intel / VNB-main


Unable to forward ICMP traffic using Rawforward feature #1

Open ilanr opened 7 years ago

ilanr commented 7 years ago

See attached document with configuration and setup details. Kindly help.

SecMon_Test.pdf

saddepalli commented 7 years ago

Hi Ilanr,

Glad that you could successfully build the SECMON broker and were able to install the broker, agent and EMS. I am trying to understand your setup. Did you install the broker and EMS on a VM or on a physical machine on bare metal? It looks like you have installed the broker, agent and EMS on the same machine. That should be okay.

It is best if you could install EMS on one VM and broker/agent on application VMs.

It would be nice if you could list down the configuration file and parameter values of each configuration file at the broker/agent side.

Thanks Srini

bajpairajat commented 7 years ago

Hi Ilanr,

As per the setup you have mentioned in the PDF, we think you had some problems specifying configurations.

So let's first complete the configurations:

The following information tells that the plugin servers are listening on the mentioned IP/port, from which notifications from EMS can be received:

The following information is used by SecMon to know where EMS is running:

Now Debugging,

Let us know if you face any further problems

Thanks & Regards, Rajat

saddepalli commented 7 years ago

Hi Rajat,

On this "Secmon Egress interface: eth9": I guess this is the interface to which the tools are connected. Why does it need to be mentioned? Trying to understand the purpose of it. Normally, UDP encapsulated packets would be routed appropriately by the Linux kernel. I might be missing something. Please elaborate.

Thanks Srini

saddepalli commented 7 years ago

Hi Ilan,

One more thing I would like to mention is that the raw packets sent by the broker to the tools are UDP encapsulated. If you are observing the packets at the tool side, you will not see ICMP in Wireshark. You may be seeing UDP packets there?

I remember that VNB supports both sflow packet encapsulation as well as UDP encapsulation. Are both supported in the code now?

Thanks Srini

ilanr commented 7 years ago

Hi Srini/Rajat, Thanks for your response.

@Srini: Yes, I installed everything on the same machine. I will try to check the same using a separate VM. Regarding UDP, yes, I understood that part. I was looking for UDP traffic in Wireshark, not ICMP. I don't see sflow configuration in the code. Only two options, Rawforward and Netflow.

@Rajat: I was able to get it to work once when I rebooted the machine and configured the agent based on your response. After fresh configuration I saw raw UDP packets on the eth10 interface in which the payload is an ICMP packet. I left it for a few minutes and then when I came back it did not work. I could not see UDP packets on eth10 anymore.

Here is the latest configuration on agent side,

SecMon egress interface: eth9
SecMon plugin server IP: 192.168.2.214
SecMon rawforward plugin server port: 3000
SecMon netflow plugin server port: 4000
EMS server IP: 192.168.2.214
EMS server port: 9082
EMS server scope: Scope1
Interface to be bound to DPDK: eth1

Saw the following messages in the syslog file,

Aug 2 00:31:38 ubuntu SecMonAgent[9313]: calling init function...
Aug 2 00:31:38 ubuntu SecMonAgent[9313]: calling receive_data function...
Aug 2 00:31:38 ubuntu SecMonAgent[9313]: ERROR:RAWFORWARD bind failed
Aug 2 00:31:38 ubuntu SecMonAgent[9313]: ERROR:RAWFORWARD server can't able to start
Aug 2 00:31:39 ubuntu SecMonAgent[9313]: calling config function...
Aug 2 00:31:39 ubuntu SecMonAgent[9313]: calling send_packet function...
Aug 2 00:31:39 ubuntu SecMonAgent[9313]: path = /opt/secmon/plugins

I already tried doing everything fresh after a reboot, but that did not help. Any other pointers on how to debug this issue?

1) I have a basic doubt about DPDK. Once I configured the NIC in DPDK mode, I could not see that interface in ifconfig. How can I assign an IP address in this situation?

2) Is there any way to get statistics from SecMon Agent for the number of processed packets or something?

Again, thanks for your help.

bajpairajat commented 7 years ago

Hi Srini,

You are right, we don't require the sending entity's IP address to send UDP packets to the peer entity; that is handled by default by the Linux kernel. The value of the "SecMon Egress Interface" option was used by a component which we removed a while back. We will update the scripts and configuration files to match those changes. Thanks for pointing it out.

Thanks & Regards, Rajat

bajpairajat commented 7 years ago

Hi Ilanr,

As per your setup, I think one of three things might be causing the problem.

  1. The static ARP entry of the interface bound to DPDK is dropped. You can check the ARP entry; if it's dropped, you have to add it again.
  2. When you left the machine, did you leave the VMs up and running, or did you close them? If you closed them, then you have to start SecMon Agent using the installer script again. Just the configure and run steps.
  3. Looking at the syslog, it seems one of the plugin servers was unable to start. It might be possible that some other service is using that port. Please check whether there is a SecMon Agent instance already running when you are starting a new instance of SecMon. If yes, then you have to close that process.

Now, moving to the two doubts you are having.

  1. When you bind an interface to DPDK, it doesn't have access to the Linux kernel stack. The "ifconfig" command fetches its entries from the Linux kernel, so it shows only interfaces which have access to the Linux kernel stack. That's why you don't see the interface in the "ifconfig" command output. Such interfaces have MAC addresses but they don't have IP addresses.
  2. We have debug logs inside SecMon, but for that you have to build SecMon with the "SECMON_DEBUG_LOGS" flag. A step for building with logs enabled is not currently added in the installer script.

Let us know if you face any other problems.

Thanks & Regards, Rajat
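
Added example, not part of the original thread or of the VNB code base: a probe for the "RAWFORWARD bind failed" syslog line discussed above, which tries to bind the configured plugin server IP and ports and reports why a bind would fail. The thread does not say whether the plugin servers use UDP or TCP, so both are probed (an assumption); the IP and ports are the ones from the agent configuration posted earlier.

```python
import errno
import socket

# errno from bind() -> probable cause of a "bind failed" log line
CAUSES = {
    errno.EADDRINUSE: "in-use",         # another process (or an old agent) holds ip:port
    errno.EADDRNOTAVAIL: "no-such-ip",  # IP is not on any kernel-visible interface
    errno.EACCES: "permission",         # port needs privileges the caller lacks
}

def probe_bind(ip, port, kind=socket.SOCK_DGRAM):
    """Bind ip:port as a server would (no SO_REUSEADDR); return 'free' or a cause."""
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind((ip, port))
        except OSError as e:
            return CAUSES.get(e.errno, "errno-%s" % e.errno)
    return "free"

def check_plugin_ports(ip, ports):
    """Probe every named port over UDP and TCP (protocol choice is an assumption)."""
    kinds = (("udp", socket.SOCK_DGRAM), ("tcp", socket.SOCK_STREAM))
    return {(name, proto): probe_bind(ip, port, kind)
            for name, port in ports.items() for proto, kind in kinds}

if __name__ == "__main__":
    # Values taken from the agent configuration posted in this thread.
    results = check_plugin_ports("192.168.2.214",
                                 {"rawforward": 3000, "netflow": 4000})
    for (name, proto), state in sorted(results.items()):
        print("%-10s %s %s" % (name, proto, state))
```

Run it on the agent machine with the agent stopped: `in-use` means some other process, such as a stale SecMon Agent instance, still holds the port, while `no-such-ip` means the configured address is not assigned to any interface the kernel can see.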

ilanr commented 7 years ago

Hi Rajat,

Question related to the DPDK interface. When I use the script vnb_components_installer.sh, I had to configure the interface to be bound to DPDK.

Questions:

1) Is there any way to simply take the traffic from a regular Linux IP interface instead of a DPDK interface?

2) Is it possible to take traffic from multiple interfaces, apply a scope and forward to a remote? Ex: eth1, eth2 -> Scope1(FilterICMP) -> Rawforward(Send to Remote)

Thanks for your help in advance. Regards, Ilan

ssaras2x commented 7 years ago

Hi Ilan,

  1. To provide data acceleration, it was chosen that SecMon would operate on DPDK interfaces only.
  2. At the architecture level, traffic was to be directed towards the ingress port of SecMon. So traffic from different sources can be directed towards SecMon, and this particular use case was never needed. So it has not been tested that SecMon receives packets from multiple interfaces. But it should work with the rawforward plugin.

regards, saurabh

ilanr commented 7 years ago

Hi Saurabh,

Thank you for the response, that really helps. Is there any limit on the number of SecMon agents? What is the maximum number of agents that you have tested? Do you see any scalability issues if we run a lot of SecMon agents?

Regards, Ilan

saraswatsaurabh commented 7 years ago

Hi Ilan,

It has been tested with only one SecMon agent, but if there is memory and cores then multiple instances can also be launched.

regards, saurabh