<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ISP redundancy: reply to sender MAC instead of gateway MAC in Firewall and Security Management</title>
    <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-reply-to-sender-MAC-instead-of-gateway-MAC/m-p/178631#M32716</link>
    <description>&lt;P&gt;Hi Andy,&lt;/P&gt;&lt;P&gt;Thanks for looking into this. See screenshot below! It's not really an issue with ISP redundancy; replying to the MAC address from which the initial packet was received makes sense to keep the traffic flows symmetrical. It's just that our ISP does not seem to accept traffic sent to the standby router, although the standby router does deliver traffic to our firewall.&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Erik&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.PNG" style="width: 400px;"&gt;&lt;img src="https://community.checkpoint.com/t5/image/serverpage/image-id/20580iFBB1335F79DE6E25/image-size/medium?v=v2&amp;amp;px=400" role="button" title="Capture.PNG" alt="Capture.PNG" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
    <pubDate>Thu, 20 Apr 2023 14:41:50 GMT</pubDate>
    <dc:creator>ErikV</dc:creator>
    <dc:date>2023-04-20T14:41:50Z</dc:date>
    <item>
      <title>ISP redundancy: reply to sender MAC instead of gateway MAC</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-reply-to-sender-MAC-instead-of-gateway-MAC/m-p/178608#M32713</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;I'm having a connectivity problem since we have connected a new ISP. It seems they have two routers of which one owns the default gateway IP. Nothing strange about that.&lt;/P&gt;&lt;P&gt;But looking at incoming traffic, I see packets arriving for my firewall IP, source IP outside of my directly connected subnet, with different source MAC addresses. Per flow the firewall seems to reply to the source MAC it received the previous packet from, not the ARP entry of the default gateway. I suppose this has something to do with using ISP redundancy, and wanting to have symmetrical flows.&lt;/P&gt;&lt;P&gt;But in this case I suspect it is causing problems. It seems the replies that are sent to other MAC addresses than the MAC of our default gateway (= probably the MAC of the standby router, that still delivers incoming traffic) are dropped at the ISP, since I see multiple SYN-ACKs sent to that MAC and then the session times out. All replies sent to the gateway's MAC address are properly handled.&lt;/P&gt;&lt;P&gt;We are using active-standby ISP redundancy, so in this case there is no need (I think) for this feature, and I would prefer to just reply to the default gateway's MAC instead of the original sender. At least I would like to try to see if this is indeed the cause of our connectivity issues.&lt;/P&gt;&lt;P&gt;Does anyone know more about this behavior, and preferably also know how to switch it off while still using ISP redundancy?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Erik&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 20 Apr 2023 10:08:30 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-reply-to-sender-MAC-instead-of-gateway-MAC/m-p/178608#M32713</guid>
      <dc:creator>ErikV</dc:creator>
      <dc:date>2023-04-20T10:08:30Z</dc:date>
    </item>
    <item>
      <title>Re: ISP redundancy: reply to sender MAC instead of gateway MAC</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-reply-to-sender-MAC-instead-of-gateway-MAC/m-p/178629#M32715</link>
      <description>&lt;P&gt;Are you able to attach a screenshot of the ISP redundancy config on the gateway as per below? Please blur out any sensitive info. I often work with customers using ISPR, and the only issue we had with it was that a few months ago R&amp;amp;D had to give us an updated script for it, but other than that, all works fine.&lt;/P&gt;
&lt;P&gt;Example below of what I was looking for...&lt;/P&gt;
&lt;P&gt;Andy&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_1.png" style="width: 400px;"&gt;&lt;img src="https://community.checkpoint.com/t5/image/serverpage/image-id/20579i173B8C5BDF52C537/image-size/medium?v=v2&amp;amp;px=400" role="button" title="Screenshot_1.png" alt="Screenshot_1.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt; &lt;/P&gt;</description>
      <pubDate>Thu, 20 Apr 2023 14:14:56 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-reply-to-sender-MAC-instead-of-gateway-MAC/m-p/178629#M32715</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2023-04-20T14:14:56Z</dc:date>
    </item>
    <item>
      <title>Re: ISP redundancy: reply to sender MAC instead of gateway MAC</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-reply-to-sender-MAC-instead-of-gateway-MAC/m-p/178631#M32716</link>
      <description>&lt;P&gt;Hi Andy,&lt;/P&gt;&lt;P&gt;Thanks for looking into this. See screenshot below! It's not really an issue with ISP redundancy; replying to the MAC address from which the initial packet was received makes sense to keep the traffic flows symmetrical. It's just that our ISP does not seem to accept traffic sent to the standby router, although the standby router does deliver traffic to our firewall.&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Erik&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.PNG" style="width: 400px;"&gt;&lt;img src="https://community.checkpoint.com/t5/image/serverpage/image-id/20580iFBB1335F79DE6E25/image-size/medium?v=v2&amp;amp;px=400" role="button" title="Capture.PNG" alt="Capture.PNG" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 20 Apr 2023 14:41:50 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-reply-to-sender-MAC-instead-of-gateway-MAC/m-p/178631#M32716</guid>
      <dc:creator>ErikV</dc:creator>
      <dc:date>2023-04-20T14:41:50Z</dc:date>
    </item>
    <item>
      <title>Re: ISP redundancy: reply to sender MAC instead of gateway MAC</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-reply-to-sender-MAC-instead-of-gateway-MAC/m-p/178636#M32717</link>
      <description>&lt;P&gt;Ok, got it...do you see any drops if you do the traffic capture?&lt;/P&gt;</description>
      <pubDate>Thu, 20 Apr 2023 15:05:28 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-reply-to-sender-MAC-instead-of-gateway-MAC/m-p/178636#M32717</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2023-04-20T15:05:28Z</dc:date>
    </item>
    <item>
      <title>Re: ISP redundancy: reply to sender MAC instead of gateway MAC</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-reply-to-sender-MAC-instead-of-gateway-MAC/m-p/178656#M32721</link>
      <description>&lt;P&gt;No drops, just retransmits of the SYN-ACK. Going out to the ISP, and no answer...&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Erik&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 20 Apr 2023 21:21:14 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-reply-to-sender-MAC-instead-of-gateway-MAC/m-p/178656#M32721</guid>
      <dc:creator>ErikV</dc:creator>
      <dc:date>2023-04-20T21:21:14Z</dc:date>
    </item>
    <item>
      <title>Re: ISP redundancy: reply to sender MAC instead of gateway MAC</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-reply-to-sender-MAC-instead-of-gateway-MAC/m-p/178783#M32756</link>
      <description>&lt;P&gt;Not sure ISP Redundancy is involved here (or it's not clear if it is).&lt;BR /&gt;Recommend a TAC case to assist: &lt;A href="https://help.checkpoint.com" target="_blank"&gt;https://help.checkpoint.com&lt;/A&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 21 Apr 2023 20:43:14 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-reply-to-sender-MAC-instead-of-gateway-MAC/m-p/178783#M32756</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2023-04-21T20:43:14Z</dc:date>
    </item>
  </channel>
</rss>

