Project

General

Profile

Actions
Copy link

Bug #16366

open

HEARTBEAT are dropped in both directions on SCTP association secondary path

Added by Oliver Thomas about 1 month ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Release Notes:
Default
Affected Plus Version:
24.11
Affected Architecture:

Description

Please see attached:
- setup diagram
- SCTP association design diagram
- rules.debug
- config xml
- packet captures from s1c1, s1c2 and ipsec interfaces

We see that SCTP HEARTBEAT packets are dropped in both directions on the SCTP secondary link after association establishment.
To see this, please see attached captures, where you can see HEARTBEAT packet being sent on secondary path from 10.249.200.153 to 10.251.4.89 in S1C2 interface, but not in IPsec interface (i.e. packet is dropped by the Netgate before being encapsulated onto the IPsec tunnel).
In opposite direction, you can see HEARTBEAT packet being sent on secondary path from 10.251.4.89 to 10.249.200.153 in IPsec interface, but not in S1C2 interface (i.e. packet is dropped by the Netgate before being de-encapsulated and forwarded)
This is despite 'Allow all' firewall rules defined on all interfaces (see rules.debug).
The result is that the SCTP association is established and UP, but the secondary path is INACTIVE.
The SCTP state tracking should recognise a multi-homed association and accept HEARTBEAT packets to and from the secondary IP addresses as well as the primary
Primary and Secondary IP addresses are signalled in SCTP INIT and INIT_ACK chunks during establishment (see pcaps):

INIT chunk from initiator: ===========================================================

IPv4 address parameter (Address: 10.249.200.145)
Parameter type: IPv4 address (0x0005)
0... .... .... .... = Bit: Stop processing of chunk
.0.. .... .... .... = Bit: Do not report
Parameter length: 8
IP Version 4 address: 10.249.200.145 (10.249.200.145)
IPv4 address parameter (Address: 10.249.200.153)
Parameter type: IPv4 address (0x0005)
0... .... .... .... = Bit: Stop processing of chunk
.0.. .... .... .... = Bit: Do not report
Parameter length: 8
IP Version 4 address: 10.249.200.153 (10.249.200.153)

INIT_ACK chunk from responder: ===========================================================

IPv4 address parameter (Address: 10.251.4.88)
Parameter type: IPv4 address (0x0005)
0... .... .... .... = Bit: Stop processing of chunk
.0.. .... .... .... = Bit: Do not report
Parameter length: 8
IP Version 4 address: 10.251.4.88 (10.251.4.88)
IPv4 address parameter (Address: 10.251.4.89)
Parameter type: IPv4 address (0x0005)
0... .... .... .... = Bit: Stop processing of chunk
.0.. .... .... .... = Bit: Do not report
Parameter length: 8
IP Version 4 address: 10.251.4.89 (10.251.4.89)

Files

Download all files
Assoc-Diagram.png (77.5 KB) Assoc-Diagram.png Oliver Thomas, 08/12/2025 08:05 AM
packetcapture-ipsec-filtered-20250811124808.pcap (14 KB) packetcapture-ipsec-filtered-20250811124808.pcap Oliver Thomas, 08/12/2025 08:05 AM
config-bt-rural-ukpc-lab-pw-site-gateway-1.parallelwireless.net-20250811100502.xml (70.8 KB) config-bt-rural-ukpc-lab-pw-site-gateway-1.parallelwireless.net-20250811100502.xml Oliver Thomas, 08/12/2025 08:05 AM
packetcapture-s1c1-filtered-20250811124810.pcap (14 KB) packetcapture-s1c1-filtered-20250811124810.pcap Oliver Thomas, 08/12/2025 08:05 AM
packetcapture-s1c2-filtered-20250811124812.pcap (188 Bytes) packetcapture-s1c2-filtered-20250811124812.pcap Oliver Thomas, 08/12/2025 08:05 AM
rules.debug (12.9 KB) rules.debug Oliver Thomas, 08/12/2025 08:05 AM
Setup-Diagram.png (349 KB) Setup-Diagram.png Oliver Thomas, 08/12/2025 08:05 AM

No data to display

Actions
Copy link

Also available in: Atom PDF