jkmathew77
IS-IT--Management
I think I have a pretty good idea of the culprit in the "poison IP address" mystery. I followed some packets through our network and learned that for some reason, some packets are simply ignored (or discarded) by the PIX firewall.
The PIX is supposed to be the default gateway between the 10.1.20.XXX network and the Internet. The PIX is also supposed to provide a SIP-aware firewall.
There seems to be some relationship between the originating IP address and the PIX's tendency to ignore/discard the packets. It may be that some internal table on the PIX is overflowing, or there may be some other bug or misconfiguration. What I saw was that I could follow packets as they traveled from 10.1.20.XXX devices, through the Router and to the "inside" interface of the PIX. From there, these should have been "NAT'ed" and then sent out on the PIX's "outside" interface, where they would be directed onto the T1 line to the outside world.
I did see *SOME* packets being handled correctly. These would properly reappear on the outside interface, and then the replies to those packets would come back to the PIX on its outside interface, have the reverse NAT processing applied and then be sent out of the inside interface and back to the original client (by way of the Router).
However, at the same time, other packets just died after making the hop from the PMR to the PIX. I saw this with both DNS requests and ICMP ("ping") requests that I was using as tracers through the network.
The treatment of packets by the PIX *SEEMED* to depend on the IP address of the origin of the packet, which would fit well with the observation of "poison IP addresses".
We have been pulling our hair out trying to figure out why this is happening... any ideas?
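The tracing described in the post (watch a packet arrive on the inside interface, check whether it reappears NAT'ed on the outside interface, and see which source addresses never make it through) can be automated once you have captures from both sides. The script below is an added example, not code from the original poster or from Cisco: it correlates two constructed, tcpdump-style capture summaries by matching on the fields that survive NAT (destination, protocol, and the ICMP id/seq or DNS transaction id) and groups inside sources into fully forwarded, partially dropped, and never forwarded. The capture format, the addresses, and the assumption that the per-packet identifier is preserved across the translation (true for 1:1 NAT; PAT can rewrite ICMP ids) are all assumptions of this example.

```python
"""Correlate inside/outside firewall captures to find source IPs whose
packets never reappear on the outside interface.

Added example; the capture lines below are constructed, not real data.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed capture summaries (hypothetical addresses). One packet per
# line: iface src dst proto ident, where ident is "icmp_id/seq" for ICMP
# echo or the DNS transaction id for DNS queries.
INSIDE = """\
inside 10.1.20.15 8.8.8.8 icmp 1201/1
inside 10.1.20.15 8.8.8.8 icmp 1201/2
inside 10.1.20.77 8.8.8.8 icmp 3300/1
inside 10.1.20.77 203.0.113.53 dns 0x4a2f
inside 10.1.20.42 203.0.113.53 dns 0x10b3
inside 10.1.20.42 8.8.8.8 icmp 800/1
"""

# After NAT the source is the firewall's public address (assumed here to be
# 198.51.100.5); note that nothing from 10.1.20.77 appears at all.
OUTSIDE = """\
outside 198.51.100.5 8.8.8.8 icmp 1201/1
outside 198.51.100.5 8.8.8.8 icmp 1201/2
outside 198.51.100.5 203.0.113.53 dns 0x10b3
"""


def parse(text):
    """Parse the constructed summary format into a list of packet dicts."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        iface, src, dst, proto, ident = line.split()
        packets.append({"iface": iface, "src": src, "dst": dst,
                        "proto": proto, "ident": ident})
    return packets


def flow_key(pkt):
    # The source address is rewritten by NAT, so match only on what survives
    # the translation. Assumption: ICMP id/seq and DNS txid are preserved
    # (holds for 1:1 NAT; PAT may rewrite the ICMP id).
    return (pkt["dst"], pkt["proto"], pkt["ident"])


def correlate(inside, outside):
    """Return {inside_src: {"sent": n, "forwarded": m}}.

    Each inside packet consumes at most one outside packet with the same
    flow key, so two hosts reusing the same ident cannot both be credited
    for a single translated packet.
    """
    remaining = Counter(flow_key(p) for p in outside)
    stats = defaultdict(lambda: {"sent": 0, "forwarded": 0})
    for p in inside:
        s = stats[p["src"]]
        s["sent"] += 1
        key = flow_key(p)
        if remaining[key] > 0:
            remaining[key] -= 1
            s["forwarded"] += 1
    return dict(stats)


def classify(stats):
    """Split sources into fully forwarded, partially dropped, and never
    forwarded (the "poison IP address" candidates), sorted by address."""
    result = {"ok": [], "partial": [], "dead": []}
    for src, s in sorted(stats.items(),
                         key=lambda kv: ipaddress.ip_address(kv[0])):
        if s["forwarded"] == s["sent"]:
            result["ok"].append(src)
        elif s["forwarded"] == 0:
            result["dead"].append(src)
        else:
            result["partial"].append(src)
    return result


if __name__ == "__main__":
    stats = correlate(parse(INSIDE), parse(OUTSIDE))
    for label, srcs in classify(stats).items():
        print(f"{label:8s} {', '.join(srcs) or '-'}")
    for src, s in stats.items():
        print(f"{src}: sent={s['sent']} forwarded={s['forwarded']}")
```

In practice the two summaries would come from simultaneous captures on the inside and outside segments; a source that lands in the "dead" bucket across several protocols, while its neighbours pass, is the one to look up in the firewall's translation and connection tables before assuming a network-wide fault.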