help needed - UDP Spoofing on VM not working

digeratimaximus replied on Mon, Jun 29 2009 9:44 PM

We are trying to use UDP spoofing to forward unaltered syslog events to a SIEM collector. We tried using the RFC 3164 headers first, but there still seems to be some extraneous information added to the messages.

The Kiwi Syslog server is running as a VM on a VMWare ESX server. When using the Kiwi syslog server dialog box, the default adapter is some VPN dialup adapter, the secondary choice is actually the VMWare adapter. The Kiwi server has been running successfully with the current configuration for a while, collecting events from Windows servers via SNARE and Cisco ASA FW and FWSMs.

When we try to check the box for UDP spoofing and select the VMWare adapter, we receive an error message stating that the default GW MAC could not be resolved. The test also fails, of course.

This seems confusing since we were successfully sending UDP on port 514 earlier in the day with no problems.

What is different with the UDP spoofing packets that could confuse the virtual switch? Can someone describe the actual packet format, and what MAC and IP address are used? I would assume the MAC address would be the MAC of the switch port that the Kiwi host would use to get to the original source host, and the IP address would be "spoofed" to look like the original source host. Is this a correct assumption?

If so, wouldn't the host IP address be associated with two separate switch ports in the bridging table? 1 for the upstream port to the actual location, and 1 for the port that is spoofing the address?

Verified Answer

Kuz (SolarWinds Employee) replied on Thu, Oct 8 2009 8:31 PM
Verified by MarieB

Hi aliendan,

Thanks for the feedback.  We're very much aware that this is a priority bug for people, and acknowledge it as an issue in the current version (9.0) of Kiwi Syslog Server.  It is our intention to have this issue fixed in a forthcoming release, although I can't comment on when exactly that will be.

If possible, can you please raise a support ticket, so we can track it back to you as soon as a fix is available?
http://www.solarwinds.com/support/

For internal folks, this issue is already being tracked as TT#960.

If you could mention TT#960 in your support ticket, that would help in getting the fix to you.

Kind Regards,
Mike Kuzman.

 

Mike Kuzman - Lead Software Developer
Kiwi Syslog Server - Kiwi Syslog Web Access - SolarWinds Log Forwarder for Windows - Orion Core
SolarWinds |  network management simplified


All Replies

Kuz (SolarWinds Employee) replied on Thu, Jul 2 2009 4:14 AM

The key difference between normal UDP syslog sending and the UDP packet spoofing option is that the packet spoofing option creates an entire Ethernet II Frame from scratch and sends it from the selected adapter.  In order to do this, Kiwi Syslog Server needs to fill in the MAC address of the destination (a required part of the frame) - so that the IP packet can be routed by the network to the recipient device.

The error message "Unable to send custom packet: Cannot determine MAC address of destination, or the default gateway MAC address for the selected Network Adapter" means that (for whatever reason) Kiwi Syslog Server was unable to obtain the MAC address of either the destination or the default gateway (in the case of the destination being on a different subnet).  Kiwi Syslog Server's normal behaviour in this instance is to query the ARP table for the MAC address and, if not found, send an ARP request, populating the ARP table and thereby obtaining the MAC address (for the gateway).

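
As an added example (not code from the thread, from Kuz, or from Kiwi Syslog Server), the Python block below models the frame Kuz describes and answers digeratimaximus's earlier question about the packet format: the Ethernet destination is the MAC of the next hop (the collector itself when it is on the forwarder's subnet, otherwise the default gateway, looked up in an ARP cache), the Ethernet source is the forwarder's own MAC, and only the IP source address is set to the original sender. It also decodes such a frame, verifies the IPv4 header checksum, and shows the defender-side check that would reveal an IP/MAC mismatch on the forwarder's segment. Every host, MAC, address, the `ARP_TABLE` dictionary and all function names are constructed assumptions for the example.

```python
"""Added example (not Kiwi Syslog Server's code): build a constructed
Ethernet II / IPv4 / UDP syslog frame of the kind a spoofing forwarder
emits, decode it, pick the MAC the forwarder must resolve, and flag
IP/MAC mismatches. All hosts, MACs and addresses are sample values."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
SYSLOG_PORT = 514


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header. Summing a header
    that already carries a valid checksum yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def next_hop(dst_ip: str, local_ip: str, netmask: str, gateway_ip: str) -> str:
    """IP whose MAC belongs in the Ethernet destination field: the collector
    itself if it is on the forwarder's subnet, otherwise the default gateway.
    This models the behaviour Kuz describes; it is not Kiwi's own logic."""
    subnet = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
    return dst_ip if ipaddress.ip_address(dst_ip) in subnet else gateway_ip


def _mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def _mac_text(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Encode Ethernet II + IPv4 + UDP around a syslog payload. Used here only
    to construct the sample input; the IP source is whatever the caller passes."""
    udp_hdr = struct.pack("!HHHH", SYSLOG_PORT, SYSLOG_PORT, 8 + len(payload), 0)  # checksum 0 = none
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(payload),
                         0x1234, 0x4000, 64, IPPROTO_UDP, 0,
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + udp_hdr + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the three headers, verify the IPv4 checksum, return the fields."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if ip[9] != IPPROTO_UDP:
        raise ValueError("not UDP")
    sport, dport, ulen, _ = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    return {
        "dst_mac": _mac_text(frame[:6]),
        "src_mac": _mac_text(frame[6:12]),
        "src_ip": str(ipaddress.ip_address(ip[12:16])),
        "dst_ip": str(ipaddress.ip_address(ip[16:20])),
        "sport": sport,
        "dport": dport,
        "payload": ip[ihl + 8:ihl + ulen],
    }


def mac_mismatch(parsed: dict, inventory: dict) -> bool:
    """Detection check for a capture on the forwarder's own segment: True when
    the IP source belongs (per inventory) to a host other than the one whose
    MAC sent the frame. A switch learns only MACs, so a spoofed packet creates
    no bridging-table conflict; this check is how you would notice one."""
    expected = inventory.get(parsed["src_ip"])
    return expected is not None and expected != parsed["src_mac"]


# Constructed topology: forwarder on 10.0.1.0/24, SIEM collector on another subnet.
FORWARDER_IP, FORWARDER_MAC = "10.0.1.20", "00:50:56:aa:bb:cc"
GATEWAY_IP, GATEWAY_MAC = "10.0.1.1", "00:11:22:33:44:55"
ORIGIN_IP, ORIGIN_MAC = "10.0.1.5", "00:aa:bb:cc:dd:ee"  # firewall whose event is relayed
COLLECTOR_IP = "192.168.50.10"
PAYLOAD = b"<34>Oct  7 09:44:00 fw01 constructed test event"
ARP_TABLE = {GATEWAY_IP: GATEWAY_MAC, ORIGIN_IP: ORIGIN_MAC}  # constructed ARP cache

# Off-subnet collector: the frame carries the gateway's MAC as Ethernet destination,
# the forwarder's own MAC as Ethernet source, and the origin's IP as IP source.
# A next hop missing from ARP_TABLE raises KeyError, the situation Kuz's error describes.
SAMPLE_FRAME = build_frame(
    dst_mac=ARP_TABLE[next_hop(COLLECTOR_IP, FORWARDER_IP, "255.255.255.0", GATEWAY_IP)],
    src_mac=FORWARDER_MAC, src_ip=ORIGIN_IP, dst_ip=COLLECTOR_IP, payload=PAYLOAD)

if __name__ == "__main__":
    fields = parse_frame(SAMPLE_FRAME)
    print(fields)
    print("IP/MAC mismatch:", mac_mismatch(fields, {ORIGIN_IP: ORIGIN_MAC}))
```

The `mac_mismatch` check only means something on the layer-2 segment the forwarder sits on; once the gateway rewrites the Ethernet header, the collector sees its own router's MAC and can no longer tell a relayed event from one sent directly by the firewall, which is exactly the point of the spoofing feature.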

snakethejake replied on Thu, Jul 30 2009 7:52 PM

I am having this same issue.  I have verified in the ARP table that the MAC for the Gateway is there and valid and have even added a static entry for the IP address and MAC of the other server.

In my case both the Kiwi Syslog server and the server I'm forwarding to are in VMs on ESX 3.5.  Anyone have any more ideas?  Syslog is a perfect candidate for virtualization and this would be really nice to have working since we use Kiwi as our central repository . . . . but then forwarding to other systems as needed is key.

Thanks.

Kuz (SolarWinds Employee) replied on Thu, Jul 30 2009 8:29 PM

Hi snakethejake,

We've recently discovered that this is a bug with Kiwi Syslog Server (that we don't have a workaround for currently).  The bug happens when Kiwi Syslog Server tries to determine the Gateway IP address for the selected adapter.  This call fails, and so the MAC address of the Gateway cannot be determined either.  It's something that we are aware of, and it is on the list of bugs to fix in a forthcoming release.

aliendan replied on Wed, Oct 7 2009 9:44 AM

This is a big bug. Is there any update to when this will be fixed?

© 2003 - 2010 SolarWinds, Inc. All Rights Reserved.