Robert_Ellis1
Contributor

Cloudguard Cluster not receiving traffic

We are experiencing an issue with a HA Cloudguard Cluster

The cluster is in the standard, templated configuration

Traffic targeting the front-end Azure Load Balancer is never seen on either the active or non-active cluster member

For example, using this:

 fw monitor -e 'accept dport=8080;' 

on both cluster members, then sending packets to the front-end IP address of the front-end Load balancer on port 8080, we see absolutely no activity

We have a support ticket running and our support partner are making noises about a problem with the cluster-vip not following to the correct place when a failover occurs. CP are investigating, but the test above shows absolutely no traffic, even when the cluster-vip is associated with the active member VM.

We have Logging configured on every rule in the Access Policy; the test connections are never logged

Any ideas?

thanks

0 Kudos
2 Replies
Robert_Ellis1
Contributor

 

fw ctl zdebug -m cluster cloud on the active member 

@;11565788;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: sending reply to 168.63.129.16 on eth1 (2);
@;11565788;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: TCP flags 16 ACK ;
@;11565788;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: ignoring non SYN packet;
@...

@;11565821;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: ignoring non SYN packet;
@;11565835;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: TCP flags 17 ACK FIN ;
@;11565835;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: ignoring non SYN packet;
@;11565835;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: TCP flags 194 SYN ECE CWR ;
@;11565835;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: sending reply to 168.63.129.16 on eth1 (2);
@;11565835;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: TCP flags 16 ACK ;

fw ctl zdebug -m cluster cloud on the standby member

@;5652146;[cpu_1];[fw4_0];fwha_cloud_should_process_probe: not replying to cloud probing request in state STANDBY;
@;5652172;[cpu_1];[fw4_0];fwha_cloud_should_process_probe: not replying to cloud probing request in state STANDBY;
@;5652197;[cpu_1];[fw4_0];fwha_cloud_should_process_probe: not replying to cloud probing request in state STANDBY;
@;5652223;[cpu_1];[fw4_0];fwha_cloud_should_process_probe: not replying to cloud probing request in state STANDBY;
@;5652236;[cpu_1];[fw4_0];fwha_cloud_should_process_probe: not replying to cloud probing request in state STANDBY;
@;5652288;[cpu_1];[fw4_0];fwha_cloud_should_process_probe: not replying to cloud probing request in state STANDBY;

However, when I check the metrics of the front-end load balancer, the DATA PATH AVAILABILITY is consistently carrying a value of 100. Does this seem right?

0 Kudos
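
Added example (not part of the original posts, and not Check Point code): a small Python summarizer for `fw ctl zdebug -m cluster cloud` output in the format posted above, counting SYN probes, replies sent and standby skips so the two members can be compared. The sample lines are constructed in the same format as the output above, and the function names and verdict strings are assumptions.

```python
import re
from collections import Counter

# Standard TCP flag bits, lowest bit first (16 = ACK, 17 = ACK FIN, 194 = SYN ECE CWR).
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]
LINE_RE = re.compile(r"^@;(\d+);\[(cpu_\d+)\];\[(fw\d+_\d+)\];(\w+): (.*?);?\s*$")

ACTIVE = """\
@;100;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: TCP flags 194 SYN ECE CWR ;
@;100;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: sending reply to 168.63.129.16 on eth1 (2);
@;100;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: TCP flags 16 ACK ;
@;100;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: ignoring non SYN packet;
@;135;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: TCP flags 17 ACK FIN ;
@;135;[cpu_1];[fw4_0];fwha_handle_cloud_probe_request: ignoring non SYN packet;
"""  # constructed sample, active member
STANDBY = """\
@;200;[cpu_1];[fw4_0];fwha_cloud_should_process_probe: not replying to cloud probing request in state STANDBY;
@;226;[cpu_1];[fw4_0];fwha_cloud_should_process_probe: not replying to cloud probing request in state STANDBY;
"""  # constructed sample, standby member

def decode_flags(value):
    """Turn the numeric 'TCP flags N' value into a set of flag names."""
    return {name for bit, name in enumerate(TCP_FLAGS) if value & (1 << bit)}

def summarize(text):
    """Count probe SYNs, non-SYN segments, replies and standby skips."""
    counts, probers = Counter(), set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skips truncated lines such as '@...'
        msg = m.group(5)
        if msg.startswith("TCP flags "):
            flags = decode_flags(int(msg.split()[2]))
            is_syn = "SYN" in flags and "ACK" not in flags
            counts["syn" if is_syn else "non_syn"] += 1
        elif msg.startswith("sending reply to "):
            counts["replies"] += 1
            probers.add(msg.split()[3])  # address the reply was sent to
        elif "not replying" in msg and "STANDBY" in msg:
            counts["standby_skips"] += 1
    return counts, probers

def verdict(counts):
    """One-line state of a member as seen from its probe handling."""
    if counts["replies"]:
        return "answering probes"
    if counts["standby_skips"]:
        return "standby, not answering"
    return "no probe activity seen"
```
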
Vladimir
Champion

@Robert_Ellis1, apologies if I am not seeing the whole picture here (a simple diagram would be helpful), but is your load balancer supposed to forward inbound traffic coming in on 8080 to CP cluster members on 8080, or is the inbound traffic the load balancer is expecting supposed to be coming in on port 80?

0 Kudos