topic Re: Traffic originating from standby VS fails to reach DNS in Firewall and Security Management

Traffic originating from standby VS fails to reach DNS

Kaspars_Zibarts — Thu, 11 Jun 2020 08:44:28 GMT

Have a peculiar problem after introducing Virtual Router on our VSX to interconnect most VSes on that cluster.

If traffic originates from a VS on the standby VSX and it needs to reach another VS (i.e. Identity Sharing on port 15105) or a service that's behind another VS (i.e. DNS for FQDN objects), it will stop dead in it's tracks at the standby VR - I'm assuming VR is not forwarding traffic as it is in standby state. Diagram below might help understanding the issue:

I'm not too sure if anyone else has seen it? And possibly found a solution. I tried to search SKs but did not find anything relevant.

Seems like obvious solution in HA VSX case, would be first forwarding packet from standby VS1 to active VS1, then routing it normally via active VSX. And when packet is returned to active VS1, it would forward it back to originating standby VS1. This way we would resolve both FQDN case and IA publishing.

Currently we have lots of domain alerts in logs from standby VSX:

as well as standby VS that's publishing IDs to other VSes is marked as "failed" in SmartConsole:

Re: Traffic originating from standby VS fails to reach DNS

Wolfgang — Thu, 11 Jun 2020 09:25:38 GMT

@Kaspars_Zibarts

I think the standby instance of the virtual-router on the standby VSX does nothing, did not forwarding any traffic.

This is following virtual-router is only supported with VSX-HA.

If something on the standby node needs to access something behind another VS, the traffic flow has to go over the virtual-router on the active node.

regards

Wolfgang

Re: Traffic originating from standby VS fails to reach DNS

Kaspars_Zibarts — Thu, 11 Jun 2020 10:04:47 GMT

Exactly! That was my question! 🙂 But how do you force a standby VS to communicate to active VR / VS?

Re: Traffic originating from standby VS fails to reach DNS

Wolfgang — Thu, 11 Jun 2020 11:40:23 GMT

@Kaspars_Zibarts are these DNS and PEP connections NATed behind the internal VSX-IP of the VS?

They should leave the system with the "real" IP of the VS. If I remember rightly there was a problem with PEP in ClusterXL and a wrong NAT for the physical node. Maybee the problem is the same here with VSX. But right now I can't found the sk 😞

Wolfgang

Re: Traffic originating from standby VS fails to reach DNS

Kaspars_Zibarts — Fri, 12 Jun 2020 06:52:27 GMT

No, NAT does happen correctly and no internal VSX IPs are used once traffic islis VS. Otherwise it would not work on active VSX either.

Re: Traffic originating from standby VS fails to reach DNS

Jan_Kleinhans — Fri, 03 Jul 2020 06:10:12 GMT

Hi.
Have you found a solution for this problem? We are not using Virtual Routers but have the same problem that the standby VSses cannot reach DNS or other destinations.
Are you using R80.40 ?

Best regards,

Jan

Re: Traffic originating from standby VS fails to reach DNS

Kaspars_Zibarts — Fri, 03 Jul 2020 11:20:33 GMT

Nope. We're on R80.30 T155. But the problem is only present when VR is in the path. Those VSes that have direct physical connection or via virtual switch work ok. So I believe you have uncovered totally different problem on R80.40

Re: Traffic originating from standby VS fails to reach DNS

Kaspars_Zibarts — Sun, 23 Aug 2020 22:32:14 GMT

Interestingly enough the issue was resolved after I installed T215 (from T155)! Not too sure if anyone was still interested, but here you go! 🙂