Uwe_Knoetsch
Participant

Incompatibility between CISCO ACI and VSX Cluster in ClusterXL Mode

Hello Community,

We have a two-member (13500) cluster with VSX in ClusterXL mode.

Every day at 16:10 there are various connection losses between systems that are connected to the Cisco ACI switch fabric and the virtual firewall or systems behind the firewall.

What we see: every day at 16:10 the VSX context on the standby member tries to make a connection to the domain controller (maybe this is part of the Identity Awareness process).

(screenshot attachment: FW-Log.jpg)

What I have tried:

Even when I send a ping from the standby member to a system behind the Cisco ACI, the ping goes out from the standby member with the cluster VIP of the active VSX member and the standby member's own MAC address. And that is a problem for the ACI fabric.

This is a dump of the ping from the standby VSX node to 172.27.100.243; the request goes out with the VSX cluster VIP.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond2.1062, link-type EN10MB (Ethernet), capture size 96 bytes
10:39:40.385678 IP 172.28.11.81 > 172.27.100.245: ICMP echo request, id 10002, seq 1, length 64
10:39:40.387316 IP 172.27.100.245 > 172.28.11.81: ICMP echo reply, id 10002, seq 1, length 64
10:39:40.491271 IP 172.27.100.245.56565 > 172.24.0.160.microsoft-ds: . ack 3496076707 win 63972 <nop,nop,sack 1 {0:1}>
10:39:41.384858 IP 172.28.11.81 > 172.27.100.245: ICMP echo request, id 10002, seq 2, length 64
10:39:41.386501 IP 172.27.100.245 > 172.28.11.81: ICMP echo reply, id 10002, seq 2, length 64
10:39:42.384879 IP 172.28.11.81 > 172.27.100.245: ICMP echo request, id 10002, seq 3, length 64
10:39:42.386521 IP 172.27.100.245 > 172.28.11.81: ICMP echo reply, id 10002, seq 3, length 64
10:39:42.506806 IP 172.27.100.245.56565 > 172.24.0.160.microsoft-ds: . ack 1 win 63972 <nop,nop,sack 1 {0:1}>
10:39:43.340163 IP 172.27.100.245 > 172.24.136.149: ICMP echo reply, id 29, seq 35061, length 40
10:39:43.360682 IP 172.27.100.245 > 172.24.136.149: ICMP echo reply, id 29, seq 35086, length 40
10:39:43.384916 IP 172.28.11.81 > 172.27.100.245: ICMP echo request, id 10002, seq 4, length 64
10:39:43.386552 IP 172.27.100.245 > 172.28.11.81: ICMP echo reply, id 10002, seq 4, length 64

The ACI fabric in conversational learning mode is confused that one IP address (the firewall VIP address) comes into the fabric with different MAC addresses on different ports. As a result the connections are disrupted. Whether the ACI fabric sends the return packets to side A (cluster member A) or side B (cluster member B), i.e. to the active or the standby member, is like a slot machine.

Does the community have any idea?

VMAC isn't an option; there is also a problem with it. See "VMAC Mode on R80.10" from Alexander_Wilke.
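The symptom described above (one IP, the cluster VIP, showing up behind two different source MACs on the fabric-facing interface) is easy to confirm from a capture taken with Ethernet headers, e.g. `tcpdump -e -n -i bond2.1062 host <VIP>` on each member. The following script is an added example and not part of the original post: it parses `tcpdump -e -n` style output and lists every source IP that was seen behind more than one source MAC. The sample lines and all MAC addresses in it are constructed for illustration and are not from the poster's capture; the VIP 172.28.11.81 is reused only to tie the example to the dump above.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -e -n` output (NOT from the original post; the MAC
# addresses are invented). It models the reported symptom: frames sourced from the
# cluster VIP 172.28.11.81 arrive with two different source MACs (lines 1 and 3),
# which is what ACI conversational learning cannot reconcile.
SAMPLE = """\
10:39:40.385678 00:1c:7f:00:00:0a > 00:50:56:ab:cd:01, ethertype IPv4 (0x0800), length 98: 172.28.11.81 > 172.27.100.245: ICMP echo request, id 10002, seq 1, length 64
10:39:40.387316 00:50:56:ab:cd:01 > 00:1c:7f:00:00:0a, ethertype IPv4 (0x0800), length 98: 172.27.100.245 > 172.28.11.81: ICMP echo reply, id 10002, seq 1, length 64
10:39:41.384858 00:1c:7f:00:00:0b > 00:50:56:ab:cd:01, ethertype IPv4 (0x0800), length 98: 172.28.11.81 > 172.27.100.245: ICMP echo request, id 10003, seq 1, length 64
10:39:42.100000 00:1c:7f:00:00:0a > 00:50:56:ab:cd:02, ethertype IPv4 (0x0800), length 74: 172.28.11.81.56565 > 172.24.0.160.445: Flags [.], ack 1, win 63972, length 0
"""

# One `tcpdump -e -n` line: timestamp, src MAC > dst MAC, ethertype, then the IP
# header summary. Ports, when present, are appended to the address with a dot.
LINE_RE = re.compile(
    r"^\S+\s+"                                          # timestamp
    r"(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "      # source MAC
    r"(?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), "       # destination MAC
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "         # source IP (+ optional .port)
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:",          # destination IP (+ optional .port)
    re.IGNORECASE,
)


def parse_frames(text):
    """Yield (src_mac, src_ip) for every IPv4 frame in tcpdump -e output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("smac").lower(), m.group("sip")


def ip_to_macs(text):
    """Map each source IP to the set of source MACs it was observed behind."""
    seen = defaultdict(set)
    for mac, ip in parse_frames(text):
        seen[ip].add(mac)
    return dict(seen)


def flapping_ips(text):
    """Return {ip: [mac, ...]} for IPs seen behind more than one source MAC.

    These are the IP/MAC bindings a fabric doing conversational learning
    will keep re-learning from alternating ports, which is the failure
    mode described in the post.
    """
    return {ip: sorted(macs) for ip, macs in ip_to_macs(text).items() if len(macs) > 1}


if __name__ == "__main__":
    for ip, macs in flapping_ips(SAMPLE).items():
        print(f"{ip} seen with {len(macs)} source MACs: {', '.join(macs)}")
```

To use it against a real capture, run `tcpdump -e -n -i <fabric-facing interface> host <VIP>` on each cluster member (or span the ACI-facing port) and feed the text to `flapping_ips`; an entry for the VIP with one MAC per cluster member confirms that the standby member is sourcing traffic from the VIP with its own physical MAC.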

7 Replies