topic Re: VSX configuration output interface in Firewall and Security Management

VSX configuration output interface

ahmed_bousta — Tue, 05 Mar 2019 10:53:20 GMT

output of interface vsx :

hello evry body

can someone explain to me why i have difference IP in output between the two commande in the same FW For the same interface alos

in the same CHASSIS

when i use show configuration i see this output for the interface eth3-01.403

set interface eth3-01.403 state on
set interface eth3-01.403 mtu 1500
set interface eth3-01.403 ipv4-address 192.168.196.66 mask-length 28

and when i use show interface eth3-01.403 i see the different IP .

show interface eth3-01.403
state on
mac-addr 00:4c:7f:85:c3:9c
type vlan
link-state not available
instance 35
mtu 1500
auto-negotiation Not configured
speed 10G (eth3-01)
ipv6-autoconfig Not configured
duplex full (eth3-01)
monitor-mode Not configured
link-speed Not configured
comments
ipv4-address 10.126.111.45/27
ipv6-address Not Configured

Re: VSX configuration output interface

Kaspars_Zibarts — Tue, 05 Mar 2019 12:10:35 GMT

192.168.196.0 is your internal communications network, see from VSX admin guide:

Internal Communication Network
The internal communication network is a virtual network that is required for ClusterXL environments, in addition to the synchronization network. The internal communication network is invisible to external networks and lets cluster members communicate and recognize the state of the environment.
VSX assigns an IP address to the internal communication network during the cluster creation process. This eliminates the need to manually assign an IP address to each cluster member:
IPv4 address: 192.168.196.0, netmask: 255.255.252.0 (A range of four class C networks).
IPv6 address and netmask: FD9A::1FFE:0:0:0/80
You can modify the default IP address using the Gateway Cluster Properties > Cluster Members page of the VSX cluster object, but only before creating Virtual Systems. Once Virtual Systems have been created, the IP range of the internal communication network cannot be modified.
Note: To avoid overlapping IP addresses, before creating any virtual devices, make sure the default IP address range of the Internal Communication network is not used anywhere else in the external network

so you shouldn't worry too much about it unless your own internal real networks overlap with that range

Re: VSX configuration output interface

ahmed_bousta — Tue, 05 Mar 2019 16:29:14 GMT

thank you but i can't ping from the Ip that in configuered on smartdashbord 10.126.111.105

when i ping the interface

ping 10.126.111.105
PING 10.126.111.105 (10.126.111.105) 56(84) bytes of data.
From 192.168.196.194 icmp_seq=2 Destination Host Unreachable
From 192.168.196.194 icmp_seq=3 Destination Host Unreachable
From 192.168.196.194 icmp_seq=4 Destination Host Unreachable
From 192.168.196.194 icmp_seq=6 Destination Host Unreachable

and on the smartview traker i see the 192.168.196.194 as source .

Re: VSX configuration output interface

Maarten_Sjouw — Tue, 05 Mar 2019 21:58:46 GMT

Is the machine you do the ping on the master for this VS, are you in the correct VS while doing this ping?

To find out which VSLS member each VS is active on you can run the following commands in expert:

vsenv 0

vsx stat -v

cphaprob stat

The vsx stat command will show you the names and VS number of each VS, cphaprob will show you the active / standby / backup state of each VS for each member in a cluster.

Re: VSX configuration output interface

Kaspars_Zibarts — Wed, 06 Mar 2019 08:50:10 GMT

Additionally source may be NATed to the real IP, we had a discussion before but didn't get to conclusion why does it sometimes use internal comms as a source and sometimes NATs it, here's an example from two different VSes with different results in the log

Re: VSX configuration output interface

Maarten_Sjouw — Wed, 06 Mar 2019 08:58:26 GMT

In this case the actual IP was shown in his ping response as that is the interface IP that reports the Host Unreachable:

From 192.168.196.194 icmp_seq=6 Destination Host Unreachable

What is even more confusing is that the range the interface is in does not comply with the network of the pinged host:

ipv4-address 10.126.111.45/27 and 10.126.111.105

So if they are not in the same network why does it try to access the host directly, this can only be when the host is on another interface than the interface mentioned, which also complies with the different IP that we see in the first post .66 and .196 in the ping post.

Re: VSX configuration output interface

ahmed_bousta — Wed, 06 Mar 2019 09:21:21 GMT

i'm in the correct VS . and i try to ping from both active/standby. but i can't ping the self interface from the vs

from outside i can ping the IP 10.126.111.105 .

but when i ping from vs i can't ping other equipements from the VS.

Re: VSX configuration output interface

Kaspars_Zibarts — Wed, 06 Mar 2019 09:41:06 GMT

You will need to supply full details Ahmed so we can see all IPs, errors etc

Re: VSX configuration output interface

ahmed_bousta — Wed, 06 Mar 2019 10:39:08 GMT

a take an exempl for the one vlan i have the same issue for all valn

as you can see on smartdashbord i can see this ip for this interface .

show interface eth3-01.405
state on
mac-addr 00:5c:7c:95:d5:2d
type vlan
link-state not available
instance 33
mtu 1500
auto-negotiation Not configured
speed 10G (eth3-01)
ipv6-autoconfig Not configured
duplex full (eth3-01)
monitor-mode Not configured
link-speed Not configured
comments
ipv4-address 10.126.111.12/27
ipv6-address Not Configured
ipv6-local-link-address Not Configured

______________

and for show configuration command i see

set interface eth3-01.405 mtu 1500
set interface eth3-01.405 ipv4-address 192.168.196.98 mask-length 28

--------
in my netwok i don't want this ip to be reacheable

ping 192.168.196.98
PING 192.168.196.98 (192.168.196.98) 56(84) bytes of data.
64 bytes from 192.168.196.98: icmp_seq=1 ttl=64 time=0.021 ms
64 bytes from 192.168.196.98: icmp_seq=2 ttl=64 time=0.010 ms
64 bytes from 192.168.196.98: icmp_seq=3 ttl=64 time=0.011 ms
64 bytes from 192.168.196.98: icmp_seq=4 ttl=64 time=0.011 ms

:33> ping 10.126.111.12
PING 10.126.111.12 (10.126.111.12) 56(84) bytes of data.
From 192.168.196.98 icmp_seq=2 Destination Host Unreachable
From 192.168.196.98 icmp_seq=3 Destination Host Unreachable

show route

-------------
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
U - Unreachable, i - Inactive

C 10.126.111.0/27 is directly connected, eth3-01.405

-------------

i can ping the reel ip fro outside

Re: VSX configuration output interface

Maarten_Sjouw — Wed, 06 Mar 2019 10:51:54 GMT

This is normal behavior, it is a virtual IP and cannot be pinged from the machine itself.

Re: VSX configuration output interface

ahmed_bousta — Wed, 06 Mar 2019 10:56:12 GMT

thank you very much i do same check for an other VS working fine and i see the same result we can't ping a virtual ip from the VS