Re: MVM scan engine with multiple IP addresses (static routes)

I would expect that with multiple NICs you also have multiple default gateways, so MVM is able to pick up both the settings and would try both gateways. In this configuration of multiple IPs on one NIC and one default gateway it seems to bypass the logic configured via static routes. You're correct, it is the former (the source IP address is incorrect); in fact there really is only one interface. I have an SR open and have submitted all the pertinent information. I'll post back here when a resolution has been determined. Thanks again for your input on this.

Re: MVM scan engine with multiple IP addresses (static routes)

Just to add to the above, although the configuration of multiple default gateways is possible, as far as I am aware (and indeed logically, given that you can only have one default), only one default gateway will be used at any time. You should really have one default gateway even when using multiple NICs, and if it is the case where configuration of static routes is unmanageable on the other interface, you should use dynamic routing protocols.

Right, from your comments above (sorry if I missed this earlier), "there really is only one interface" and "in this configuration of multiple IPs on one NIC", I assume that you are using VLAN trunking/tagging on one NIC. Have you got a default gateway configured on each VLAN interface in this case, and if so, is there any specific reason why this is required?

Message was edited by: dmease729 on 13/06/13 10:37:41 CDT
McAfee Employee jhaynes

Re: MVM scan engine with multiple IP addresses (static routes)

I'm Jeff Haynes, the Manager for WW MVM Tier 3 Support, and I have a few comments.

First, there can only be one default gateway. Yes, Microsoft gives you the ability to shoot yourself in the foot and configure more, but it will not work. The reason is that each default gateway will have a metric of 0 and then the OS will resort to the binding order of the NICs, which essentially means that NIC is the real default gateway.

Second, the product is designed to use the routing table of the OS. Previous versions of MVM, back in the 5.0 days, didn't honor the routing table for discovery, but that was changed years ago. We do not use the Windows TCP stack (Winsock), though, and have implemented WinPcap, which shouldn't play any role in this. I have lots of customers using static routes on W2K3 and W2K8R2 without any reported issues. That doesn't mean there aren't any. I also wasn't able to reproduce this issue in our lab. My guess is there is something wrong with your routing table, but unless you post the entire table it will be difficult to narrow this down.

Another option would be for you to submit a service request so we can take a look at it.

Jeff Haynes

Manager WW Tier III Support Risk & Compliance

Security Management Business Unit

Re: MVM scan engine with multiple IP addresses (static routes)

Hi Jeff,

Glad to see someone from McAfee jump in on this! Interesting that others have been able to successfully implement this setup, and good to know MVM should be picking up on the local routing table configuration. I can PM you the routing table in question if you would be able to further assist? I also already have an SR open for this and have provided all the evidence as outlined above. I'm having a hard time understanding how this could be a routing configuration issue when sending a ping from the scan engine gives successful results but MVM shows inactive. I can see in the packet captures it's using the incorrect source IP address... similar to if I were to run ping -S [ip-address not able to reach target (primary IP)]: this would not be successful, but a ping with no options is, as it picks up on the secondary IP address and the directive as per the static routes.

Message was edited by: edburns on 6/14/13 10:44:12 AM CDT
McAfee Employee jhaynes

Re: MVM scan engine with multiple IP addresses (static routes)

I agree that having work is an anomaly that I'd like to explain. It's always possible that you are running into a bug that most people aren't seeing. That's why my team pointed this post out to me. What is the SR number for the case you have logged?

Jeff Haynes

Manager WW Tier III Support Risk & Compliance

Security Management Business Unit

Re: MVM scan engine with multiple IP addresses (static routes)

Thanks Jeff, really appreciate the help! The SR # is 3-3099196243.

Re: MVM scan engine with multiple IP addresses (static routes)

Just in case anybody else comes across this post, I have just seen the following whilst perusing the latest KBs:

https://kc.mcafee.com/agent/index?page=content&id=KB78940&actp=LIST

Re: MVM scan engine with multiple IP addresses (static routes)

I believe I'm running into a very similar issue. My SR 4-4124068277 was closed because they said it was our network config... but I'm still not so sure.

I'll give as much detail as I can. This is a DMZ scan engine with two NICs. The default gateway is on the "internal" NIC and I have set up static routes for the external IP space. When I first boot the appliance the ARP table for the external interface looks like this:

Interface: xxx.xxx.162.116 --- 0xd
  Internet Address      Physical Address      Type
  xxx.xxx.160.1         xx-xx-xx-xx-ac-51     dynamic
  224.0.0.2             xx-xx-xx-xx-00-02     static
  224.0.0.10            xx-xx-xx-xx-00-0a     static
  224.0.0.22            xx-xx-xx-xx-00-16     static
  224.0.0.252           xx-xx-xx-xx-00-fc     static

with the 160.1 address being the gateway specified in the static routes for the external IP space.

If I run a discovery on a single external IP while the ARP table looks like this, it works correctly. The traffic is routed through the 160.1 (ac-51) gateway as specified by the static route. BUT, if I schedule and run a discovery that adds additional entries to the ARP table for the same 160.0/22 subnet, the scanner will start sending traffic to the wrong gateway.

For example, after running a discovery the ARP table looks like this:

Interface: xxx.xxx.162.116 --- 0xd
  Internet Address      Physical Address      Type
  xxx.xxx.160.1         xx-xx-xx-xx-ac-51     dynamic
  xxx.xxx.160.26        xx-xx-xx-xx-6d-d6     dynamic
  xxx.xxx.160.50        xx-xx-xx-xx-4e-1f     dynamic
  224.0.0.2             xx-xx-xx-xx-00-02     static
  224.0.0.10            xx-xx-xx-xx-00-0a     static
  224.0.0.22            xx-xx-xx-xx-00-16     static
  224.0.0.252           xx-xx-xx-xx-00-fc     static

If I then re-run the discovery on the single external IP that I did previously, the scanner will send the traffic to the 160.50 (4e-1f) interface instead of the 160.1 (ac-51) gateway. If I manually delete the ARP entry for 4e-1f it will send it to the 160.26 (6d-d6) interface. Additionally, during this same time I can open a web browser and browse to a web page hosted on the external IP I'm trying to scan, and the web browser traffic is directed over the 160.1 (ac-51) interface as expected and the web page loads just fine.

Message was edited by: woodsjw on 11/25/13 11:11:30 AM GMT-08:00

Message was edited by: woodsjw on 11/25/13 11:12:40 AM GMT-08:00
McAfee Employee jhaynes

Re: MVM scan engine with multiple IP addresses (static routes)

The MVM scan engine relies entirely on the OS to send packets out the right interface. Evan's issue was kind of a corner case, as he had assigned two IPs to the same NIC. MS doesn't give an API that allows us to query the OS for multiple IPs on the same NIC, so we were only seeing one of them. We had to build some logic into the scan engine to make a smarter choice than what the OS was allowing us to make in this case.

One of the things you should focus on is making this all work independent of the MVM product using telnet, tracert and ping. If you can get those to work the MVM product should work.

The fix for Evan's issue will be in the next patch. If you open an SR there isn't any reason you can't try the hotfix we have, if you are on 7.5.5, to see if that helps.

Jeff Haynes

Re: MVM scan engine with multiple IP addresses (static routes)

Thanks for the response Jeff. It's the same response Platinum Support gave me on the first ticket, and it makes sense. Unfortunately, that's not what I'm seeing in testing. The fact is it does work via ping, telnet, etc. I can have a web page hosted by the IP I'm trying to scan open in a web browser on the scan engine and refresh the page successfully while the scan is running. Wireshark will show the browser using the correct gateway, and the scanner using the wrong gateway at the same time. I can reproduce 100% that the scanner tries to communicate using whatever the first dynamic entry (bottom-up) is in the ARP cache. If I reboot the appliance so the only dynamic entry is the correct gateway, or manually delete the other ARP cache entries until the correct gateway is the only dynamic entry, the scan succeeds.

I had not done this much testing when I opened the case originally. Maybe the best thing would be to open a new one, since I have something that I can reproduce reliably.
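Both symptoms in this thread (the wrong source IP on a NIC with two addresses, and frames going to the first dynamic ARP entry instead of the static-route gateway) come down to one check: what the OS routing table says the packet should look like versus what Wireshark shows. The following is an added diagnostic example, not code from the thread or from MVM, that parses constructed `route print` / `arp -a` style samples (documentation-range addresses and placeholder MACs, not the posters' real ones), applies the Windows selection rule (longest prefix, then lowest metric) and flags a captured frame whose source IP or destination MAC does not match the routed path.

```python
import ipaddress

# Constructed 'route print' / 'arp -a' samples (documentation-range addresses, placeholder
# MACs): 198.51.102.116 is the "external" NIC, 10.0.0.116 the "internal" NIC with the default gateway.
ROUTE_PRINT = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1       10.0.0.116     10
         10.0.0.0    255.255.255.0          On-link       10.0.0.116    266
     198.51.100.0    255.255.252.0          On-link   198.51.102.116    266
      203.0.113.0    255.255.255.0     198.51.100.1   198.51.102.116     11
"""
ARP_A = """
Interface: 198.51.102.116 --- 0xd
  Internet Address      Physical Address      Type
  198.51.100.1          00-00-5e-00-ac-51     dynamic
  198.51.100.26         00-00-5e-00-6d-d6     dynamic
  198.51.100.50         00-00-5e-00-4e-1f     dynamic
"""

def parse_routes(text):
    """Return (network, gateway, interface IP, metric) tuples."""
    routes = []
    for line in text.strip().splitlines()[1:]:   # skip the column header
        dest, mask, gw, iface, metric = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes

def parse_arp(text):
    """Map IP -> MAC for dynamic ARP entries; header lines are skipped."""
    rows = (line.split() for line in text.strip().splitlines())
    return {r[0]: r[1] for r in rows if len(r) == 3 and r[2] == "dynamic"}

def expected_path(routes, arp, dst):
    """(source IP, next hop, next-hop MAC) per OS lookup: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    net, gw, iface, _ = max((r for r in routes if addr in r[0]),
                            key=lambda r: (r[0].prefixlen, -r[3]))
    hop = dst if gw == "On-link" else gw
    return iface, hop, arp.get(hop)

def check_capture(routes, arp, dst, seen_src_ip, seen_dst_mac):
    """Non-empty result: the captured frame did not follow the OS routing table."""
    src, hop, mac = expected_path(routes, arp, dst)
    findings = []
    if seen_src_ip != src:
        findings.append(f"source IP {seen_src_ip} but route uses {src}")
    if seen_dst_mac.lower() != (mac or "").lower():
        findings.append(f"sent to {seen_dst_mac} but next hop {hop} is {mac}")
    return findings
```

Feed it the real `route print` and `arp -a` output plus the source IP and destination MAC of one scanner frame from the capture; a finding on the MAC matches the ARP-cache behaviour described above, a finding on the source IP matches the two-IPs-on-one-NIC case.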
