Maestro return traffic dropped by other SGM

We have a strange issue where we have a server indirectly attached to a Maestro VSX environment and the VS has a host route for this host. Now when this host pings a specific host on the other side of the VS we see the traffic pass through, let's say, SGM 1_2, but we see the return traffic being dropped by SGM 1_4.

With SSH and RDP sessions, we sometimes see them completing and working, and about 30% of the time the return traffic is also dropped.

The weird thing is that this is only happening between these specific hosts.

Other sessions all seem to work just fine.

Version MHO: R80.20SP JHF 304

Version SGM: R80.30SP JHF 49

Distribution mode: Auto Topology/L4 enabled, however L4 disabled has also been tested, same result.

Regards, Maarten

What's the actual drop reason? No matching rule for return traffic? That is B -> A? It's been a couple of months since I touched the scalable platform and it was R76SP, but it feels like flow correction is failing for some reason? Can you manually calculate which SGMs are supposed to be involved? Not too sure though how it looks in R80.. 🙂

The ping reply was dropped with "no corresponding ICMP request", and for the other connections we get an out of state packet drop. We had the same idea that for some reason only for this specific pair the flow correction is just not working.

Regards, Maarten

On the environment you mentioned, I did a test where I only allowed 1 SGM to be active, meaning that I disabled all the other SGMs. The traffic was flowing fine without any problems! Once I enabled the other SGMs again, the errors came back.


An example error:

On SGM 1_3 an Echo Request came from server A to server B. In the same second an Echo Reply from server B to server A came from SGM 1_1 and was dropped because of the message "ICMP reply does not match a previous request".


When I changed the Distribution Mode from Auto Topology to Manual General, traffic was flowing fine and the issue was resolved.


Kind Regards,

Eamon Jones
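
The symptom reported above (request accepted on one SGM, reply dropped on a different SGM in the same second) can be checked for across a larger log export. The following Python correlator is an added example, not part of the thread and not Check Point tooling; the key=value record format, field names and addresses are constructed assumptions for the illustration.

```python
from collections import defaultdict

# Constructed sample records (NOT Check Point's log format): one line per
# packet decision, as might be exported from per-member accept/drop logs.
SAMPLE = """\
ts=100 sgm=1_3 src=10.0.0.5 dst=10.1.0.9 proto=icmp action=accept reason=-
ts=100 sgm=1_1 src=10.1.0.9 dst=10.0.0.5 proto=icmp action=drop reason=ICMP reply does not match a previous request
ts=130 sgm=1_2 src=10.0.0.5 dst=10.1.0.7 proto=tcp action=accept reason=-
ts=130 sgm=1_2 src=10.1.0.7 dst=10.0.0.5 proto=tcp action=accept reason=-
ts=140 sgm=1_4 src=10.0.0.8 dst=10.1.0.9 proto=tcp action=accept reason=-
ts=141 sgm=1_4 src=10.1.0.9 dst=10.0.0.8 proto=tcp action=drop reason=rulebase
"""

def parse(line):
    """Split a key=value record; 'reason' is last and may contain spaces."""
    head, _, reason = line.partition(" reason=")
    rec = dict(field.split("=", 1) for field in head.split())
    rec["reason"] = reason
    rec["ts"] = int(rec["ts"])
    return rec

def find_split_flows(text, window=2):
    """Return drops whose opposite direction was accepted on another member.

    Each finding is (client, server, accepting_sgm, dropping_sgm, reason).
    """
    accepted = defaultdict(list)  # (src, dst, proto) -> [(ts, sgm), ...]
    drops = []
    for rec in map(parse, text.strip().splitlines()):
        key = (rec["src"], rec["dst"], rec["proto"])
        if rec["action"] == "accept":
            accepted[key].append((rec["ts"], rec["sgm"]))
        elif rec["action"] == "drop":
            drops.append(rec)
    findings = []
    for d in drops:
        # The dropped packet is the return leg, so look up the forward leg.
        forward = accepted.get((d["dst"], d["src"], d["proto"]), [])
        for ts, sgm in forward:
            if sgm != d["sgm"] and abs(d["ts"] - ts) <= window:
                findings.append((d["dst"], d["src"], sgm, d["sgm"], d["reason"]))
                break
    return findings

if __name__ == "__main__":
    for f in find_split_flows(SAMPLE):
        print("forward on SGM %s, return dropped on SGM %s: %s -> %s (%s)"
              % (f[2], f[3], f[0], f[1], f[4]))
```

A drop on the same member that accepted the forward packet (the last pair in the sample) is not reported, since that points at policy rather than at distribution between members.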


Same issue here on R81 JHF 42.

We set up a new Maestro single-site environment with two 7000 appliances running in Active/Active mode.
Return packets are dropped, even in Active/Down mode via clusterXL_admin down.

Stopping the other SG member via cpstop temporarily fixes the issue.

  • Drop reason for SSH return packets:
    • action:Drop sport:443 ssh_version_2-Protocol-Signature
  • Drop reason for VPN return packets (separate 3rd party VPN server in a DMZ):
    • action:Drop sport:4500 snmp-Protocol-Signature

The drops seem to appear from the other member that is not correctly synced.

Load Balancing / Distribution mode is set to policy (Default).
The VPN symptoms only appear if we change distribution mode on the relevant interface to network (we are doing this because of other Maestro issues).

