Have a peculiar problem after introducing Virtual Router on our VSX to interconnect most VSes on that cluster.
If traffic originates from a VS on the standby VSX and it needs to reach another VS (i.e. Identity Sharing on port 15105) or a service that's behind another VS (i.e. DNS for FQDN objects), it will stop dead in it's tracks at the standby VR - I'm assuming VR is not forwarding traffic as it is in standby state. Diagram below might help understanding the issue:
I'm not too sure if anyone else has seen it? And possibly found a solution. I tried to search SKs but did not find anything relevant.
Seems like obvious solution in HA VSX case, would be first forwarding packet from standby VS1 to active VS1, then routing it normally via active VSX. And when packet is returned to active VS1, it would forward it back to originating standby VS1. This way we would resolve both FQDN case and IA publishing.
Currently we have lots of domain alerts in logs from standby VSX:
as well as standby VS that's publishing IDs to other VSes is marked as "failed" in SmartConsole:
| User | Count |
|---|---|
| 14 | |
| 10 | |
| 8 | |
| 6 | |
| 5 | |
| 5 | |
| 3 | |
| 3 | |
| 3 | |
| 3 |
Thu 25 Apr 2024 @ 11:00 AM (CEST)
CheckMates in Russian - Возможности и риски искусственного интеллектаThu 25 Apr 2024 @ 11:00 AM (CEST)
CheckMates in Russian - Возможности и риски искусственного интеллектаThu 02 May 2024 @ 10:00 AM (CEST)
CheckMates Live BeLux: How Can Check Point AI Copilot Assist You?
