Hi,
I have 2 physical VSX boxes, and 1 box (VSX2) is down and waiting for RMA. So all VSs are active in box 1 (VSX1).
I have one issue: there are 2 source servers (a.b.c.d = Server 1 and e.f.g.h = Server 2) and the same one destination = i.j.k.l with port = 443. Here one source server (a.b.c.d), when trying to access destination = i.j.k.l with port 1636, is unsuccessful, and one source server = e.f.g.h, when trying to access dst: i.j.k.l with port 1636, is successful. We are getting the logs in the firewall from both the source servers from the same rule in "Logs and monitor", but when I run tcpdump for the unsuccessful source server (a.b.c.d) to dst: i.j.k.l with icmp in box 1 (VSX1), we are getting only the echo reply packet from i.j.k.l > a.b.c.d.
The only difference is that when we run traceroute from source = a.b.c.d (unsuccessful) to destination = i.j.k.l, the 1st hop is the switch (different box - Nexus SW1); after that it is dropping, where the next hop is the firewall interface cluster IP. And when we run traceroute from source = e.f.g.h (successful) to destination = i.j.k.l, it covers the whole path (1st hop is the switch, different box - Nexus SW2; from the switch the next hop is the same firewall interface cluster IP).
1. Checked the route from the source servers to dst: i.j.k.l; both point to the same next hop.
2. Checked the reverse route also, from i.j.k.l to (a.b.c.d) & (e.f.g.h); both are the same.
3. Checked the route from the switch boxes (SW1 and SW2); both point to the same next hop IP, i.e. the cluster IP of the interface of the Check Point FW.
4. The destination server is on a connected interface.
5. The source servers are pingable from the firewall's particular VS.
6. Source server (a.b.c.d) is not able to ping destination (i.j.k.l), but source server (e.f.g.h) is able to ping dst: i.j.k.l.
7. The same rule is present in the firewall for both the source servers to dst with icmp and port 1636.
8. The 2nd box of the firewall went down just around the time the issue started.
9. Sometimes when running the kernel debug command we found "instance is fully utilized", and box CPU is reaching like fwk6 - 88-90% and fwk5 (70% = all communication is going through this VS 5).
Does anyone have any idea? Please suggest!