- Clavister CorePlus™ & cOS Core all versions
I have alot of "Default_Access_Rule" events in my logs, what is the cause of this?
Basically "Default_Access_Rule" is a routing problem. The Receive interface has received a packet from a source IP that is NOT routed on this interface. The action for this is dropped by Default_Access_Rule.
We have 2 Interfaces named Lan and Dmz with the following routes:
Route Lan 192.168.10.0/24
Route Dmz 192.168.20.0/24
Now as an example i move a PC behind the Dmz interface and place it behind the Lan interface without changing the IP to the correct one, the logs will be filled with events that look something like this:
RULE: id=06000051 rev=1 event=ruleset_drop_packet action=drop rule=Default_Access_Rule recvif=Lan srcip=192.168.20.100 destip=18.104.22.168 iphdrlen=24 ipproto=IGMP ipdatalen=16 type=34 maxresp=0 groupaddr=0.0.0.1
And the reason is that since 192.168.20.100 is not routed on the Lan interface it will be dropped by the Default_Access_Rule.ARP: id=00300049 rev=1 event=invalid_arp_sender_ip_address action=drop rule=Default_Access_Rule recvif=Lan hwsender=00-0c-23-2c-30-4a hwdest=ff-ff-ff-ff-ff-ff arp=request srcenet=00-0c-29-2c-30-4a srcip=192.168.20.100 destenet=00-00-00-00-00-00 destip=192.168.20.1
Troubleshooting Default_Access_Rule is usually pretty simple as it is ALWAYS a kind of routing problem. Either from the client(s)/server(s), switches, routing tables etc etc. The main problem is that we have received a packet on this interface that is NOT routed there. Your best friend here is the logs, they will immediately tell you which interface the packet was received on and from which IP. If we look at the example above we clearly see that we have received a packet from an IP address that is not routed on that interface. For a clear view of the routing table simply type "routes" in the remote console.
Another good "tool" to troubleshoot problems with Default_Access_Rule is the ping simulation described in the following article: viewtopic.php?f=8&t=3401
A second example of default_access_rule that could be slightly confusing is when then source IP is not shown in the log but only a MAC address such as this:
In this scenario it is an ARP broadcast were the IP address is only shown in the data payload. When doing a log query in InControl for instance it may be shown as if the source IP is 0.0.0.0, but the IP address will be shown in the payload. It is a small limitation in how this particular log is presented. A way to see the real source IP would be to either use the arpsnoop command in the CLI or examine a packet capture (PCAP) of the query.Default_Access_Rule;Warning;ARP;invalid_arp_sender_ip_address;drop;G1:003056BD4EC0;FFFFFFFFFFFF;Arp;Failed to verify ARP sender IP address. Dropping