Default_Access_Rule

Post by Peter » 22 Aug 2008, 13:27

This FAQ applies to:
  • Clavister CorePlus™ & cOS Core all versions

Question:
I have a lot of "Default_Access_Rule" events in my logs. What is the cause of this?

Answer:
Basically, "Default_Access_Rule" indicates a routing problem. The receive interface has received a packet from a source IP that is NOT routed on this interface. Such a packet is dropped by Default_Access_Rule.

Example:

We have 2 Interfaces named Lan and Dmz with the following routes:

Route Lan 192.168.10.0/24
Route Dmz 192.168.20.0/24

Now, as an example, I move a PC from behind the Dmz interface and place it behind the Lan interface without changing its IP address to the correct one. The logs will then be filled with events that look something like this:
  • RULE: id=06000051 rev=1 event=ruleset_drop_packet action=drop rule=Default_Access_Rule recvif=Lan srcip=192.168.20.100 destip=224.0.0.22 iphdrlen=24 ipproto=IGMP ipdatalen=16 type=34 maxresp=0 groupaddr=0.0.0.1
  • ARP: id=00300049 rev=1 event=invalid_arp_sender_ip_address action=drop rule=Default_Access_Rule recvif=Lan hwsender=00-0c-23-2c-30-4a hwdest=ff-ff-ff-ff-ff-ff arp=request srcenet=00-0c-29-2c-30-4a srcip=192.168.20.100 destenet=00-00-00-00-00-00 destip=192.168.20.1

The reason is that 192.168.20.100 is not routed on the Lan interface, so packets from it are dropped by the Default_Access_Rule.

Troubleshooting:
Troubleshooting Default_Access_Rule is usually pretty simple, as it is ALWAYS some kind of routing problem, whether it originates from the client(s)/server(s), switches, routing tables, etc. The main problem is that we have received a packet on this interface that is NOT routed there. Your best friend here is the logs: they will immediately tell you which interface the packet was received on and from which IP. If we look at the example above, we clearly see that we have received a packet from an IP address that is not routed on that interface. For a clear view of the routing table, simply type "routes" in the remote console.

Another good "tool" to troubleshoot problems with Default_Access_Rule is the ping simulation described in the following article: viewtopic.php?f=8&t=3401
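The log check described under Troubleshooting, as an added example that is not part of the original FAQ and not Clavister code: it parses the `key=value` fields of each event and reports on which interface the source IP is actually routed. It assumes one route per interface, entered by hand from the "routes" output; `ROUTES`, `parse_fields` and `explain_drop` are hypothetical names.

```python
import ipaddress
import re

# Routes from the FAQ example: interface -> network routed on it.
ROUTES = {
    "Lan": ipaddress.ip_network("192.168.10.0/24"),
    "Dmz": ipaddress.ip_network("192.168.20.0/24"),
}

# The two events from the FAQ example, with trailing fields trimmed.
SAMPLE_LOG = [
    "RULE: id=06000051 rev=1 event=ruleset_drop_packet action=drop "
    "rule=Default_Access_Rule recvif=Lan srcip=192.168.20.100 destip=224.0.0.22",
    "ARP: id=00300049 rev=1 event=invalid_arp_sender_ip_address action=drop "
    "rule=Default_Access_Rule recvif=Lan srcip=192.168.20.100 destip=192.168.20.1",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_fields(line):
    """Split a 'CATEGORY: key=value ...' log line into a dict."""
    category, _, rest = line.partition(":")
    fields = dict(FIELD_RE.findall(rest))
    fields["category"] = category.strip()
    return fields


def explain_drop(line, routes=ROUTES):
    """Return (recvif, srcip, routed_on) for a Default_Access_Rule drop, else None.

    routed_on lists the interfaces whose route covers srcip; an empty list
    means no configured route matches the source address at all.
    """
    f = parse_fields(line)
    if f.get("rule") != "Default_Access_Rule" or "srcip" not in f:
        return None
    src = ipaddress.ip_address(f["srcip"])
    routed_on = [ifname for ifname, net in routes.items() if src in net]
    return f.get("recvif"), f["srcip"], routed_on


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        result = explain_drop(entry)
        if result:
            recvif, srcip, routed_on = result
            where = ", ".join(routed_on) or "no interface"
            print(f"{srcip} arrived on {recvif} but is routed on {where}")
```

An empty `routed_on` list points at a missing route rather than a host plugged into the wrong segment.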
