Regression #14059

closed

Old states are still used after a route change

Added by Marcos M about 1 year ago. Updated 5 months ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version: -
% Done: 0%
Release Notes: Default
Affected Version: 2.7.0
Affected Architecture: All

Description

It's possible for traffic meant to be sent over an IPsec policy tunnel to instead go out of the WAN. This can happen, for example, when:
  • The relevant child SA has not yet been installed.
  • The tunnel is currently disabled.
  • The IPsec service is stopped.

When this happens, states are created on the WAN. In the following example, lagg0.6 is the WAN. The top two states were created during a tunnel outage, and the ages of the bottom two states closely match the firewall's uptime.

all udp 10.102.242.3:5060 <- 10.103.242.116:5060       NO_TRAFFIC:SINGLE
   age 05:29:11, expires in 00:02:24, 2899:0 pkts, 1096243:0 bytes, rule 128
   id: b198066400000000 creatorid: d0dc7a29 gateway: 0.0.0.0
   origif: lagg0.10
all udp 198.51.100.234:21991 (10.103.242.116:5060) -> 10.102.242.3:5060       SINGLE:NO_TRAFFIC
   age 05:29:11, expires in 00:02:24, 2852:0 pkts, 1078191:0 bytes, rule 74
   id: b298066400000000 creatorid: d0dc7a29 gateway: 198.51.100.233
   origif: lagg0.6

all udp 10.102.242.3:5060 <- 10.103.242.117:5060       NO_TRAFFIC:SINGLE
   age 21:06:18, expires in 00:02:28, 16580:0 pkts, 3820099:0 bytes, rule 128
   id: dd08f46300000000 creatorid: d0dc7a29 gateway: 0.0.0.0
   origif: lagg0.10
all udp 198.51.100.234:57200 (10.103.242.117:5060) -> 10.102.242.3:5060       SINGLE:NO_TRAFFIC
   age 21:06:18, expires in 00:02:28, 16519:0 pkts, 3806685:0 bytes, rule 74
   id: de08f46300000000 creatorid: d0dc7a29 gateway: 198.51.100.233
   origif: lagg0.6

In 22.05 once the relevant child SA is installed, the firewall correctly replaces the states and sends the traffic through the tunnel.

In 23.01, the states remain active on WAN regardless of the child SA being installed afterwards. While the bad states exist and the child SA is installed, running a packet capture on enc0 shows the traffic makes it into the interface, but is not actually sent through the tunnel. To work around the issue, the following floating rule may be created:

Action: Block | Quick: Checked | Interface: <select all WAN interfaces> | Direction: out | Address Family: IPv4 | Protocol: Any | Source: Any | Destination: 10.0.0.0/8 (or the relevant subnet)

With this rule in place, states are prevented from being created on the WAN, and hence traffic flows correctly once the child SA is installed.
