One for oldskool IPSO heads.
Migrating from a cluster of old IP appliances to newer IP appliance models running IPSO 6.2 and R77.30.
Manually built the configuration of the newer models including all Interfaces, ARPs, VRRP.
No changes to the configuration or software versions have been applied so the only difference should be the physical firewalls.
The process of cutting over:
Remove older cluster NIC cable
Plug network NIC cables in to newer
Reset SIC on both devices
Push policy
The process work great apart from one issue.
Remote access clients which are given a Office Mode IP, authenticated correctly but after 16 seconds, receive 'reconnecting...' status which times outs and does not reconnected.
Attempting the again we get the same issues, authentication successful and then 16 secs 'reconnecting...'
I have been able to replicate this in a LAB (running Gaia) and believe I have resolved it by adding the Office Mode IP range as a static route out of the external interface.
Please note the live cluster (older models) does not have this route, however, when I receive netstat -rn or review the forwarding table with remote users connecting I can see indevidual host routes created as each user connects.
Whereas Voyager - Monitor > Route only shows me connected and static routes (not individual host routes, netstat> [IP of Office Mode host] unkn 30 [Default Gateway] dest 871 70 eth1c0).
I feel that there is something like a missing kernel parameter which injects this host routes.
Please also note there is not a summarised route for the office mode IP which would require a more specific route to the external. So the office mode should be hitting the Default gateway (external route).
Can anyone please confirm why is this route needed on my new cluster and not on the current older?
why are the host routes not dynamically created on the new newer cluster?