S_E_
Advisor

sk34180 - Outgoing connections from cluster members

Hi

Just wondering regarding sk34180, because we run into the issue in quite a lot of clusters (but not all).

Outgoing connections from cluster members are sent with cluster Virtual IP address instead of member's Physical IP address.
The only workaround seems to be to make the modification via GuiDBedit for every cluster. What an effort 😞 And you need to remember it as well when devices change.

 

But why is this behavior default? I do not understand the use case.


If something happened on a device, I would like to get an snmptrap from the 'broken real device' and not from the Cluster VIP.

I guess the same for services like smtp or "contract_util mgmt" as well

Regards

0 Kudos
3 Replies
the_rock
Legend

I can try this in the lab later, but it appears GuiDBedit is ONLY applicable for R77.30 and below, which no one runs any longer (well, I sure hope not lol).

For new versions, it lists this kernel parameter:

By default, the Cluster Hide and Fold is enabled (controlled via the attribute "perform_cluster_hide_fold" in Cluster Object in Security Management Server database).

Value of attribute perform_cluster_hide_fold in Cluster Object controls the following:

  • Whether outgoing connections from cluster members will be hidden behind Cluster Virtual IP address - i.e., sent with Source IP address of Cluster Virtual IP address, or sent with Source IP address of member's Physical IP address
  • Whether incoming connections sent to Cluster Virtual IP address will be folded to member's Physical IP address, or the Destination IP Address will remain as Cluster Virtual IP address.

Value of attribute | How connections are Hidden / Folded by Cluster

true ("1") (default):
  • Outgoing connections from cluster members will be sent with Source IP address of Cluster Virtual IP address (hidden behind Cluster VIP)
  • Incoming connections sent to Cluster Virtual IP address will be folded to member's Physical IP address (in case of VSX cluster, with Destination IP address that belongs to cluster Internal Communication Network)

false ("0"):
  • Outgoing connections from cluster members will be sent with Source IP address of member's Physical IP address (in case of VSX cluster, with Source IP address that belongs to cluster Internal Communication Network)
  • Incoming connections sent to Cluster Virtual IP address will not be folded to member's Physical IP address (the Destination IP Address will remain as Cluster Virtual IP address)

0 Kudos
S_E_
Advisor

Hi

Thanks

b.t.w.

We stumbled over the same issue. I guess the section for R77.30 is only referring to the database revision control. The SK is slightly misleading. They should state in the second section: For R80 or for all...

...

I can try this in the lab later, but it appears GuiDBedit is ONLY applicable for R77.30 and below, which no one runs any longer (well, I sure hope not lol)....

 

We checked on some devices (> R80.40) and the parameter is always true (default).

But I still do not understand the use case.

Is SNMP not used by others?

Regards

 

 

0 Kudos
the_rock
Legend

You are 100% right, I gave feedback on the sk.

Andy

0 Kudos
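
Added example (not part of the thread or of sk34180): a receiver-side audit in Python that applies the hide behaviour from the SK excerpt above to show which clusters still send traps from the Cluster VIP, where the failing member cannot be identified. The inventory, trap records and function names are constructed for illustration; the source IP only indicates what is consistent with the attribute value, it does not read the attribute itself.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory (documentation address ranges): cluster VIP and member physical IPs.
CLUSTERS = {
    "fw-cluster-a": {"vip": "192.0.2.1", "members": {"192.0.2.2": "fw-a1", "192.0.2.3": "fw-a2"}},
    "fw-cluster-b": {"vip": "198.51.100.1", "members": {"198.51.100.2": "fw-b1", "198.51.100.3": "fw-b2"}},
}

# Constructed trap-receiver records: (source IP seen by the receiver, trap text).
TRAPS = [
    ("192.0.2.1", "fan failure"),
    ("192.0.2.1", "disk space low"),
    ("198.51.100.3", "power supply down"),
    ("203.0.113.9", "link down"),
]

def build_index(clusters):
    """Map every known IP to (cluster, role, member name or None)."""
    index = {}
    for name, c in clusters.items():
        index[ipaddress.ip_address(c["vip"])] = (name, "vip", None)
        for ip, member in c["members"].items():
            index[ipaddress.ip_address(ip)] = (name, "member", member)
    return index

def audit(clusters, traps):
    """Classify traps by source and infer each cluster's observed hide behaviour."""
    index = build_index(clusters)
    seen = defaultdict(set)  # cluster -> roles observed as trap source
    rows = []
    for src, text in traps:
        cluster, role, member = index.get(ipaddress.ip_address(src), (None, "unknown", None))
        if cluster:
            seen[cluster].add(role)
        rows.append({"src": src, "trap": text, "cluster": cluster, "role": role, "member": member})
    verdict = {}
    for name in clusters:
        if "vip" in seen[name]:
            verdict[name] = "hidden behind VIP (consistent with perform_cluster_hide_fold true)"
        elif "member" in seen[name]:
            verdict[name] = "member physical IP (consistent with perform_cluster_hide_fold false)"
        else:
            verdict[name] = "no traps observed"
    return rows, verdict

if __name__ == "__main__":
    for item in audit(CLUSTERS, TRAPS):
        print(item)
```

Traps classified with role `vip` carry no member name, which is the gap described in the first post; rows with role `unknown` are sources missing from the inventory.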
