This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Martijn
Advisor
Advisor
‎2021-03-01 03:11 AM

OSPF and Local Address Spoofing

Hi All,

On a 44K dual chassis setup in VSX mode we are seeing drops by Local Address Spoofing on all Virtual Systems for OSPF packets. OSPF seems te work and routes are learned, but the log fills up with these log messages. It is not just a drop, but also a connection alert.

So, the source is the gateway and destination the OSPF network address.

We have checked many knowledge base articles, but none of them seems relevant. With fw monitor we looked at the traffic and we are seeing the OSPF packet leave the gateway (o, O), but also see it enter the gateway (i, I).

When we configure the parameyet fw_local_interface_anti_spoofing to 0, the message are gone.

We have checked routes which are OK and there are no host on the network with IP addresses that belong to the gateways.

Software version is R80.20SP take 304.

Not sure what the cause is and how we can solve this.

Regards,
Martijn

0 Kudos
7 Replies
G_W_Albrecht
Legend Legend
Legend
‎2021-03-01 03:28 AM

Did you involve TAC already ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Martijn
Advisor
Advisor
‎2021-03-01 06:17 AM
In response to G_W_Albrecht

Hello,

I did not involve TAC yet. Customers policy does not allow me to send any data (cpinfo, logs, debugs, traces) outside the organization. So CheckMates and SK atricles are the first options for me.

If TAC is needed, I can open a SR but I am limited on what I can tell and provide them.

Martijn

0 Kudos
PhoneBoy
Admin
Admin
‎2021-03-01 08:23 AM

The fact that the traffic is re-entering the gateway is what is causing the local interface spoofing checks to be triggered.
Disabling the check is one option, figuring out what’s causing the traffic to re-enter the gateway is the other.

0 Kudos
andymong
Participant
‎2021-04-13 02:08 AM

What device are you pairing OSPF with ? 

0 Kudos
Martijn
Advisor
Advisor
‎2021-11-09 11:43 PM

Hi All,

Yesterday I was onsite again and created some Wireshark traces. And we noticed the following.

The gateway is sending OSPF packets and source IP and source MAC is the gateway, so all OK there.
But at the same moment we see another OSPF packet with source IP the gateway, but with a completely different source MAC-address.

The MAC-address starts with 00:1c:99 and this seems to be the vendor Shunra Software. This is a unknown vendor to me. Is the 44K solution using technology from Shunra Software? Maybe the SSM's?

Or does anyone know who and what this vendor is?

Regards,
Martijn 

0 Kudos
Chris_Phillips
Participant
‎2022-06-14 08:13 AM
In response to Martijn

@Martijn @PhoneBoy 

did this get any further?

i'm seeing ospf anti spoof drops from our vsx peering with ACI and we note routes converging from every few hours to every day.

would be interesting to know if this was is still an issue for others on here.

our vsx is running 80.10.


0 Kudos
Martijn
Advisor
Advisor
‎2022-06-22 06:42 AM
In response to Chris_Phillips

Hi Chris,

We are on R81.10 take 45 now and we didn't see this anymore in the logs.

Not sure what caused it and what solved it.
Because there was no problem on the network, we did not put much time in investigating the issue.

Regards,
Martijn

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events