If the list of Current Connections shows TCP sessions, either optimized or pass-through, whose source and destination both lie in the IP subnet defined on the LAN side, then something is wrong with either the switches or the subnet mask configuration on the hosts: traffic between two hosts on the same subnet should never reach the Steelhead.
If such TCP sessions show up for only one host on the network, the first step is to check the IP address and subnet mask on that host and make sure they match the IP subnet and subnet mask configured on the router.
Figure 5.200. Running ipconfig on a Windows machine to check the subnet mask
C:\>ipconfig

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.0.1.1
        Subnet  . . . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.0.1.9

C:\>
Figure 5.201. Running ifconfig on a Unix machine to check the subnet mask
[~] edwin@t43>ifconfig bge0
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
        inet 10.0.1.1 mask 255.255.255.0
        ether d4:9a:20:c2:52:0e
        inet6 fe80::216:41ff:fe53:6b26%bge0 prefixlen 64 scopeid 0x1
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
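The two checks above (does the host's address and mask put it in the subnet the router is configured for, and are there sessions in the Current Connections list with both ends inside that LAN subnet) can be scripted. The following Python is an added example, not part of the original text or any Riverbed tool: it parses ipconfig and ifconfig output in the formats shown above, derives the host's subnet, compares it with an assumed router subnet (10.0.1.0/24), and flags LAN-local session pairs. The ipconfig/ifconfig samples and the (source, destination) pairs standing in for the Current Connections list are constructed for the example.

```python
import ipaddress
import re

# Constructed sample output, modelled on the ipconfig and ifconfig listings
# above; the hex netmask form exercises the BSD "netmask 0x..." variant.
IPCONFIG_OUTPUT = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 10.0.1.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.1.9
"""

IFCONFIG_OUTPUT = """\
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
        ether d4:9a:20:c2:52:0e
"""

# Constructed (src, dst) pairs standing in for the Current Connections list;
# the real list has more columns, only the endpoints matter here.
SAMPLE_CONNECTIONS = [
    ("10.0.1.1", "10.0.1.5"),
    ("10.0.1.1", "192.168.5.20"),
    ("10.0.1.7", "10.0.1.1"),
]

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"


def parse_ipconfig(text):
    """Return (ip, mask) from Windows ipconfig output."""
    ip = re.search(r"IP(?:v4)? Address[ .]*: *" + IPV4, text)
    mask = re.search(r"Subnet(?: Mask)?[ .]*: *" + IPV4, text)
    if not ip or not mask:
        raise ValueError("no IPv4 address and mask found in ipconfig output")
    return ip.group(1), mask.group(1)


def parse_ifconfig(text):
    """Return (ip, mask) from BSD or Linux ifconfig output.
    The mask may be dotted (255.255.255.0) or hex (0xffffff00)."""
    m = re.search(r"inet " + IPV4 + r" +(?:net)?mask +(\S+)", text)
    if not m:
        raise ValueError("no inet line found in ifconfig output")
    ip, mask = m.group(1), m.group(2)
    if mask.lower().startswith("0x"):
        mask = str(ipaddress.IPv4Address(int(mask, 16)))
    return ip, mask


def host_network(ip, mask):
    """The subnet a host believes it is on, derived from its address and mask."""
    return ipaddress.IPv4Interface(f"{ip}/{mask}").network


def check_host_against_router(ip, mask, router_subnet):
    """True when the host's derived subnet equals the subnet configured on the
    router (router_subnet in CIDR form, e.g. '10.0.1.0/24')."""
    return host_network(ip, mask) == ipaddress.ip_network(router_subnet)


def local_sessions(connections, lan_subnet):
    """Return the sessions whose both endpoints are inside the LAN subnet.
    Such traffic should never reach the Steelhead, so any hit points at a
    switching problem or a wrong subnet mask on a host."""
    lan = ipaddress.ip_network(lan_subnet)
    return [
        (src, dst) for src, dst in connections
        if ipaddress.ip_address(src) in lan and ipaddress.ip_address(dst) in lan
    ]


if __name__ == "__main__":
    lan = "10.0.1.0/24"  # assumed subnet configured on the router's LAN interface
    for label, parser, output in (("Windows", parse_ipconfig, IPCONFIG_OUTPUT),
                                  ("Unix", parse_ifconfig, IFCONFIG_OUTPUT)):
        ip, mask = parser(output)
        ok = check_host_against_router(ip, mask, lan)
        print(f"{label}: {ip}/{mask} -> {host_network(ip, mask)} matches router: {ok}")
    for src, dst in local_sessions(SAMPLE_CONNECTIONS, lan):
        print(f"LAN-local session seen on Steelhead: {src} -> {dst}")
```

A host configured with 255.255.0.0 instead of 255.255.255.0 derives 10.0.0.0/16 and fails the router comparison; that is the misconfiguration the first step above is looking for.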
Normally a switch knows which MAC addresses are behind each physical port and forwards Ethernet frames only to that port, so you will not see these packets on the Steelhead appliance.
If however the switch does not know on which port a MAC address is located, it forwards the frame out of all physical ports. There are a couple of reasons why the switch may not know where a MAC address is:
The host that sent the Ethernet frame has the MAC address for that IP address hard coded in its ARP table, so the frame may be addressed to a MAC address the switch has never seen a frame from.
The MAC address table on the switch is full and it cannot learn any new MAC address to port mappings.
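The learning and flooding behaviour described above is easy to see in a model. The following Python is an added illustration, not vendor code or anything from the original text: a toy learning switch that records the source MAC of every frame against its ingress port and floods any frame whose destination MAC is not in the table. Three scenarios reproduce the cases above: a normal conversation, a destination the switch never learns, and a full MAC table. The two MAC addresses are the ones from the capture further down; the port assignments other than Fa0/3 (which the switch output later shows) are assumptions, including Fa0/24 as the port the Steelhead LAN interface is connected to.

```python
class LearningSwitch:
    """Toy model of a learning Ethernet switch (illustration, not vendor code).
    Every frame teaches the switch 'source MAC is on the ingress port'; the
    destination MAC is looked up in that table, and an unknown destination is
    flooded out of every port except the one the frame arrived on."""

    def __init__(self, ports, table_size=None):
        self.ports = list(ports)
        self.table_size = table_size  # None means no limit
        self.mac_table = {}           # mac -> port
        self.flood_log = []           # (src, dst) of every flooded frame

    def learn(self, mac, port):
        if mac in self.mac_table:
            self.mac_table[mac] = port   # refresh an existing entry
        elif self.table_size is None or len(self.mac_table) < self.table_size:
            self.mac_table[mac] = port
        # else: table full, the new mapping is silently not learned

    def forward(self, src, dst, in_port):
        """Return the egress port list for a frame src -> dst received on in_port."""
        self.learn(src, in_port)
        out = self.mac_table.get(dst)
        if out == in_port:
            return []                    # destination is on the ingress port: filtered
        if out is not None:
            return [out]                 # known destination: one port only
        self.flood_log.append((src, dst))
        return [p for p in self.ports if p != in_port]


# Constructed topology: MACs from the capture, ports (except Fa0/3) assumed.
HOST_A = "d4:9a:20:c2:52:0e"
HOST_B = "00:0e:b6:42:f8:98"
PORT_A, PORT_B, PORT_SH = "Fa0/3", "Fa0/7", "Fa0/24"   # Fa0/24: Steelhead LAN side
PORTS = [PORT_A, PORT_B, PORT_SH, "Fa0/5"]


def scenario_normal():
    """Both hosts talk: after one exchange the switch knows both, nothing more is flooded."""
    sw = LearningSwitch(PORTS)
    sw.forward(HOST_A, HOST_B, PORT_A)   # B unknown yet: flooded, Steelhead sees it once
    sw.forward(HOST_B, HOST_A, PORT_B)   # B's reply teaches the switch where B is
    later = sw.forward(HOST_A, HOST_B, PORT_A)
    return later, len(sw.flood_log)      # (['Fa0/7'], 1)


def scenario_never_learned():
    """The sender has B's MAC hard coded and the switch never sees a frame
    from B, so every frame to B keeps being flooded, including to the Steelhead."""
    sw = LearningSwitch(PORTS)
    egress = [sw.forward(HOST_A, HOST_B, PORT_A) for _ in range(3)]
    return all(PORT_SH in e for e in egress), len(sw.flood_log)   # (True, 3)


def scenario_table_full():
    """Table exhausted by another host: B does transmit, but its mapping cannot
    be learned, so frames to B are still flooded."""
    sw = LearningSwitch(PORTS, table_size=1)
    sw.forward("00:11:22:33:44:55", HOST_A, "Fa0/5")   # constructed host fills the slot
    sw.forward(HOST_B, HOST_A, PORT_B)                 # B transmits, not learned
    egress = sw.forward(HOST_A, HOST_B, PORT_A)
    return HOST_B in sw.mac_table, PORT_SH in egress   # (False, True)


if __name__ == "__main__":
    print("normal       :", scenario_normal())
    print("never learned:", scenario_never_learned())
    print("table full   :", scenario_table_full())
```

In the last two scenarios every frame to 00:0e:b6:42:f8:98 leaves on Fa0/24 as well, which is exactly how a LAN-local TCP session ends up in the Steelhead's capture.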
The way to troubleshoot this is to take a short capture of a TCP session on the Steelhead, including the link layer details:
Figure 5.202. Tcpdump capture for a LAN side TCP conversation
SH # tcpdump -ni lan0_0 -le -c 10 host 10.0.1.1 and host 10.0.1.5
08:12:56.776625 d4:9a:20:c2:52:0e > 00:0e:b6:42:f8:98, ethertype IPv4 (0x0800), length 82: \
    10.0.1.1.59623 > 10.0.1.5.80: Flags [.], ack 13, win 65535, options [nop,nop,TS val \
    1821865 ecr 1813898], length 0
08:12:56.777495 d4:9a:20:c2:52:0e > 00:0e:b6:42:f8:98, ethertype IPv4 (0x0800), length 82: \
    10.0.1.1.59623 > 10.0.1.5.80: Flags [.], ack 1445, win 65535, options [nop,nop,TS val \
    1821865 ecr 1813898], length 0
08:12:56.778494 d4:9a:20:c2:52:0e > 00:0e:b6:42:f8:98, ethertype IPv4 (0x0800), length 82: \
    10.0.1.1.59623 > 10.0.1.5.80: Flags [.], ack 2877, win 65535, options [nop,nop,TS val \
    1821865 ecr 1813898], length 0
08:12:56.778561 d4:9a:20:c2:52:0e > 00:0e:b6:42:f8:98, ethertype IPv4 (0x0800), length 82: \
    10.0.1.1.59623 > 10.0.1.5.80: Flags [.], ack 4309, win 65535, options [nop,nop,TS val \
    1821866 ecr 1813898], length 0
As can be seen, the MAC addresses are the ones expected. Also note that this traffic is only coming from one host, the one with IP address 10.0.1.5.
The next step is to check whether the switch knows where to send frames for these MAC addresses. On a Cisco switch the command is show mac address-table.
Figure 5.203. Check the MAC address table
SWITCH # show mac address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
[...]
   1    d49a.20c2.520e    DYNAMIC     Fa0/3
[...]
SWITCH # show mac address-table | i d49a.20c2.520e
   1    d49a.20c2.520e    DYNAMIC     Fa0/3
SWITCH # show mac address-table | i 000e.b642.f898
SWITCH #
So the switch knows where to find MAC address d4:9a:20:c2:52:0e, but not where 00:0e:b6:42:f8:98 is located, and therefore every frame to 00:0e:b6:42:f8:98 gets forwarded out of all ports.
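Matching the MAC addresses in the capture against the switch's table by hand works for one session; for a longer capture it is worth scripting. The following Python is an added example, not from the original text or any Riverbed or Cisco tool: it joins the backslash-wrapped tcpdump -e lines, extracts source and destination MAC and the IP endpoints, converts the MACs to the dotted format that show mac address-table prints, and reports every destination MAC the switch has no entry for. The capture lines and the MAC table are constructed samples mirroring the two listings above (the second table entry, 0011.2233.4455 on Fa0/9, is invented filler).

```python
import re

# Constructed capture in the format of 'tcpdump -ni lan0_0 -le', with the
# trailing-backslash line wrapping used in the listing above.
CAPTURE = r"""08:12:56.776625 d4:9a:20:c2:52:0e > 00:0e:b6:42:f8:98, ethertype IPv4 (0x0800), length 82: \
    10.0.1.1.59623 > 10.0.1.5.80: Flags [.], ack 13, win 65535, options [nop,nop,TS val \
    1821865 ecr 1813898], length 0
08:12:56.777495 d4:9a:20:c2:52:0e > 00:0e:b6:42:f8:98, ethertype IPv4 (0x0800), length 82: \
    10.0.1.1.59623 > 10.0.1.5.80: Flags [.], ack 1445, win 65535, options [nop,nop,TS val \
    1821865 ecr 1813898], length 0
"""

# Constructed 'show mac address-table' output; the second entry is filler.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    d49a.20c2.520e    DYNAMIC     Fa0/3
   1    0011.2233.4455    DYNAMIC     Fa0/9
"""

MAC = r"[0-9a-f:]{17}"
IPV4 = r"\d+\.\d+\.\d+\.\d+"
FRAME_RE = re.compile(
    rf"^(?P<ts>\S+) (?P<src>{MAC}) > (?P<dst>{MAC}), .*?"
    rf"(?P<sip>{IPV4})\.(?P<sport>\d+) > (?P<dip>{IPV4})\.(?P<dport>\d+):"
)
TABLE_RE = re.compile(r"\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)")


def join_continuations(text):
    """Undo the backslash-newline wrapping so each frame is one line again."""
    return re.sub(r"\\\n\s*", "", text)


def parse_frames(text):
    """Return one dict per frame: timestamp, src/dst MAC, src/dst IP and port."""
    frames = []
    for line in join_continuations(text).splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append(m.groupdict())
    return frames


def to_cisco(mac):
    """d4:9a:20:c2:52:0e -> d49a.20c2.520e, the format 'show mac address-table' uses."""
    digits = mac.replace(":", "").lower()
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def parse_mac_table(text):
    """Return {cisco_mac: {'vlan', 'type', 'port'}} from 'show mac address-table'."""
    table = {}
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            table[mac] = {"vlan": int(vlan), "type": kind, "port": port}
    return table


def unknown_destinations(frames, table):
    """Destination MACs the switch has no entry for, with the flows addressed to
    them. Frames to these MACs are flooded out of every port, which is why the
    Steelhead sees a LAN-local conversation at all."""
    missing = {}
    for f in frames:
        if to_cisco(f["dst"]) not in table:
            flow = f"{f['sip']}:{f['sport']} -> {f['dip']}:{f['dport']}"
            missing.setdefault(f["dst"], []).append(flow)
    return missing


if __name__ == "__main__":
    table = parse_mac_table(MAC_TABLE)
    for mac, flows in unknown_destinations(parse_frames(CAPTURE), table).items():
        print(f"{mac} ({to_cisco(mac)}) not in MAC table; {len(flows)} flooded frame(s)")
        for flow in sorted(set(flows)):
            print("   ", flow)
```

Run against the two listings above this reports 00:0e:b6:42:f8:98 as the unknown destination, with both frames of the 10.0.1.1:59623 -> 10.0.1.5:80 flow addressed to it.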
The next step would be to find out why the switch doesn't know about the destination MAC address.