I'm lab'ing up a 80.30 environment in VMWare with two CPs. I started with cluster config in HA mode.
I have a successful green cluster up as reported in UI and CLI (show cluster state/ show cluster members interfaces all). My VIP is responding as well, even when one shuts down.
However I notice these in my system logs and I'm confused:
(In this screenshot, gw-clstmembr-2 is my STANDBY)
The description says "Local Address spoofing"
The interface in question has Anti-Spoofing disabled.
There is also a rule allowing traffic from 10.1.171.0/24 to "gw-cluster" / Service ANY.
The "spoofing" element made me think this is connection tracking traffic however:
1) this is NOT the Sync interface. This is a cluster only interface. Another interface is handling sync.
2) Further google-fu showed tcp/8211 is "Connections between R80 Multi-Domain Security Management Server and Log Server"
... and I'm still confused. Is it trying to send log traffic? Why is it spoofed?