
Cluster Upgrade 77.30 to 80.20 with traffic handling problems

Hi @all,

 

Yesterday we tried to upgrade a cluster from 77.30 to 80.20.

The connectivity upgrade worked fine without any problems. After the upgrade, the web servers behind the cluster were not reachable from the Internet.

On the tcpdump we can see that the traffic reaches the firewall, but on fw monitor we cannot see any traffic being handled by the firewall.

Also, we don't see any drops in `fw ctl zdebug + drop`.

We also tried changing the NAT rules to automatic, but the problem still exists.

We have reverted to the prior version 77.30 and everything works fine again.

Does anyone have an idea?

5 Replies
Admin
Admin

Re: Cluster Upgrade 77.30 to 80.20 with traffic handling problems

Providing exactly what you saw on tcpdump and fw monitor might be helpful in answering your question.

Re: Cluster Upgrade 77.30 to 80.20 with traffic handling problems

Hi, I saw only the SYN packets in the tcpdump output.
There was nothing in the fw monitor output.

Re: Cluster Upgrade 77.30 to 80.20 with traffic handling problems

This problem was already identified a couple of weeks ago: all your inbound NAT is not working.
Before you do the upgrade, type 'fw ctl arp' and you will see that all your NATs have a MAC address. When you are done with the upgrade, do it again and you will see nothing.
Push policy 3 times in total to get them to show up again.
The problem exists in R80.20 and R80.30.
Regards, Maarten
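
The before/after comparison of 'fw ctl arp' described in the reply above can be scripted. This is an added example, not part of the reply and not Check Point tooling; it assumes each entry line carries the NAT IP in parentheses, and the sample lines and file names are constructed.

```shell
#!/bin/sh
# Compare two saved 'fw ctl arp' outputs (before and after the upgrade)
# and list the proxy-ARP IPs that are no longer published afterwards.
# Assumed entry format (constructed sample, not taken from the thread):
#   (203.0.113.10) at 00-1c-7f-aa-bb-01 interface 203.0.113.1
LC_ALL=C; export LC_ALL   # same collation for sort and comm

# Print the sorted, unique IPv4 addresses found in parentheses in file $1.
arp_ips() {
    sed -n 's/.*(\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\)).*/\1/p' "$1" | sort -u
}

# Print IPs present in the "before" file ($1) but absent from "after" ($2).
missing_after() {
    b=$(mktemp); a=$(mktemp)
    arp_ips "$1" > "$b"
    arp_ips "$2" > "$a"
    comm -23 "$b" "$a"
    rm -f "$b" "$a"
}

# Demo on constructed data: three NAT IPs before, only one after.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        ' (203.0.113.10) at 00-1c-7f-aa-bb-01 interface 203.0.113.1' \
        ' (203.0.113.11) at 00-1c-7f-aa-bb-01 interface 203.0.113.1' \
        ' (203.0.113.12) at 00-1c-7f-aa-bb-01 interface 203.0.113.1' \
        > "$d/before.txt"
    printf '%s\n' \
        ' (203.0.113.10) at 00-1c-7f-aa-bb-01 interface 203.0.113.1' \
        > "$d/after.txt"
    echo "Proxy-ARP entries missing after upgrade:"
    missing_after "$d/before.txt" "$d/after.txt"
    rm -rf "$d"
}
demo
```

On a gateway, the two input files would come from redirecting 'fw ctl arp' to a file before the upgrade and again after it; an empty result means every published NAT IP is still answered.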

Re: Cluster Upgrade 77.30 to 80.20 with traffic handling problems

I see the MAC address after the upgrade when I run 'fw ctl arp'.
Maybe it is an inbound NAT problem, and also with Take 91 the problem still exists.
Federico-M
Nickel

Re: Cluster Upgrade 77.30 to 80.20 with traffic handling problems

This happened to us twice, at different customers with different kinds of traffic; we solved it both times by installing JHF Take 87 or 91.

Also, the solution by Maarten is valid for Proxy ARP; just be sure to add or modify a Proxy ARP entry before pushing policies.

Regards,
