This article describes why BFD (Bidirectional Forwarding Detection) echo packets fail to pass through a firewall in Transparent (Layer 2) mode, and how to work around it.
In a BFD echo packet the source IP address and the destination IP address are the same, as in the snoop output below:
3955304.0: ethernet0/0(i) len=54:0018742e5a80->0064403a1180/0800
192.168.1.1 -> 192.168.1.1/17
vhl=45, tos=c0, id=37011, frag=0000, ttl=255 tlen=40
udp:ports 49152->3785, len=20
If the policy has both the Source and Destination addresses set to Any, then the packet is passed through the firewall:
set policy id 1 from "V1-Trust" to "V1-Untrust" "Any" "Any" "Any" permit
However, if either the Source or the Destination address in the policy is a specific IP address rather than Any, there is no policy match and the packet is dropped. For example, with the following address-book entry and policy, the flow debug output shows the packet being denied:
set address "V1-Trust" "192.168.1.1" 192.168.1.1 255.255.255.255
set policy id 1 from "V1-Trust" to "V1-Untrust" "192.168.1.1" "Any" "Any" permit
****** 02160.0: <V1-Trust/ethernet0/0> packet received [46]******
ipid = 9625(2599), @2d403910
packet passed sanity check.
packet with vlan 1, vlan-group vlan1, vsd 0
v1-trust:192.168.1.1/49152->192.168.1.1/3785,17<Root>
L2: need flooding
v1-trust:192.168.1.1/49152->192.168.1.1/3785,17<Root>
L2 broadcast(1) to v1-untrust
L2 broadcasets: direct to v1-untrust only
flow_decap_vector IPv4 process
no session found
flow_first_sanity_check: in <v1-trust>, out <v1-untrust>
policy search from zone 12-> zone 11
policy_flow_search policy search nat_crt from zone 12-> zone 11
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.1.1, port 3785, proto 17)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
Searching global policy.
swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
policy id (320000)
packet dropped, denied by policy
Policy id deny policy, ipv6 0, flow_potential_violation 0
To pass the BFD echo packets through the firewall, do one of the following:
- Set both the source and destination addresses in the policy to Any.
- Translate (NAT) either the source IP address or the destination IP address before the packet reaches the firewall.
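As an added example (not part of the original article), the following Python script scans ScreenOS flow-debug output of the kind shown above for packets that were denied by policy and flags those that are self-addressed UDP packets to the BFD echo port 3785, so the drop can be attributed to this issue rather than to an ordinary policy mistake. The sample debug text is constructed from the trace above; the line formats it parses are the ones visible on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: abbreviated ScreenOS flow-debug output for one BFD echo packet.
SAMPLE_DEBUG = """\
****** 02160.0: <V1-Trust/ethernet0/0> packet received [46]******
ipid = 9625(2599), @2d403910
packet passed sanity check.
v1-trust:192.168.1.1/49152->192.168.1.1/3785,17<Root>
L2: need flooding
v1-trust:192.168.1.1/49152->192.168.1.1/3785,17<Root>
flow_first_sanity_check: in <v1-trust>, out <v1-untrust>
policy search from zone 12-> zone 11
swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
policy id (320000)
packet dropped, denied by policy
"""

BFD_ECHO_PORT = 3785  # UDP port used by BFD echo packets (seen in the trace above)
PKT_START_RE = re.compile(r"^\*{6} .*packet received")
FLOW_RE = re.compile(r"^[\w-]+:(?P<src>[\d.]+)/\d+->(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)")
POLICY_RE = re.compile(r"^policy id \((\d+)\)")

@dataclass
class PacketVerdict:
    src: str
    dst: str
    dport: int
    proto: int
    policy_id: Optional[int]
    dropped: bool

    @property
    def bfd_echo_self_addressed(self) -> bool:
        # UDP to the BFD echo port where source and destination IP are identical
        return self.proto == 17 and self.dport == BFD_ECHO_PORT and self.src == self.dst

def parse_debug_flow(text: str) -> List[PacketVerdict]:
    """Return one verdict per 'packet received' block in the debug output."""
    verdicts: List[PacketVerdict] = []
    cur: Optional[PacketVerdict] = None
    for line in text.splitlines():
        line = line.strip()
        if PKT_START_RE.match(line):          # a new packet block starts
            if cur:
                verdicts.append(cur)
            cur = None
            continue
        m = FLOW_RE.match(line)
        if m and cur is None:                 # first 5-tuple line of the block (it repeats)
            cur = PacketVerdict(m["src"], m["dst"], int(m["dport"]), int(m["proto"]), None, False)
        elif cur:
            pm = POLICY_RE.match(line)
            if pm:
                cur.policy_id = int(pm.group(1))
            if line.startswith("packet dropped"):
                cur.dropped = True
    if cur:
        verdicts.append(cur)
    return verdicts
```

Run `parse_debug_flow` over a captured trace and report any verdict with both `dropped` and `bfd_echo_self_addressed` set; those are the packets this article is about.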