Sorry for a long post,
I have a fairly simple pix VPN network extension to another site (No
internet access, just vpn).
I added two more sites, and enabled web access via the addicion of a leaf
box.
my setup looked like this (excuse ascii art please)
To internet router (three external vpn sites)
+---------------------------------------------------|-------------+
|CISCO hub/switch ports 1-3 VLAN 1 (external) (1)(2)(3) |
+------------------------------------------------/-----\----------+
/ \ (vpn
only, one site)
The leaf box provides all non vpn +------*-+ +-*-------+
traffic and endpoints two additional |LEAF box| |Cisco Pix|
vpn sites. Cisco destins one site. +------*-+ +-*-------+
\ /
+------------------------------------------------\-----/---------+
|CISCO hub/switch ports 4-24 VLAN 2 (internal) (4) (5)(6789...)|
+--------------------------------------------------------///|\\\-+
..Users..
All outbound traffic arrives at my site and exits to outside world vie the
leaf box.
the * is my location
browsing traffic
^
C--*--B
| /
|/
D
Scenario.
- Local users default route was to the PIX. Pix handles traffic for ONE VPN
only (to site B above)
- The PIX had a route added to forward the rest of the traffic to the leaf
box.
- LEAF box had its default route to the outside world and a static route to
the internal users via the PIX's internal address. the LEAF box is in a VPN
mesh with two sites (C and D above)
- Internal vlan is contigous at layer2 split into two ip subnets.
When I added the Leaf box I discovered the following glitches.
NOTE: normal VPN traffic between PIX and site B worked flawlessly
throughout.
1. I would see the IPSEC traffic initiated. (both ends negotiated w/o
problems).
2. Usually one or two packets of user data would make it through the tunnel
to the remote vpn box.
3. all subsequent user traffic would stop working until the cisco pix was
rebooted, and the first four or so packets would work and the stop again
until the next reboot.
also.
4. all local normal web destination traffic, http, ftp etc. would FAIL.
(three way handshake OK, first packet OK then NOTHING. Same for SITE B.
5. all VPN-packets arriving from Sites C & D could browse the web w/o
problem.
6. disconnecting the PIX's external interface killed the SITE B vpn and ALL
OF THE OTHER SITES HTTP AND LOCAL HTTP TRAFFIC WORKED.
DISCOVERY (using a sniffer)
Local user Arps the pix,
Pix arps the leaf, forwards SYN to leaf.
Leaf box arps the router, forwards the SYN
router sends back SYN-ACK to Leaf box
leaf box returns the SYN-ACK to the local user
user sends data to PIX
****
The PIX BYPASSED the Leaf box and sends untranslated (un-natted and
unencrypted data) OUT TO THE INTERNET!!!!!!!!
****
My Solution - split the vlans to two physically seperate cisco switches.
My theory on the failure: the PIX recognized the same destination address of
the user data on its external interface and assumed the a traffic loop of
some kind.
As I did not manage the Cisco, nor the switches in my environment I do NOT
know the versions or builds used. (or even if the behaviour is fixed in
various IOS releases)
*WHEW*
Anyone ever encounter this before? I had scratched my head to bleeding
until my sniffer revealed the PIX's missdoings.
Myles Buckley
-------------------------------------------------------
Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
