5.27. LAN side traffic is seen on the Steelhead appliance

If the list of Current Connections shows TCP sessions, either optimized or pass-through, between two IP addresses that both belong to the IP subnet defined on the LAN side, then something is wrong: the Steelhead appliance sits between the LAN switch and the WAN router, and traffic between two hosts on the same LAN subnet should be switched directly between them and never reach it. The cause is either in the switches or in the subnet mask definitions on the hosts.

5.27.1. IP subnet and subnet mask mismatch

If these TCP sessions show up for only one host on the network, the first step is to check the IP address and subnet mask on that host and make sure they match the IP subnet and subnet mask configured on the router. A host whose mask is narrower than the router's treats part of its own subnet as remote and sends that traffic to its default gateway, which is on the far side of the Steelhead appliance, so the session shows up in Current Connections. Note that BSD systems print the netmask in hexadecimal (0xffffff00 is 255.255.255.0), while Windows and Linux print it in dotted form.

Figure 5.200. Running ipconfig on a Windows machine to check the subnet mask

C:\>ipconfig

Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix . :
    IP Address . . . . . . . . . . . : 10.0.1.1
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway. . . . . . . . . : 10.0.1.9

C:\>

Figure 5.201. Running ifconfig on a Unix machine to check the subnet mask

[~] edwin@t43>ifconfig bge0
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
        inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
        ether d4:9a:20:c2:52:0e
        inet6 fe80::216:41ff:fe53:6b26%bge0 prefixlen 64 scopeid 0x1 
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
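The following added example (not from the original book) models the forwarding decision that a wrong subnet mask on a host causes, using Python's ipaddress module. It assumes the router defines 10.0.1.0/24 with default gateway 10.0.1.9, as in the figures above; the second host 10.0.1.200, the host 10.0.2.7 and the wrong masks are assumed values for illustration.

```python
import ipaddress

# Assumed from the figures above: the router defines 10.0.1.0/24 and the hosts
# use 10.0.1.9 as default gateway. The peers 10.0.1.200 and 10.0.2.7 are constructed.
ROUTER_SUBNET = ipaddress.ip_network("10.0.1.0/24")
GATEWAY = ipaddress.ip_address("10.0.1.9")


def host_network(ip, mask):
    """The network a host believes it is on, derived from its own address and mask.
    Accepts a dotted mask (255.255.255.128) or a prefix length (25)."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def mask_matches_router(ip, mask, router_subnet=ROUTER_SUBNET):
    """First check from the text: does the host's idea of its subnet equal the router's?"""
    return host_network(ip, mask) == router_subnet


def next_hop(src_ip, src_mask, dst_ip, gateway=GATEWAY):
    """Where the sending host puts the packet on the wire. Only the sender's own
    mask matters: destinations inside its network are ARPed for and sent directly,
    everything else is handed to the default gateway (the router behind the Steelhead)."""
    if ipaddress.ip_address(dst_ip) in host_network(src_ip, src_mask):
        return "direct"
    return f"via {gateway}"


def seen_on_steelhead(src_ip, src_mask, dst_ip, router_subnet=ROUTER_SUBNET, gateway=GATEWAY):
    """True when a packet between two hosts that the router considers to be on the same
    LAN subnet is nevertheless sent towards the gateway, i.e. through the in-path
    Steelhead appliance, because the sender's mask is narrower than the router's."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    both_on_lan = src in router_subnet and dst in router_subnet
    return both_on_lan and next_hop(src_ip, src_mask, dst_ip, gateway) != "direct"


def report(src_ip, src_mask, dst_ip):
    """One line per case, for reading the effect of a mask by eye."""
    ok = "matches" if mask_matches_router(src_ip, src_mask) else "MISMATCH"
    hop = next_hop(src_ip, src_mask, dst_ip)
    seen = "seen on Steelhead" if seen_on_steelhead(src_ip, src_mask, dst_ip) else "not seen on Steelhead"
    return f"{src_ip}/{src_mask} -> {dst_ip}: mask {ok}, sent {hop}, {seen}"


if __name__ == "__main__":
    # Correct mask: same-subnet traffic stays on the switch.
    print(report("10.0.1.1", "255.255.255.0", "10.0.1.200"))
    # Mask too narrow (/25): hosts above 10.0.1.127 look remote to 10.0.1.1,
    # so the session goes to the gateway and shows up in Current Connections.
    print(report("10.0.1.1", "255.255.255.128", "10.0.1.200"))
    # ...but 10.0.1.5 is still inside the /25, so those sessions are delivered directly.
    print(report("10.0.1.1", "255.255.255.128", "10.0.1.5"))
    # Mask too wide (/16): 10.0.2.7 looks local, the host ARPs for it and gets no
    # answer, so nothing reaches the Steelhead at all (a different symptom).
    print(report("10.0.1.1", "255.255.0.0", "10.0.2.7"))
```

The point of the third case is that a too-narrow mask only affects sessions to part of the subnet, which is why the symptom can appear for one host and only some of its peers.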

5.27.2. Switch related issues

Normally a switch learns which MAC address is behind which physical port from the source addresses of the frames it receives, and it forwards a frame only out of the port where the destination MAC address was learned. The LAN interface of the Steelhead appliance is just another port on that switch, so frames between two hosts on the LAN never reach it.

If however the switch does not know where a destination MAC address is, it floods the frame out of all ports in that VLAN (unknown unicast flooding), and the Steelhead appliance sees it on its LAN interface. The switch can fail to know a MAC address for a couple of reasons:

  • The host which sends the frames has a static ARP entry for the destination IP address, so it never sends an ARP request and never triggers an ARP reply from the destination. The switch learns only from frames it receives from a MAC address, never from frames sent to it, so if the destination host is quiet for longer than the MAC aging time (300 seconds by default on Cisco switches) the entry ages out and is not relearned. The same happens when the static ARP entry points to a MAC address that is not on the network at all.

  • The MAC address table on the switch is full and it cannot learn any new MAC address to port mappings. This is also what a MAC flooding attack causes on purpose, so that unicast traffic becomes visible on every port.

The way to troubleshoot this is to take a short capture on the Steelhead appliance of one of the affected TCP sessions, including the link layer details (the -e option of tcpdump prints the source and destination MAC addresses):

Figure 5.202. Tcpdump capture for a LAN side TCP conversation

SH # tcpdump -ni lan0_0 -le -c 10 host 10.0.1.1 and host 10.0.1.5
08:12:56.776625 d4:9a:20:c2:52:0e > 00:0e:b6:42:f8:98, ethertype IPv4 (0x0800), length 82: \
     10.0.1.1.59623 > 10.0.1.5.80: Flags [.], ack 13, win 65535, options [nop,nop,TS val \
     1821865 ecr 1813898], length 0
08:12:56.777495 d4:9a:20:c2:52:0e > 00:0e:b6:42:f8:98, ethertype IPv4 (0x0800), length 82: \
     10.0.1.1.59623 > 10.0.1.5.80: Flags [.], ack 1445, win 65535, options [nop,nop,TS val \
     1821865 ecr 1813898], length 0
08:12:56.778494 d4:9a:20:c2:52:0e > 00:0e:b6:42:f8:98, ethertype IPv4 (0x0800), length 82: \
     10.0.1.1.59623 > 10.0.1.5.80: Flags [.], ack 2877, win 65535, options [nop,nop,TS val \
     1821865 ecr 1813898], length 0
08:12:56.778561 d4:9a:20:c2:52:0e > 00:0e:b6:42:f8:98, ethertype IPv4 (0x0800), length 82: \
     10.0.1.1.59623 > 10.0.1.5.80: Flags [.], ack 4309, win 65535, options [nop,nop,TS val \
     1821866 ecr 1813898], length 0

The source MAC address d4:9a:20:c2:52:0e is the one of host 10.0.1.1 shown in Figure 5.201, so the MAC addresses are the ones expected. Also note that only one direction of the session is seen: all frames come from 10.0.1.1, and none of the frames from 10.0.1.5 back to 10.0.1.1 show up. So the frames to the MAC address 00:0e:b6:42:f8:98 are being flooded by the switch, while the frames to d4:9a:20:c2:52:0e are not.

The next step is to check whether the switch knows on which ports these MAC addresses are located. On a Cisco switch the command is show mac address-table; note that Cisco IOS writes MAC addresses as d49a.20c2.520e rather than d4:9a:20:c2:52:0e.

Figure 5.203. Check the MAC address table

SWITCH # show mac address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
[...]
   1    d49a.20c2.520e    DYNAMIC     Fa0/3
[...]
SWITCH # show mac address-table | i d49a.20c2.520e
   1    d49a.20c2.520e    DYNAMIC     Fa0/3
SWITCH # show mac address-table | i 000e.b642.f898
SWITCH #

So the switch knows that d4:9a:20:c2:52:0e is behind port Fa0/3, but it has no entry for 00:0e:b6:42:f8:98. Therefore frames to 00:0e:b6:42:f8:98 are flooded out of all ports of VLAN 1, including the port the LAN interface of the Steelhead appliance is connected to, while the replies to d4:9a:20:c2:52:0e go straight to Fa0/3 and are never seen.

The next step is to find out why the switch doesn't know about the destination MAC address. Useful checks are show mac address-table count, which shows how many entries are in use and how much space is left (a full table points to the second cause above, or to a MAC flooding attack), show mac address-table aging-time, and the ARP cache on host 10.0.1.1 (arp -a on Windows, arp -an on Unix), where a hard coded entry shows up as static or permanent. If the entry is static, check that the MAC address in it really belongs to 10.0.1.5 and that that host is actually on the network.
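As an added example (not part of the original book), the following Python script automates the comparison done by hand in this section: it parses the tcpdump -e output and the show mac address-table output, and flags same-subnet sessions seen on the Steelhead, sessions seen in one direction only, and MAC addresses from the capture that the switch has not learned. The sample capture and table are constructed from Figures 5.202 and 5.203, rewrapped onto one line per frame; the LAN subnet 10.0.1.0/24 is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: the frames of Figure 5.202, one per line (tcpdump -e
# output), and the relevant row of the Figure 5.203 MAC address table.
CAPTURE = """\
08:12:56.776625 d4:9a:20:c2:52:0e > 00:0e:b6:42:f8:98, ethertype IPv4 (0x0800), length 82: 10.0.1.1.59623 > 10.0.1.5.80: Flags [.], ack 13, win 65535, options [nop,nop,TS val 1821865 ecr 1813898], length 0
08:12:56.777495 d4:9a:20:c2:52:0e > 00:0e:b6:42:f8:98, ethertype IPv4 (0x0800), length 82: 10.0.1.1.59623 > 10.0.1.5.80: Flags [.], ack 1445, win 65535, options [nop,nop,TS val 1821865 ecr 1813898], length 0
08:12:56.778494 d4:9a:20:c2:52:0e > 00:0e:b6:42:f8:98, ethertype IPv4 (0x0800), length 82: 10.0.1.1.59623 > 10.0.1.5.80: Flags [.], ack 2877, win 65535, options [nop,nop,TS val 1821865 ecr 1813898], length 0
"""

MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    d49a.20c2.520e    DYNAMIC     Fa0/3
"""

LAN_SUBNET = ipaddress.ip_network("10.0.1.0/24")  # assumed: the subnet defined on the router

# tcpdump -e line: time, src MAC > dst MAC, ethertype ..., then src IP.port > dst IP.port:
FRAME_RE = re.compile(
    r"^(?P<time>\S+) (?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), ethertype IPv4 .*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)
# show mac address-table row: vlan, MAC in Cisco dotted form, type, port
TABLE_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)")


def cisco_mac(mac):
    """d4:9a:20:c2:52:0e -> d49a.20c2.520e, the notation Cisco IOS uses."""
    h = mac.replace(":", "").lower()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_capture(text):
    """One dict per frame with smac, dmac, sip, sport, dip, dport."""
    return [m.groupdict() for m in map(FRAME_RE.match, text.splitlines()) if m]


def parse_mac_table(text):
    """Map Cisco-style MAC -> (vlan, type, port); header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            vlan, mac, typ, port = m.groups()
            table[mac] = (int(vlan), typ, port)
    return table


def analyse(capture_text, mac_table_text, lan_subnet=LAN_SUBNET):
    frames = parse_capture(capture_text)
    table = parse_mac_table(mac_table_text)
    directions = defaultdict(set)   # unordered host pair -> (src, dst) directions seen
    same_subnet = set()             # pairs that should never have reached the Steelhead
    unknown = {}                    # MAC the switch has not learned -> IP it carried
    for f in frames:
        pair = frozenset((f["sip"], f["dip"]))
        directions[pair].add((f["sip"], f["dip"]))
        if ipaddress.ip_address(f["sip"]) in lan_subnet and ipaddress.ip_address(f["dip"]) in lan_subnet:
            same_subnet.add(pair)
        for mac, ip in ((f["smac"], f["sip"]), (f["dmac"], f["dip"])):
            if cisco_mac(mac) not in table:
                unknown[mac] = ip
    # A session seen in one direction only means the other direction is being
    # switched normally; the direction we do see is the one being flooded.
    one_way = {pair: next(iter(d)) for pair, d in directions.items() if len(d) == 1}
    return {"same_subnet": same_subnet, "one_way": one_way, "unknown_macs": unknown}


if __name__ == "__main__":
    r = analyse(CAPTURE, MAC_TABLE)
    for pair in r["same_subnet"]:
        a, b = sorted(pair)
        print(f"same-subnet session {a} <-> {b} seen on the Steelhead: should not be here")
    for pair, (src, dst) in r["one_way"].items():
        print(f"only the {src} -> {dst} direction is seen; frames to {dst} are being flooded")
    for mac, ip in r["unknown_macs"].items():
        print(f"switch has no MAC table entry for {mac} ({ip}): this is why it floods")
```

Run against a real capture, feed it the full show mac address-table output rather than a grep for a single address, so that a MAC learned on an unexpected port or VLAN also shows up as a mismatch rather than a missing entry.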