6 Replies Latest reply on Jun 30, 2011 4:41 PM by bperez

    Sticky Connections

      Hi Gurus,


      I have an MFE 410F V8.1 with two Internet links.


      My scenario is:


      Interface em0 is and the Lan Router Interface is

      Interface bge0 is and the Lan Router Interface is


      The default gateway of my MFE is


      So, please let me describe my issues:


      1. Both Internet links are provided by the same provider and I don't know which IP address I could monitor in order to configure the ISP redundancy correctly.

      What happens if I don't configure monitor addresses and only configure the default and backup routes?


      2. This is the most important item for me right now.

      I have some policies permitting access from the Internet to my partners and I'm using public IP addresses of both Internet links for it. For instance, for https access from the Internet I'm using and for Terminal Server access I'm using

      With another firewall that configuration worked well, but with my MFE it is not working. I found the following log:


      2011-03-21 19:29:35 -0500 f_kernel_ipfilter a_general_area t_nettraffic p_major

      hostname: fw.local event: session end application: <Unknown TCP>

      netsessid: a34244d87ed6f src_geo: CO srcip: srcport: 28220

      srczone: Internet2 protocol: 6 dstip: dstport: 3389

      dstzone: Servidores bytes_written_to_client: 0 bytes_written_to_server: 0

      rule_name: <Pending Application Identification> cache_hit: 0

      start_time: 2011-03-21 19:29:35 -0500


      2011-03-21 19:29:38 -0500 f_kernel a_nil_area t_netprobe p_major

      hostname: fw.local event: TCP SYN/ACK netprobe src_geo: CO

      srcip: srcport: 3389 srczone: Internet2 dst_geo: CO

      dstip: dstport: 28220 protocol: 6 interface: lo7

      reason: Received a SYN/ACK packet that did not match a pending outgoing connection.  This may indicate a scanning attack or routing problem.


      Does MFE not support sticky connections? Any idea in order to solve this issue?


      Thanks in advance.
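Added example (not part of the thread, and not McAfee code): a small parser for the audit records quoted above, plus a correlation check that tells a "TCP SYN/ACK netprobe" caused by a reply leaving on the wrong link apart from a real SYN/ACK scan. The record text is constructed from the post's two log entries; the IP addresses are documentation-range placeholders, because the post does not show the real ones, and the set of published ports is an assumption.

```python
"""Parse MFE (Sidewinder) audit records and classify SYN/ACK netprobes.

A netprobe whose ports are the mirror image of a zero-byte session that ended a
few seconds earlier on a port we publish is the return half of a connection the
firewall lost track of (asymmetric routing), not a scan.
"""
import re
from datetime import datetime

# Constructed sample: the two records quoted in the post, with documentation-range
# addresses substituted for the IPs the post omits (assumption).
SAMPLE_AUDIT = """\
2011-03-21 19:29:35 -0500 f_kernel_ipfilter a_general_area t_nettraffic p_major
hostname: fw.local event: session end application: <Unknown TCP>
netsessid: a34244d87ed6f src_geo: CO srcip: 192.0.2.55 srcport: 28220
srczone: Internet2 protocol: 6 dstip: 203.0.113.10 dstport: 3389
dstzone: Servidores bytes_written_to_client: 0 bytes_written_to_server: 0
rule_name: <Pending Application Identification> cache_hit: 0
start_time: 2011-03-21 19:29:35 -0500

2011-03-21 19:29:38 -0500 f_kernel a_nil_area t_netprobe p_major
hostname: fw.local event: TCP SYN/ACK netprobe src_geo: CO
srcip: 203.0.113.10 srcport: 3389 srczone: Internet2 dst_geo: CO
dstip: 192.0.2.55 dstport: 28220 protocol: 6 interface: lo7
reason: Received a SYN/ACK packet that did not match a pending outgoing connection.  This may indicate a scanning attack or routing problem.
"""

# Services the firewall publishes on the ISP2 address (assumption for the demo).
PUBLISHED_PORTS = {443, 3389}

# First line: timestamp, tz offset, facility, area, type, priority.
HEADER = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ([+-]\d{4}) (\S+) (\S+) (\S+) (\S+)$")
# Body: "key: value" pairs; values may contain spaces, so stop before the next key.
KV = re.compile(r"(\w+): (.*?)(?=\s+\w+: |$)")


def parse_audit(text):
    """Split the audit text into records (blank-line separated) and parse each."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER.match(lines[0])
        if not m:
            continue
        rec = {
            "time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "facility": m.group(3), "area": m.group(4),
            "type": m.group(5), "priority": m.group(6),
        }
        body = " ".join(line.strip() for line in lines[1:])
        rec.update({k: v for k, v in KV.findall(body)})
        records.append(rec)
    return records


def classify_netprobes(records, window_seconds=5):
    """Return (time, srcport, verdict) for every SYN/ACK netprobe.

    verdict is "asymmetric-routing" when a zero-byte session with swapped ports
    from the same client ended within window_seconds before the probe and the
    probe's source port is a service we publish; otherwise "possible-scan".
    """
    sessions = [r for r in records if r.get("event") == "session end"]
    verdicts = []
    for p in records:
        if p.get("event") != "TCP SYN/ACK netprobe":
            continue
        mirror = [
            s for s in sessions
            if s.get("srcport") == p.get("dstport")
            and s.get("dstport") == p.get("srcport")
            and s.get("srcip") == p.get("dstip")
            and s.get("bytes_written_to_server") == "0"
            and 0 <= (p["time"] - s["time"]).total_seconds() <= window_seconds
        ]
        if mirror and int(p["srcport"]) in PUBLISHED_PORTS:
            verdicts.append((p["time"], p["srcport"], "asymmetric-routing"))
        else:
            verdicts.append((p["time"], p["srcport"], "possible-scan"))
    return verdicts


if __name__ == "__main__":
    for when, port, verdict in classify_netprobes(parse_audit(SAMPLE_AUDIT)):
        print(when, "srcport", port, "->", verdict)
```

The point of the check is the one the log's own reason text hints at: the 3-second gap between a session that ended with zero bytes on port 3389 and a SYN/ACK from port 3389 to the same client port is a routing problem, not a scan, and that pair is what you should look for before treating netprobe alerts on your published ports as hostile.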

        • 1. Re: Sticky Connections



          On your first question: only one ISP connection can be active at a time, which means that your primary connection will be active if you do not set up a monitor.


          On your second question: you cannot use both connections for inbound or outbound traffic. We did our own script that checks the MFE default route status and, depending on this, does some tasks. Imagine MFE knows that it is in failover ISP mode, so MFE could alternate its default public IP with a new one. Correct?


          MFE has crontab, so anyone could do scripts. At the moment it is not forbidden by the OS.



          You have another solution to your second problem too: because the provider is the same, he should also allow the source IP of your first connection on the second, and the source IP of the second on the first (reversed). If this is done and the provider does not drop such packets as spoofed ones, your config will work. I suppose right now the traffic that should exit from the second connection exits on the first one because of the default route, and the ISP drops these packets as spoofed. You could see it with tcpdump on em0 looking for IP


          Hope this helps.

          Next few days I will post our script. It automates the 'reset default route' process that is at the moment manual.

          • 2. Re: Sticky Connections



            I got the following answer from McAfee support:


            This is called asynchronous routing and it will work if you:
            1) create a stateless, bi-directional service to use in your rule (may work)
            2) create a route back out your ISP2 interface so this traffic knows to go back out the interface it came in on (will work for sure)

            The best thing to do is number 2. These connections do not work by default through the firewall, since this is not how routing works in general.


            I'd appreciate it if anyone can guide me with an example configuration.



            • 3. Re: Sticky Connections



              Option 2 should work. Could you check with support how to configure it? I do not know what they mean, but I am curious about their answer.



              • 4. Re: Sticky Connections



                This is what you wrote to me:


                We did an easy test, creating a policy allowing terminal server to the IP of the interface em5 (Backup ISP) and redirecting this traffic to an internal host.
                The test was unsuccessful.


                It seems as if the firewall denies this traffic because the incoming connection comes through one interface and the outgoing packet goes through a different interface.  Does the McAfee firewall not support sticky connections?


                I then wrote to you what you mentioned above: this is called asynchronous routing.  You asked for an example so I wrote this to you:


                A routing example:

                Your firewall configuration:
                external IP_1:
                default route:
                external IP_2:
                internal IP:
                web server IP:
                No other routes. (This is important.)


                If a computer with IP comes to your external IP_2 interface ( and gets redirected to (web server) on your internal network, the response from back to will go out your external IP_1 interface ( because that is where your Default Route is.  It will not go back out the interface (IP_2) because you have NO explicit route pointing any traffic going to to some device on the interface.  If you do not have a route for a destination IP or network your traffic will go out the interface that points to your default route.  That's what's happening in your situation.


                What I didn't explicitly say was "Since you do not know exactly which IPs are going to arrive over your ISP_2 interface (e.g. they're not all going to be coming from of course) this is not practical in your situation."


                The one thing you could do:  make your ISP_2 router NAT all the connections so they appear to be coming from the router itself.  That way you will always send the return traffic back out the same link it came in on.  You will not see any IPs other than your ISP's router, but this setup will work.


                The firewall simply does not do what you want to do; the feature does not exist on the firewall, unfortunately.


                If you want to request this feature be considered for addition to the firewall you can file a Product Enhancement Request.
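Added example (not from the thread, and not McAfee's code): a longest-prefix-match simulation of the routing example support gives above. It shows the reply to a connection that arrived on IP_2 leaving via the default route on IP_1, support's option 2 (an explicit route back out ISP2) and why it only helps for the clients you already know, and the source-based policy route (choose the table by the reply's source address) that a "Policy Routes" feature would provide. Interface names follow the post (em0 for ISP1, bge0 for ISP2); the addresses are documentation-range placeholders and are assumptions, as the thread's real ones are not shown.

```python
"""Simulate the firewall's egress decision for reply traffic with two ISP links."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str   # next hop; "" for a directly connected network
    iface: str


def lookup(table, dst):
    """Longest-prefix match over a list of Routes; None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


# Constructed topology (documentation ranges; an assumption, not the thread's IPs).
ISP1_IF, ISP1_NET, ISP1_GW = "em0", "198.51.100.0/24", "198.51.100.1"
ISP2_IF, ISP2_NET, ISP2_GW = "bge0", "203.0.113.0/24", "203.0.113.1"
LAN_IF, LAN_NET = "em1", "10.0.0.0/24"
EXT_IP_1, EXT_IP_2 = "198.51.100.10", "203.0.113.10"   # external IP_1 / IP_2


def main_table():
    """The firewall's table as support describes it: connected nets + one default."""
    return [
        Route(ipaddress.ip_network(ISP1_NET), "", ISP1_IF),
        Route(ipaddress.ip_network(ISP2_NET), "", ISP2_IF),
        Route(ipaddress.ip_network(LAN_NET), "", LAN_IF),
        Route(ipaddress.ip_network("0.0.0.0/0"), ISP1_GW, ISP1_IF),  # default route
    ]


def reply_egress(table, client_ip):
    """Interface the reply to client_ip leaves on when only the destination is consulted."""
    return lookup(table, client_ip).iface


def with_host_route(table, client_ip):
    """Support's option 2: an explicit route for this one client back out ISP2."""
    host = ipaddress.ip_network(client_ip + "/32")
    return table + [Route(host, ISP2_GW, ISP2_IF)]


def policy_reply_egress(src_ip, client_ip):
    """Source-based policy routing: replies sourced from IP_2 use an ISP2-only table,
    everything else falls back to the main table. This covers clients you never
    listed, which is what the per-client host route cannot do."""
    isp2_table = [Route(ipaddress.ip_network("0.0.0.0/0"), ISP2_GW, ISP2_IF)]
    if ipaddress.ip_address(src_ip) == ipaddress.ip_address(EXT_IP_2):
        return lookup(isp2_table, client_ip).iface
    return reply_egress(main_table(), client_ip)


if __name__ == "__main__":
    client, other = "192.0.2.55", "192.0.2.99"   # constructed Internet clients
    print("default route only      :", reply_egress(main_table(), client))
    fixed = with_host_route(main_table(), client)
    print("host route, known client:", reply_egress(fixed, client))
    print("host route, other client:", reply_egress(fixed, other))
    print("policy route from IP_2  :", policy_reply_egress(EXT_IP_2, other))
    print("policy route from IP_1  :", policy_reply_egress(EXT_IP_1, other))
```

With only the default route, every reply leaves on em0 regardless of which link the SYN arrived on, which is exactly the SYN/ACK that the ISP1 path (or the ISP's spoof filter) never expected. The host route repairs one client at a time; the policy route keyed on the reply's own source address is the general fix, and it is the capability the firewall in this thread lacks.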

                • 5. Re: Sticky Connections



                  Although your solution works (make your ISP_2 router NAT all the connections), the firewall will be a blind spot for detecting the source of attacks.

                  Please keep in mind that we bought a Security Solution!

                  • 6. Re: Sticky Connections

                    I have the same issue with routing. I have three E1 links and my need is to route by protocol to a different ISP (i.e. streaming to the Internet, VPN, web server). I also have a small McAfee SnapGear UTM 580, and with its "Policy Routes" functionality this is very easy to implement. How is it possible that in the enterprise firewall I can't do that! I filed the PER to integrate that functionality 1 year ago.


                    [image: policy routes.jpg]


                    Message edited by: bperez on 30/06/11 04:41:33 PM CDT