[ScreenOS] What does 'set flow mac-cache mgt' do?

  [KB17664]


Summary:

This article explains the purpose of the set flow mac-cache mgt command.

Symptoms:
Problem: User cannot manage backup firewall in Active/Passive NSRP environment

Cause:

In some Active/Passive NSRP environments, the backup firewall also needs to be managed. If the source IP address of the PC managing the firewall is in a subnet other than the one used to manage the firewall, the route back to that source IP is resolved via the default route. The default route is active on the master firewall, so on the backup firewall the reverse route lookup fails and the backup cannot be managed.

Solution:
Issue the command set flow mac-cache mgt on the backup firewall. When a management packet reaches the firewall and the reverse route lookup fails, the firewall caches the packet's source MAC address in the session and sends the reply to that MAC address; in effect it 'sends it back where it came from'.

Example command output:

SSG550-> get flow
flow action flag: 0094
flow GRE outbound tcp-mss is not set
flow GRE inbound tcp-mss is not set
flow change tcp mss option for all packets is not set
flow change tcp mss option for outbound vpn packets is not set
flow change tcp mss option for bi-directional vpn packets is not set
flow deny session disabled
TCP syn-proxy syn-cookie disabled
Log dropped packet disabled
Allow dns reply pkt without matched request : NO
Check TCP SYN bit before create session & refresh session only after tcp 3 way handshake : YES
Check TCP SYN bit before create session : NO
Check TCP SYN bit before create session for tunneled packets : YES
Enable the strict SYN check: NO
Use Hub-and-Spoke policies for Untrust MIP traffic that loops on same interface
Check unknown mac flooding : YES
Skip sequence number check in stateful inspection : NO
ICMP path mtu discovery : NO
ICMP time exceeded : NO
TCP RST invalidates session immediately : NO
Force packet fragment reassembly : NO
flow log info: 0.0.0.0/0->0.0.0.0/0,0
flow initial session timeout: 20 seconds
flow session cleanup time: 2 seconds
early ageout setting:
high watermark = 100 (256064 sessions)
low watermark = 100 (256064 sessions)
early ageout = 2
RST seq. chk OFF
MAC cache for management traffic: OFF
Fix tunnel outgoing interface: OFF
session timeout on route change is not set
reverse route setting:
clear-text or first packet going into tunnel: prefer reverse route (default)
first packet from tunnel: always reverse route (default)
Close session when receive ICMP error packet: YES
Passing through only one ICMP error packet: NO

SSG550-> set flow mac-cache mgt

SSG550-> get flow
flow action flag: 0094
flow GRE outbound tcp-mss is not set
flow GRE inbound tcp-mss is not set
flow change tcp mss option for all packets is not set
flow change tcp mss option for outbound vpn packets is not set
flow change tcp mss option for bi-directional vpn packets is not set
flow deny session disabled
TCP syn-proxy syn-cookie disabled
Log dropped packet disabled
Allow dns reply pkt without matched request : NO
Check TCP SYN bit before create session & refresh session only after tcp 3 way handshake : YES
Check TCP SYN bit before create session : NO
Check TCP SYN bit before create session for tunneled packets : YES
Enable the strict SYN check: NO
Use Hub-and-Spoke policies for Untrust MIP traffic that loops on same interface
Check unknown mac flooding : YES
Skip sequence number check in stateful inspection : NO
ICMP path mtu discovery : NO
ICMP time exceeded : NO
TCP RST invalidates session immediately : NO
Force packet fragment reassembly : NO
flow log info: 0.0.0.0/0->0.0.0.0/0,0
flow initial session timeout: 20 seconds
flow session cleanup time: 2 seconds
early ageout setting:
high watermark = 100 (256064 sessions)
low watermark = 100 (256064 sessions)
early ageout = 2
RST seq. chk OFF
MAC cache for management traffic: ON
Fix tunnel outgoing interface: OFF
session timeout on route change is not set
reverse route setting:
clear-text or first packet going into tunnel: prefer reverse route (default)
first packet from tunnel: always reverse route (default)
Close session when receive ICMP error packet: YES
Passing through only one ICMP error packet: NO

Note: This command only affects 'management' traffic and has no effect on 'pass-through' traffic. The cached MAC is preferred even if there is an active return route, as the following 'debug flow basic' output shows; it was captured with 'set flow mac-cache mgt' enabled and an active default route present.


****** 669172.0: <idp2/mgt> packet received [52]******  
ipid = 22787(5903), @6de1a870
packet passed sanity check.
flow_decap_vector IPv4 process
mgt:10.222.14.179/55338->10.219.33.140/22,6<Root>
no session found
flow_first_inline_vector: in <mgt>, out <N/A>
existing vector list 2-6349ffe4.
create a self session (flag 0x1306), timeout=1800sec.
flow_first_install_session======>
handle cleartext reverse route
cache src mac in session for reverse direction   <-- MAC is getting cached for the return traffic
flow got session.
flow session id 1000055
flow_main_body_vector in ifp mgt out ifp N/A
flow vector index 0x2, vector addr 0x6349ffe4, orig vector 0x6349ffe4
post addr xlation: 10.222.14.179->10.219.33.140.
packet is for self, copy packet to self
copy packet to us.
****** 669172.0: <Self/self> packet received [44]******
ipid = 24500(5fb4), @6cf874e4
flow_self_vector2: send pack with current vid =0, enc_size:0
processing packet through normal path.
packet passed sanity check.
flow_decap_vector IPv4 process
self:10.219.33.140/22->10.222.14.179/55338,6<Root>
existing session found. sess token 5
flow got session.
flow session id 1000055
flow_main_body_vector in ifp self out ifp mgt
flow vector index 0x2, vector addr 0x3400770, orig vector 0x3400770
skip ttl adjust for packet.
post addr xlation: 10.219.33.140->10.222.14.179.
packet send out to 0c861099d52c (cached) through mgt

SSG550-> get route ip 10.222.14.179
Dest for 10.222.14.179
--------------------------------------------------------------------------------------
trust-vr : => 0.0.0.0/0 (id=23) via 10.219.33.129 (vr: trust-vr)
Interface mgt , metric 1
nsisg2000-> get route id 23
route in trust-vr:
------------------------------------------------
id: 23
IP address/mask: 0.0.0.0/0
next hop (gateway): 10.219.33.129
preference: 20
metric: 1
description:
outgoing interface: mgt
vsys name/id: Root/0
tag: 0
flag: 24000040/00100011
type: static
Redistributed to:
status: active (for 7 days 18 hours 2 minutes 49 seconds)   <-- active reverse route
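The reverse-route behaviour described in the Cause, Solution and Note above, modelled as an added Python example (not ScreenOS code and not from the article): a longest-prefix route lookup over active routes only, a session that caches the source MAC for management (self) sessions when mac-cache mgt is on, and a reply function that prefers the cached MAC over any return route. The addresses and MAC come from the article; the /25 mgt subnet, the class and function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Route:
    prefix: str
    next_hop: str
    interface: str
    active: bool = True   # on the NSRP backup the default route is not active

@dataclass
class Session:
    src_ip: str
    in_iface: str
    src_mac: str
    to_self: bool                    # True = management traffic to the firewall itself
    cached_mac: Optional[str] = None

class ScreenOSFlow:
    """Toy model of reverse-route handling with and without 'set flow mac-cache mgt'."""
    def __init__(self, routes: List[Route], mac_cache_mgt: bool = False):
        self.routes, self.mac_cache_mgt = routes, mac_cache_mgt

    def reverse_route(self, ip: str) -> Optional[Route]:
        """Longest-prefix match over *active* routes only; None if the lookup fails."""
        addr, best, best_len = ipaddress.ip_address(ip), None, -1
        for r in self.routes:
            net = ipaddress.ip_network(r.prefix)
            if r.active and addr in net and net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
        return best

    def install_session(self, src_ip, in_iface, src_mac, to_self) -> Session:
        s = Session(src_ip, in_iface, src_mac, to_self)
        if to_self and self.mac_cache_mgt:   # 'cache src mac in session for reverse direction'
            s.cached_mac = src_mac           # only done for self (management) sessions
        return s

    def reply_egress(self, s: Session) -> Optional[Tuple[str, str]]:
        """Where the reply goes: (interface, next hop), or None if it cannot be routed."""
        if s.cached_mac:                     # cached MAC wins even when a return route exists
            return (s.in_iface, f"mac:{s.cached_mac}")
        r = self.reverse_route(s.src_ip)
        return (r.interface, f"via:{r.next_hop}") if r else None

# Constructed topology from the article's addresses: PC 10.222.14.179, default route via
# 10.219.33.129 on mgt; the 10.219.33.128/25 connected subnet is an assumption.
def routes(default_active: bool) -> List[Route]:
    return [Route("10.219.33.128/25", "connected", "mgt"),
            Route("0.0.0.0/0", "10.219.33.129", "mgt", active=default_active)]

PC, PC_MAC = "10.222.14.179", "0c861099d52c"

def reply_on(default_active: bool, mac_cache: bool, to_self: bool = True):
    fw = ScreenOSFlow(routes(default_active), mac_cache_mgt=mac_cache)
    return fw.reply_egress(fw.install_session(PC, "mgt", PC_MAC, to_self))
```

reply_on(False, False) models the backup before the fix (no route back, reply dropped); reply_on(False, True) models it after the fix, and reply_on(False, True, to_self=False) shows pass-through traffic is still unaffected.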