FortiOS 5.4

VPN Flapping Leads To Bogus Routing

Created by dave, 2018-01-30.

Problem

Two computers, A and B, are trying to connect across a site-to-site VPN to computers C and D at the remote site.

Computer A cannot reach C but can reach D. Computer B can reach both.

A traceroute from A to C shows the packets leaving via the WAN port instead of the VPN tunnel; a traceroute from A to D shows the VPN being used. All traffic from B uses the VPN as expected.

Clearing every session in the session table that involves A clears the problem for some period of time. The problem might or might not return, and when it does it might affect B's communication with D instead of A's communication with C.

Root cause

The site-to-site VPN is flapping.

When the VPN is down there is no route to the remote network (the route via the tunnel is withdrawn), so the default route out the WAN matches and a session is set up with the WAN as its outgoing interface. Subsequent packets of that flow are matched against the existing session rather than the routing table, so they keep going out the WAN even after the VPN comes back. Only flows that started while the VPN was down are affected, which is why the damage appears to be randomly distributed across hosts.

Solution

Fix the site-to-site VPN so it stops flapping.

Masking the problem

Put an extremely undesirable (high administrative distance) blackhole route on the firewall for packets destined for the VPN network. When the VPN is down, the packets are blackholed and no session is set up; when the VPN returns, its route is preferred again and normal service resumes. The blackhole must lose to the VPN route whenever the tunnel is up, which it does as long as the VPN route is more specific or has a lower distance. This doesn't fix sessions getting dropped when the VPN flaps, but it does stop computers from being hung out to dry for long periods afterwards.

In general I'm now adding blackhole routes for the RFC 1918 networks to my firewalls, on the premise that I shouldn't be leaking those networks to the internet anyway. As a side effect, you don't end up with bogus entries in the session table. Because route selection is longest-prefix first, these broad blackholes only catch traffic that has no more specific route; local LANs and VPN networks are unaffected while their routes exist.

config router static
    edit 0
        set status enable
        set dst 10.0.0.0 255.0.0.0
        set distance 254
        set weight 0
        set comment "Don't leak RFC 1918"
        set blackhole enable
    next
    edit 0
        set status enable
        set dst 192.168.0.0 255.255.0.0
        set distance 254
        set weight 0
        set comment "Don't leak RFC 1918"
        set blackhole enable
    next
    edit 0
        set status enable
        set dst 172.16.0.0 255.240.0.0
        set distance 254
        set weight 0
        set comment "Don't leak RFC 1918"
        set blackhole enable
    next
end
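To make the route/session interaction concrete, here is an added Python model of the failure and of the blackhole workaround. It is not FortiOS code and not from the original page: it models longest-prefix route selection with administrative distance and a session table that caches the outgoing interface on the first packet of a flow, then walks through the flap described above with and without the three RFC 1918 blackhole routes. The interface names (wan1, to-siteB), the remote network 10.2.0.0/16 and the host addresses are assumptions made up for the model.

```python
"""Added example (not FortiOS code): a small model of longest-prefix route
selection with administrative distance, plus a session table that caches the
chosen outgoing interface on the first packet of a flow. It reproduces the
bogus-routing symptom from the page and shows why the blackhole routes
prevent it. Interface names and addresses are assumptions for the model."""

import ipaddress
from dataclasses import dataclass, field

WAN = "wan1"             # default route out to the internet (assumed name)
VPN = "to-siteB"         # route-based IPsec tunnel interface (assumed name)
BLACKHOLE = "blackhole"  # FortiOS 'set blackhole enable': packet is discarded

REMOTE_LAN = ipaddress.ip_network("10.2.0.0/16")  # network behind the VPN (assumed)


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    device: str
    distance: int  # lower is preferred when prefix lengths tie


@dataclass
class Firewall:
    routes: list = field(default_factory=list)
    sessions: dict = field(default_factory=dict)  # (src, dst) -> device

    def lookup(self, dst: str):
        """Longest prefix match first, then lowest administrative distance."""
        ip = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if ip in r.dst]
        if not matches:
            return None
        best = max(matches, key=lambda r: (r.dst.prefixlen, -r.distance))
        return best.device

    def forward(self, src: str, dst: str) -> str:
        """The first packet of a flow does a route lookup and caches the result
        in the session table; later packets reuse the session and never look at
        the routing table again (the behaviour the page describes)."""
        key = (src, dst)
        if key in self.sessions:
            return self.sessions[key]
        device = self.lookup(dst)
        if device is None or device == BLACKHOLE:
            return "dropped"  # no session is installed for a blackholed flow
        self.sessions[key] = device
        return device

    def vpn_up(self):
        self.routes.append(Route(REMOTE_LAN, VPN, 10))

    def vpn_down(self):
        # Tunnel interface goes down, so its static route is withdrawn.
        self.routes = [r for r in self.routes if r.device != VPN]

    def clear_sessions_for(self, host: str):
        # Equivalent of clearing every session that involves A, as on the page.
        self.sessions = {k: v for k, v in self.sessions.items() if host not in k}


def scenario(with_blackhole: bool) -> list:
    """Walk through the flap described on the page and return, in order,
    the outgoing interface chosen for each flow."""
    fw = Firewall()
    fw.routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), WAN, 5))
    if with_blackhole:
        # The three RFC 1918 blackhole routes from the config above, distance 254.
        for net in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"):
            fw.routes.append(Route(ipaddress.ip_network(net), BLACKHOLE, 254))
    fw.vpn_up()

    A, B = "10.1.0.10", "10.1.0.11"  # local hosts (constructed addresses)
    C, D = "10.2.0.10", "10.2.0.11"  # hosts behind the VPN (constructed)
    out = []
    out.append(fw.forward(B, C))  # VPN up: B reaches C through the tunnel
    fw.vpn_down()
    out.append(fw.forward(A, C))  # A starts talking during the outage: WAN, or dropped
    fw.vpn_up()
    out.append(fw.forward(A, C))  # a stale session (if any) still points at the WAN
    out.append(fw.forward(A, D))  # a new flow from A is routed correctly
    out.append(fw.forward(B, C))  # B's session never left the tunnel
    fw.clear_sessions_for(A)
    out.append(fw.forward(A, C))  # clearing A's sessions forces a fresh lookup
    return out


if __name__ == "__main__":
    print("without blackhole:", scenario(False))
    print("with blackhole:   ", scenario(True))
```

Without the blackhole routes the second and third entries come back as wan1: the session created during the outage survives the tunnel's return until it is cleared. With them, the flow started during the outage is dropped and no session is installed, so the next attempt after the tunnel returns lands on the VPN. Note that in this model the distance of 254 is never what decides: longest-prefix match already puts the /16 VPN route ahead of the /8 blackhole. The high distance only matters if the VPN route covers exactly the same prefix as a blackhole, which is why it is still worth setting.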