Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
KM1895
Participant

traffic to standby node is dropped by anti spoofing

 

hi,

 

i have a situation, where some traffic towards a standby node in a cluster is dropped by anti spoofing.

ICMP and SNMP is being dropped by anti spoofing,

The traffic is being sent over vpn, and there are about 10-15 other locations with this set up, and it works just fine there.

Not sure if this is a version bug, it is running r80.20 with no jumbo. Other locations are mainly r80.30 and .40, with a few r80.10 and r77.30.

 

fw ctl set int fwha_forw_packet_to_not_active has been set to 1 on both cluster members, and i can access the standby node on ssh without any issue, its just the other traffic being dropped. Traffic to the active node works just fine.

 

Has anyone seen anything similar before, and have any valuable input?

0 Kudos
3 Replies
PhoneBoy
Admin
Admin

Am I understanding correctly that ICMP from an IP is getting dropped on anti-spoofing but SSH from the same IP is allowed?
That sounds like a bug.
I would ensure you have the latest recommended Jumbo Hotfix first.
If the problem still persists, raise a TAC case.

KM1895
Participant

hi,

 

The icmp and snmp comes from the same address, and is dropped by antispoofing. The ssh is from another address, but that kinda proves the forward to not active parameter is working.

What i find really weird, is that i did some more troubleshooting today, and while the smartconsole logs clearly states antispoofing and drop, this never shows up on the cluster members when i do fw ctl zdebug drop on both of them.

 

Im starting to lean towards some kind of bug here, and we are in the planning process of doing an upgrade to R80.40, which will hopefully solve this issue.

0 Kudos
the_rock
Authority
Authority

Could you please attach a screenshot of the drop or output from fw ctl zdebug command? I think that would be helpful in trying to figure out why this is happening.

Andy

0 Kudos