I hit a "fun" issue today. Already reported it to the TAC, but thought I'd share. I added an alias to an interface to help capture some traffic. When I tried to delete the alias, it instead deleted the main IP from the interface. I saw it on R81.20 jumbo 41 in production and reproduced it here on an R81.10 jumbo 150 lab firewall:
[Expert@TestFW]# ip addr show | grep eth2
3: eth2: <NO-CARRIER,BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
[Expert@TestFW]# clish
TestFW> set interface eth2 ipv4-address 10.20.30.40 mask-length 24
TestFW> add interface eth2 alias 172.16.32.64/32
TestFW> save config
TestFW> exit
[Expert@TestFW]# clish -c "show configuration" | grep eth2
set interface eth2 state on
set interface eth2 auto-negotiation on
set interface eth2 ipv4-address 10.20.30.40 mask-length 24
add interface eth2 alias 172.16.32.64/32
[Expert@TestFW]# ip addr show | grep eth2
3: eth2: <NO-CARRIER,BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
inet 10.20.30.40/24 brd 10.20.30.255 scope global eth2
inet 172.16.32.64/32 brd 172.16.32.64 scope global eth2:1
[Expert@TestFW]# clish
TestFW> delete interface eth2 alias 172.16.32.64/32
TestFW> save config
TestFW> exit
[Expert@TestFW]# ip addr show | grep eth2
3: eth2: <NO-CARRIER,BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
inet 172.16.32.64/32 brd 172.16.32.64 scope global eth2:1
[Expert@TestFW]# clish -c "show configuration" | grep eth2
set interface eth2 state on
set interface eth2 auto-negotiation on
add interface eth2 alias 172.16.32.64/32
I've tried it with numbers which don't correspond to an address on any interface, and letters which don't correspond to an interface name. Always the same result. It looks like "delete interface <name> alias <almost anything>" just gets translated to "delete interface <name> ipv4-address". This makes dealing with aliases wildly dangerous.
That definitely sounds like a bug.
Curious why you used an interface alias here to “help capture some traffic.”
Maybe a manual proxy ARP would have worked instead?
Somebody reported a problem connecting to some website. In packet captures, no public address associated with this site was ever tried, but a connection was attempted to an internal address which doesn't exist in the environment. Nobody on the application team knew what that was, so I had to find a way to get the request the client was trying to make of the non-existent thing.
Enter an alias IP and netcat. That allows the firewall to respond with the SYN-ACK to get the client's actual request (HTTP GET, TLS Client Hello with SNI, etc.), to point more concretely to what could be causing the connection.
I just tested it in the lab, R81.10. R81.20, R82, different interfaces, worked just fine, I could delete it from web UI, clish, no problems at all.
Andy
You can delete the alias when you specify eth2:1 or whatever, but if you specify any other value at all, it deletes the primary IP instead.
I'm not following, sorry... can you clarify please?
Andy
will test it soon.
Since I can't add one more NIC to the VM now, can I test with a new VLAN?
Just tried it and yes, an alias on a subinterface shows the same behavior.
TestFW> add interface eth2 vlan 50
TestFW> set interface eth2.50 ipv4-address 10.20.30.40 mask-length 24
TestFW> add interface eth2.50 alias 192.168.144.120/32
TestFW> save config
TestFW> exit
[Expert@TestFW]# ip addr show | grep eth2.50
13: eth2.50@eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN qlen 1000
inet 10.20.30.40/24 brd 10.20.30.255 scope global eth2.50
inet 192.168.144.120/32 brd 192.168.144.120 scope global eth2.50:1
[Expert@TestFW]# clish
TestFW> delete interface eth2.50 alias thisAliasDoesNotExist
TestFW> exit
[Expert@TestFW]# ip addr show | grep eth2.50
13: eth2.50@eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN qlen 1000
inet 192.168.144.120/32 brd 192.168.144.120 scope global eth2.50:1
Seems okay to me?
Andy
Using username "admin".
admin@172.16.10.249's password:
Send automatic password
Access denied
admin@172.16.10.249's password:
Last login: Thu Aug 15 14:21:03 2024
[Expert@CP-GW:0]#
[Expert@CP-GW:0]# clish
CP-GW> show interface
eth0 eth1 eth2 lo
CP-GW> sh interface eth2
CLINFR0329 Invalid command:'sh interface eth2'.
CP-GW> sh interface eth2
CLINFR0329 Invalid command:'sh interface eth2 '.
CP-GW> show interface eth2
state on
mac-addr 50:01:00:07:00:02
type ethernet
link-state link up
mtu 1500
auto-negotiation off
speed 1000M
ipv6-autoconfig Not configured
monitor-mode off
duplex full
link-speed 1000M/full
comments
ipv4-address 192.168.10.249/24
ipv6-address Not Configured
ipv6-local-link-address Not Configured
Statistics:
TX bytes:0 packets:0 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:38955375371 packets:93456625 errors:0 dropped:0 overruns:0 frame:0
SD-WAN: Not Configured
CP-GW>
CP-GW> add interface eth2 vlan 77
CP-GW> set interface eth2.77 ipv4-a
CP-GW> set interface eth2.77 ipv4-address 11.12.13.14 mask-le
CP-GW> set interface eth2.77 ipv4-address 11.12.13.14 mask-length 24
CP-GW> add interface eth2.77 alias
CP-GW> add interface eth2.77 alias 44.45.46.47/32
CP-GW> save config
CP-GW> exit
[Expert@CP-GW:0]# ip addr show | grep eth2.77
7: eth2.77@eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 11.12.13.14/24 brd 11.12.13.255 scope global eth2.77
inet 44.45.46.47/32 brd 44.45.46.47 scope global eth2.77:1
[Expert@CP-GW:0]#
[Expert@CP-GW:0]# clish
CP-GW> delete interface
eth0 eth1 eth2
eth2.77 lo
CP-GW> delete interface eth2.77
6in4 - Delete 6in4
alias - interface Interface
ipv4-address - Interface IP address
ipv6-address - Interface IPv6 address
loopback - delete loopback interface
sdwan - Deletes the SD-WAN configuration of the interface
vlan - Delete VLAN
CP-GW> delete interface eth2.77 alias
CP-GW> delete interface eth2.77 alias eth2.77:1
CP-GW> delete interface eth2.77 alias eth2.77:1
CP-GW> save config
CP-GW> exit
[Expert@CP-GW:0]# ip addr show | grep eth2.77
7: eth2.77@eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 11.12.13.14/24 brd 11.12.13.255 scope global eth2.77
[Expert@CP-GW:0]#
If you enter the correct value (in your case, eth2.77:1), sure, the alias gets deleted.
If you enter no value, it gives you an error.
If you enter any of the infinite number of incorrect values (say you make a typo and you tell it to 'delete interface eth2.77 alias eth2.77.1' instead of eth2.77:1), it deletes the main IP instead of complaining that it couldn't find the alias.
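Given the behaviour described in the first post and restated here (any unresolvable alias value deletes the primary IPv4 address), a defensive wrapper would resolve the exact alias label from "ip addr show" before issuing the clish delete, and verify the primary address afterwards. The script below is an added example, not Check Point code; the sample "ip addr show" output is constructed to match the thread, and the label format "<interface>:<n>" is assumed from that output.

```shell
#!/bin/sh
# Added example (not Check Point's code): pre-flight guard for Gaia clish
# "delete interface <if> alias <value>". Only emit a delete command for an
# alias label that actually exists, and check the primary address survived.

# Constructed sample of "ip addr show dev eth2" output, copied from the thread.
SAMPLE='3: eth2: <NO-CARRIER,BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    inet 10.20.30.40/24 brd 10.20.30.255 scope global eth2
    inet 172.16.32.64/32 brd 172.16.32.64 scope global eth2:1'

# Print the alias label (IFACE:N) that carries ADDR/PREFIX; fail if none does.
# $1 = interface, $2 = address with prefix, $3 = "ip addr show" output
alias_label() {
    printf '%s\n' "$3" | awk -v a="$2" -v ifc="$1" '
        $1 == "inet" && $2 == a && $NF ~ ("^" ifc ":[0-9]+$") { print $NF; found = 1 }
        END { exit !found }'
}

# Print the primary (non-alias) IPv4 address of IFACE; fail if none.
# $1 = interface, $2 = "ip addr show" output
primary_addr() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $1 == "inet" && $NF == ifc { print $2; found = 1 }
        END { exit !found }'
}

# Build the clish command only when the alias label can be resolved.
# Prints the command; prints nothing and returns 1 otherwise.
safe_alias_delete_cmd() {
    label=$(alias_label "$1" "$2" "$3") || return 1
    printf 'delete interface %s alias %s\n' "$1" "$label"
}

# Post-check: compare the primary address before ($2) and after ($3) the delete.
# Returns 1 if the primary address was lost, which is the failure mode in the thread.
primary_intact() {
    before=$(primary_addr "$1" "$2") || return 1
    after=$(primary_addr "$1" "$3") || return 1
    [ "$before" = "$after" ]
}
```

A typo such as "eth2.1" for "eth2:1" never reaches clish with this guard, because the label is taken from the kernel's view of the interface rather than typed by hand.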
Ah yes, I see what you mean, correct. That definitely could be a bug.
Andy
Dang, that's crazy, I totally see your point now. I just did the below and it did the same thing.
Andy
CP-GW> delete interface eth2.77 alias testalias
CP-GW> save config
CP-GW> exit
[Expert@CP-GW:0]# clish
CP-GW> sh interf
CLINFR0329 Invalid command:'sh'.
CP-GW> show interf
interface - Show a specific interface's configurations
interfaces - Lists all interfaces
CP-GW> show interface
interface - Show a specific interface's configurations
interfaces - Lists all interfaces
CP-GW> show interface
eth0 eth1 eth2
eth2.77 lo
CP-GW> show interface eth2.
CP-GW> show interface eth2.77
state on
mac-addr 50:01:00:07:00:02
type vlan
link-state not available
mtu 1500
auto-negotiation off (eth2)
speed 1000M (eth2)
ipv6-autoconfig Not configured
monitor-mode Not configured
duplex full (eth2)
link-speed 1000M/full (eth2)
comments
ipv4-address Not Configured
ipv6-address Not Configured
ipv6-local-link-address Not Configured
Statistics:
TX bytes:0 packets:0 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:0 packets:0 errors:0 dropped:0 overruns:0 frame:0
SD-WAN: Not Configured
CP-GW>
There's a fix for this: PMTR-108479. In my testing so far, it works well. Hopefully it will get integrated in a jumbo soon.
Today I had a similar issue (R81.10 on CP3100 Cluster).
Testing whether the ISP configured new public IPs for us, I added an alias on the internet facing interface.
After deleting the alias interface, the default route was gone. Quickest recovery was disabling and enabling the internet facing interface via webUI.
Edit: just found sk89980, alias configuration is not officially supported in clusters. I didn't notice this in the manual. So maybe TAC won't care much about it anyways?!