For When You Can't Have The Real Thing
[ start | index | login ]
start > FortiOS > 5.4 > VPN Flapping Leads To Bogus Routing

VPN Flapping Leads To Bogus Routing

Created by dave. Last edited by dave, 21 days ago. Viewed 125 times. #1
[edit] [rdf]
labels
attachments
(2018-01-30)

Problem

Two computers, A and B, trying to connect across a site-to-site VPN to computers C and D.

Computer A cannot see C but can see D. Computer B can see both computers.

Doing a traceroute from A to C shows that the packet is going out the WAN port instead of the VPN. Traceroute from A to D shows the VPN being used. All traffic from B is using the VPN appropriately.

Clearing the session table of all sessions that involve A clear the problem for some period of time; the problem might or might not return, and when it does it might affect B's communication with D instead of A's communication.

Root cause

Site to site VPN is flapping.

When the VPN is down, there's no route to the remote network, so the default route out the WAN is used and a session is set up. Now that the session is set up, subsequent communication will be sent using this session, even when the VPN returns. The problem only affects computers attempting to communicate while the VPN is in the down state, thus the seemingly random distribution of problems.

Solution

Fix the site to site VPN.

Masking the problem

Put a extremely undesired blackhole route on the firewall for packets destined for the VPN network. When the VPN is down, the packets get blackholed and no session is set up. When the VPN returns, normal service resumes. This doesn't fix sessions getting dropped when the VPN flaps, but it does solve computers getting hung out to dry for long periods of time.

In general I'm adding black hole routes for the RFC-1918 networks to my firewalls now under the premise that I shouldn't be leaking those networks into the internet anyways. As a side-effect it means that you don't end up with bogus information in the session table.

config router static
     edit 0
         set status enable
         set dst 10.0.0.0 255.0.0.0
         set distance 254
         set weight 0
         set comment "Don't Leak RFC 1918"
         set blackhole enable
     next
     edit 0
         set status enable
         set dst 192.168.0.0 255.255.0.0
         set distance 254
         set weight 0
         set comment "Don't leak RFC 1918"
         set blackhole enable
     next
     edit 0
         set status enable
         set dst 172.16.0.0 255.240.0.0
         set distance 254
         set weight 0
         set comment "Don't leak RFC 1918"
         set blackhole enable
     next
     end
no comments | post comment

Virtual Dave Megaplex:

Internet Explorer 6 Users >>Click Here

(read this note about local search)

Logged in Users: (0)
… and 5 Guests.


Editing: snipsnap-help, Image Macro

(Et auditum est, et idcirco ego nunc simulare)

Installed 7 years and 38 days ago
Powered By >>SnipSnap Version 1.0b1-uttoxeter

This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful:


snipsnap.org | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt