Re: [cisco-ttl] CEF problem

From: Serhat Uslay <serhat.uslay_at_....>
Date: Fri, 15 May 2009 17:01:34 +1000

Mesut,
I could not see the continuation of the same session on two different firewalls; what goes to the second firewall is new traffic from the same source with different ports, and the sequence numbers are different anyway (I marked it below in different colours!). In other words, the same flow keeps flowing through the same firewall. Maybe VakifBank creates more than one HTTP flow and expects them to arrive from the same firewall, since the FW will do NAT. Discuss this with Cisco: remove the port hash from ip cef load balancing, so that load balancing is done only on source and destination IP, without the port entering the algorithm; that may fix the problem. Also,

in the output of show ip cef 195.142.247.11 and show ip cef 195.142.247.10,
can you see "per-destination sharing"?

Please let me know if you get a result. Best regards,

         Serhat

Mesut CAP <mesutcap_at_gmail.com>
Sent by: cisco-ttl_at_yahoogroups.com
13/05/2009 11:15 PM
Please respond to
cisco-ttl_at_yahoogroups.com

To
cisco-ttl_at_yahoogroups.com
cc

Subject
Re: [cisco-ttl] CEF problemi

Hello Serhat; the diagnose outputs from the firewalls are below. The logs below are generated while I am doing transactions on VakifBank internet banking from my computer. Packets belonging to the same session go to both firewalls. In the CEF sections of Cisco's documentation it says that sessions belonging to the same flow use the same routes, but in our case both routes are used simultaneously and the bank, rightly, closes the connection. In the logs, the lines on Firewall-1 starting with 26 move over to Firewall-2 at line number 87; I do not understand how something like this can happen. Same source, same destination, same flow. Very interesting...

Firewall-1 # diagnose sniffer packet mgmt1 'host 10.0.81.47' interfaces=[mgmt1]
filters=[host 10.0.81.47]

35.425041 10.0.81.47.4985 -> 195.142.247.11.443: syn 2622145687   Flow starts here !!
35.425164 195.142.247.11.443 -> 10.0.81.47.4985: syn 278876019 ack 2622145688

35.454684 10.0.81.47.4985 -> 195.142.247.11.443: ack 278878928 .........continues....

2622157290

61.957198 195.142.247.11.443 -> 10.0.81.47.4985: 279495160 ack 2622157290
61.957688 10.0.81.47.4985 -> 195.142.247.11.443: ack 279496620
61.957701 195.142.247.11.443 -> 10.0.81.47.4985: 279496620 ack 2622157290
61.957711 195.142.247.11.443 -> 10.0.81.47.4985: 279498080 ack 2622157290
61.957721 195.142.247.11.443 -> 10.0.81.47.4985: 279499540 ack 2622157290
61.958367 10.0.81.47.4985 -> 195.142.247.11.443: ack 279501000
61.958387 195.142.247.11.443 -> 10.0.81.47.4985: 279501000 ack 2622157290
61.958400 195.142.247.11.443 -> 10.0.81.47.4985: 279502460 ack 2622157290
61.958410 195.142.247.11.443 -> 10.0.81.47.4985: 279503920 ack 2622157290
61.958421 195.142.247.11.443 -> 10.0.81.47.4985: 279505380 ack 2622157290
61.959041 10.0.81.47.4985 -> 195.142.247.11.443: ack 279505380
61.959059 195.142.247.11.443 -> 10.0.81.47.4985: 279506840 ack 2622157290
61.959071 195.142.247.11.443 -> 10.0.81.47.4985: 279508300 ack 2622157290
61.959082 195.142.247.11.443 -> 10.0.81.47.4985: psh 279509760 ack 2622157290   latest sequence numbers
61.959375 10.0.81.47.4985 -> 195.142.247.11.443: ack 279508300
61.959712 10.0.81.47.4985 -> 195.142.247.11.443: ack 279509940

Firewall-2 # diagnose sniffer packet mgmt1 'host 10.0.81.47' interfaces=[mgmt1]
filters=[host 10.0.81.47]
87.419471 10.0.81.47.4954 -> 195.142.247.10.80: psh 1221527956 ack 24991464   This is a separate session: DA different, source port different
87.433458 195.142.247.10.80 -> 10.0.81.47.4954: psh 24991464 ack 1221528666
87.573184 10.0.81.47.4954 -> 195.142.247.10.80: ack 24991972
130.255747 10.0.81.47.4986 -> 195.142.247.11.443: syn 3330305057   This is the same SA but the source port is different! I.e. a new session ...
130.255875 195.142.247.11.443 -> 10.0.81.47.4986: syn 500446719 ack 3330305058
130.256083 10.0.81.47.4986 -> 195.142.247.11.443: ack 500446720
130.256326 10.0.81.47.4986 -> 195.142.247.11.443: psh 3330305058 ack 500446720
130.256404 10.0.81.47.4987 -> 195.142.247.11.443: syn 78147496
130.256500 195.142.247.11.443 -> 10.0.81.47.4987: syn 2846954191 ack 78147497   This is also a new session, source port different
130.256648 195.142.247.11.443 -> 10.0.81.47.4986: ack 3330305267   continuation of the previous session
130.257148 10.0.81.47.4987 -> 195.142.247.11.443: ack 2846954192
130.257361 10.0.81.47.4987 -> 195.142.247.11.443: psh 78147497 ack 2846954192
130.257623 195.142.247.11.443 -> 10.0.81.47.4987: ack 78147706
130.280976 195.142.247.11.443 -> 10.0.81.47.4987: psh 2846954192 ack 78147706
130.281904 10.0.81.47.4987 -> 195.142.247.11.443: psh 78147706 ack 2846954314
130.293715 195.142.247.11.443 -> 10.0.81.47.4986: 500446720 ack 3330305267
130.293726 195.142.247.11.443 -> 10.0.81.47.4986: 500448180 ack 3330305267
130.294254 10.0.81.47.4986 -> 195.142.247.11.443: ack 500449640
130.294358 195.142.247.11.443 -> 10.0.81.47.4986: psh 500449640 ack 3330305267
130.294610 195.142.247.11.443 -> 10.0.81.47.4987: 2846954314 ack 78148415
130.294619 195.142.247.11.443 -> 10.0.81.47.4987: psh 2846955774 ack 78148415
130.295167 10.0.81.47.4987 -> 195.142.247.11.443: ack 2846956151
130.297417 10.0.81.47.4986 -> 195.142.247.11.443: psh 3330305267 ack 500449771
130.297479 195.142.247.11.443 -> 10.0.81.47.4986: ack 3330305449
130.312411 195.142.247.11.443 -> 10.0.81.47.4986: psh 500449771 ack 3330305449
130.313160 10.0.81.47.4986 -> 195.142.247.11.443: psh 3330305449 ack 500449814
130.332046 195.142.247.11.443 -> 10.0.81.47.4986: psh 500449814 ack 3330306115
130.523751 10.0.81.47.4986 -> 195.142.247.11.443: ack 500450515
135.633441 10.0.81.47.4987 -> 195.142.247.11.443: psh 78148415 ack 2846956151
135.670260 195.142.247.11.443 -> 10.0.81.47.4987: ack 78149336
135.671410 195.142.247.11.443 -> 10.0.81.47.4987: psh 2846956151 ack 78149336
135.671795 195.142.247.11.443 -> 10.0.81.47.4987: 2846957599 ack 78149336
135.671883 195.142.247.11.443 -> 10.0.81.47.4987: 2846959059 ack 78149336
135.672263 10.0.81.47.4987 -> 195.142.247.11.443: ack 2846960519
135.672413 195.142.247.11.443 -> 10.0.81.47.4987: psh 2846960519 ack 78149336
135.854855 10.0.81.47.4987 -> 195.142.247.11.443: ack 2846961042
137.416836 10.0.81.47.4986 -> 195.142.247.11.443: psh 3330306115 ack 500450515
137.450109 195.142.247.11.443 -> 10.0.81.47.4986: ack 3330306902
137.485653 195.142.247.11.443 -> 10.0.81.47.4986: psh 500450515 ack 3330306902
137.485871 195.142.247.11.443 -> 10.0.81.47.4986: 500451963 ack 3330306902
137.486520 10.0.81.47.4986 -> 195.142.247.11.443: ack 500453423
137.486624 195.142.247.11.443 -> 10.0.81.47.4986: psh 500453423 ack 3330306902
137.665413 10.0.81.47.4986 -> 195.142.247.11.443: ack 500454060
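Serhat's suggestion above (take the L4 ports out of the CEF load-sharing hash so that every connection between one source/destination IP pair takes the same path) as an added example; this is not code from the original thread or from Cisco. It parses FortiGate `diagnose sniffer` lines taken from the capture in the thread into 5-tuples, shows that each 5-tuple was seen on only one firewall while the same IP pair was spread over both, and then compares an IP-only hash with a port-inclusive one. The hash is a generic SHA-256 standing in for Cisco's CEF algorithm, and the firewall names and the `seed` parameter are assumptions made for the model.

```python
"""
Model of CEF per-destination load sharing over two equal-cost next hops
(the two firewalls in the thread).  Added example, not from the original
post: the hash is a generic SHA-256 over header fields, NOT Cisco's real
CEF hashing.  It only demonstrates the property Serhat relies on: a hash
that ignores L4 ports pins all connections between one src/dst IP pair to
one next hop, while a hash that includes ports can spread them over both.
"""
import hashlib
import re
from collections import defaultdict

NEXT_HOPS = ["Firewall-1", "Firewall-2"]   # assumed names for the two paths


def cef_path(src_ip, dst_ip, sport=None, dport=None, include_ports=False, seed=0):
    """Pick a next hop for a packet.  `seed` stands in for the per-router
    ID that CEF mixes into its hash so routers in series do not polarise
    on the same decision (assumption: modelled as a plain integer)."""
    if include_ports:
        key = f"{seed}|{src_ip}|{dst_ip}|{sport}|{dport}"
    else:
        key = f"{seed}|{src_ip}|{dst_ip}"
    digest = hashlib.sha256(key.encode()).digest()
    return NEXT_HOPS[int.from_bytes(digest[:4], "big") % len(NEXT_HOPS)]


# Constructed subset of the `diagnose sniffer packet` lines in the thread:
# one packet per connection is enough to identify each client 5-tuple.
CAPTURE = {
    "Firewall-1": [
        "35.425041 10.0.81.47.4985 -> 195.142.247.11.443: syn 2622145687",
    ],
    "Firewall-2": [
        "87.419471 10.0.81.47.4954 -> 195.142.247.10.80: psh 1221527956 ack 24991464",
        "130.255747 10.0.81.47.4986 -> 195.142.247.11.443: syn 3330305057",
        "130.256404 10.0.81.47.4987 -> 195.142.247.11.443: syn 78147496",
    ],
}

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_sniffer_line(line):
    """Return (src_ip, sport, dst_ip, dport) for one sniffer line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["sip"], int(m["sport"]), m["dip"], int(m["dport"]))


def flows_by_firewall(capture):
    """Map each 5-tuple (TCP assumed) to the set of firewalls that saw it."""
    seen = defaultdict(set)
    for fw, lines in capture.items():
        for line in lines:
            tup = parse_sniffer_line(line)
            if tup:
                seen[tup].add(fw)
    return dict(seen)


def firewalls_per_ip_pair(flows):
    """Which firewalls carried any connection of each src/dst IP pair."""
    pairs = defaultdict(set)
    for (sip, _sp, dip, _dp), fws in flows.items():
        pairs[(sip, dip)] |= fws
    return dict(pairs)


def paths_used(src_ip, dst_ip, sports, dport, include_ports):
    """Set of next hops chosen for connections src_ip:sport -> dst_ip:dport."""
    return {cef_path(src_ip, dst_ip, sp, dport, include_ports) for sp in sports}


if __name__ == "__main__":
    flows = flows_by_firewall(CAPTURE)
    for tup, fws in sorted(flows.items()):
        print(f"{tup[0]}:{tup[1]} -> {tup[2]}:{tup[3]} seen on {sorted(fws)}")
    print("per IP pair:", firewalls_per_ip_pair(flows))
    client, server = "10.0.81.47", "195.142.247.11"
    print("IP-only hash, 3 connections:", paths_used(client, server, [4985, 4986, 4987], 443, False))
    print("port hash, 1024 connections:", paths_used(client, server, range(1024, 2048), 443, True))
```

With the IP-only policy all three TLS connections from 10.0.81.47 to 195.142.247.11 map to a single next hop, which is what a NAT firewall pair needs when the server side correlates several client connections. The cost is coarser balancing: one client/server pair can no longer be spread across both firewalls. On IOS the fields that feed the hash are chosen globally with `ip cef load-sharing algorithm` (the `include-ports` variants add the L4 ports; the address-only variants do not); the exact keywords differ between releases, so confirm them against the platform's documentation, and confirm the result with the `show ip cef <prefix>` check Serhat asks for.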



--
Cisco Technical Discussion List (Cisco-ttl)

All responsibility for applying the changes suggested on this list lies with the user. The list administrators, the list members making suggestions, and the organisations those members work for cannot be held responsible in any way.






Received on Fri May 15 2009 - 10:33:59 CEST

This archive was generated by hypermail 2.2.0 : Fri May 15 2009 - 10:33:59 CEST
