Suspecting cluster issue

Mastering Compliance
Unveiling the power of Compliance Blade

WATCH NOW

SASE Masters:
Deploying Harmony SASE for a 6,000-Strong Workforce
in a Single Weekend

May the 4th (+4)
Navigating Paradigm Shifts in Cyber

CPX 2024 Content
is Here!

Get What You Need

Harmony SaaS
The most advanced prevention
for SaaS-based threats

LEARN MORE

CheckMates Go:
CPX 2024 Recap

LISTEN NOW

Create a Post

Hi ,

I have 2 physical vsx box and 1 box (VSX2) is down and waiting for RMA . So all VSs are ative in box 1 (VSX1) .

I have one issue there are 2 source servers (a.b.c.d = Server 1 and e.f.g.h = Server 2) and same one destination = i.j.k.l with port = 443 . Here one source server (a.b.c.d) when trying to access destination = i.j.k.l with port 1636 (unsuccess) and one source server =

e.f.g.h when trying to access dst : i.j.k.l with port 1636 (success) . We are getting the logs in firewall from both the source servers

from same rule in "Logs and monitor" but when i run tcpdump for unsuccess source server (a.b.c.d) to dst : i.j.k.l with icmp

in box 1 (VSX1) we are getting only echo reply packet from i.j.k.l > a.b.c.d .

The only difference is that when we run traceroute from source = a.b.c.d(unsuccess) to destination = i.j.k.l 1st hop is switch (different box - Nexus SW1

after that it is dropping which next hop is firewall interface cluster ip ) and when we run traceroute from source = e.f.g.h(success) to destination = i.j.k.l (it covers all path 1st hop is switch different box - Nexxus SW2 from switch next hop is same firewall interface cluster ip).

1. Checked the route from the source servers to dst : i.j.k.l point to same next hop .

2. Check the reverse route also from i.j.k.l to (a.b.c.d) & (e.f.g.h) both are same .

3. Checked the route from the switch boxes (SW1 and SW2) point to same next hop ip i.e (cluster ip of interface of checkpoint fw)

4. Destination server is connected interface.

5. Source servers are able to pingable from firewalls particular VS

6. Source server (a.b.c.d) is not able to ping destination (i.j.k.l) but source server (e.f.g.h ) is able to ping dst : 1.j.k.l .

7. Same rule is present in firewall for both the source servers to dst with icmp and 1636 port.

8. 2nd box of Firewall got down just nearly the issue started .

9. Some time when run debug command of kernel found "instance is fully utilized " and box cpu is reaching like fwk6 - 88-90%

and fwk5 (70% = all communication is going through this VS 5).

Does anyone have any idea pls suggest !