topic Re: Cluster Load sharing issue in Firewall and Security Management

Cluster Load sharing issue

VIKASH_GIRI — Fri, 20 Sep 2024 13:23:43 GMT

Hi,

I am using R81.20 with JHF-take 65 for my FW1 and FW2. I made cluster.

While enabling the Load balance , I am not able to reach global dns 8.8.8.8 from both Gateway.

on HA we are able to reach global dns.

Attached some snap for reference.

Cphaprob stat output

Ping global dns

Re: Cluster Load sharing issue

PhoneBoy — Fri, 20 Sep 2024 19:30:04 GMT

What do you see with a tcpdump when trying this?

Re: Cluster Load sharing issue

the_rock — Sat, 21 Sep 2024 00:29:40 GMT

We definitely need more info. As Phoneboy advised, run tcpdump, fw monitor, try ip r g 8.8.8.8. Can you also send us output of route command from expert mode?

What does traceroute show? Network unreachable is super generic error that can mean multiple things. Could be interface issue, default gateway problem, route.

Best,

Andy

Re: Cluster Load sharing issue

Chris_Atkinson — Sun, 22 Sep 2024 01:17:07 GMT

What switches do you have and how is the multicast/IGMP/arp config?

Re: Cluster Load sharing issue

the_rock — Sat, 21 Sep 2024 04:17:23 GMT

Valid point Chris.

Re: Cluster Load sharing issue

VIKASH_GIRI — Sat, 21 Sep 2024 07:19:01 GMT

i hvnt taken tcpdump , will post on Monday .

Re: Cluster Load sharing issue

VIKASH_GIRI — Sat, 21 Sep 2024 07:49:03 GMT

we are using Aruba core switches 8360V2 and we have configure MLAG. all VLAN configured on Core switches .

Gateway side we hv done the Bond configuration on both GW.

I hv attached my setup diagram below , also i forget to mention that i am using Ipsec blade and mobile blade

Re: Cluster Load sharing issue

the_rock — Sat, 21 Sep 2024 10:58:07 GMT

I have bunch of colleagues who deal with Aruba constantly (I personally dont as much), but I always hear them talk about igmp snooping. Maybe something you can verify if its enabled. Obviously, if you have multicast traffic on your network, that needs to be enabled, otherwise, probably not.

Andy

Re: Cluster Load sharing issue

Chris_Atkinson — Mon, 23 Sep 2024 09:59:29 GMT

I'm not sure the bonds are so relevant here but you can check to ensure the hashing mode aligns.

Per the sk article I referenced above Load-sharing cluster mode isn't compatible with all vendors switches, you may need to implement some changes.

Re: Cluster Load sharing issue

the_rock — Tue, 24 Sep 2024 04:42:48 GMT

Hey @VIKASH_GIRI

Were you able to get any traction on this issue?

Best,

Andy

Re: Cluster Load sharing issue

VIKASH_GIRI — Wed, 25 Sep 2024 07:49:53 GMT

HI,

Its running setup so not able to do any troubleshooting , i will get time on weekend only . will keep you posted.

Re: Cluster Load sharing issue

VIKASH_GIRI — Wed, 25 Sep 2024 07:57:19 GMT

Hi,

I hv one query ,i hv gone through some documents from checkpoint that Load sharing will not work when Ipsec and Mobile blade enable...is it true? or ?

Re: Cluster Load sharing issue

Chris_Atkinson — Wed, 25 Sep 2024 09:18:18 GMT

Please see sk101539 for more information, some limitations are version specific.

Also worth mentioning to keep an eye out for ElasticXL with R82 in terms of load-sharing capabilities.

Re: Cluster Load sharing issue

Timothy_Hall — Wed, 25 Sep 2024 13:32:56 GMT

Most L3 routers (not L2 switches) will refuse to cache a multicast MAC address received in an ARP reply so you will probably need to hardcode this on all L3 devices surrounding the gateway.

For your L2 switches, not all switches will handle multicast MAC addresses correctly, and will not consistently forward traffic bound for a multicast MAC to all the proper ports. Once again, hardcoding the multicast MACs at the switch level may be required. To summarize:

MULTICAST MACs = HARDCODING PAIN & SUFFERING

When taking your tcpdumps, make sure to include the -e option so you can see the Layer 2 MAC addresses.