dphonovation
Collaborator

Traffic to secondary member of ClusterXL is dropped using VxLan

I have the following:

<Site1 ClusterXL> <---------Site2Site IpSec Tunnel ------------> <Site 2 ClusterXL>

Member1-Site1: 10.10.171.2/24          Member1-Site2: 10.20.171.2/24
Member2-Site2: 10.10.171.3/24          Member2-Site2: 10.20.171.3/24
VIP: 10.10.171.1                       VIP: 10.20.171.1

Site 2 Site Tunnel 1 Encryption Domain: 10.11.171.0/24. Site1 has a Cluster VIP here of 10.11.171.1

Site 2 Site Tunnel 2 Encryption Domain: 10.12.171.0/24. Site2 has a Cluster VIP here of 10.12.171.1

 

 

 

Across that IPSEC tunnel I have a Check Point native VxLan interface pointed back at the opposite cluster:

Member1-Site1: 172.31.0.2/29           Member1-Site1: 172.31.0.5/29
Member1-Site1: 172.31.0.3/29           Member2-Site2: 172.31.0.6/29
VxLan VIP Site1: 172.31.0.1            VxLan VIP Site2: 172.31.0.4
Remote addr: 10.12.171.1               Remote addr: 10.11.171.1

I then have a route from Site1: route 10.20.171.0/24 via 172.31.0.4

And a route from Site2 back: route 10.10.171.0/24 via 172.31.0.1

This works perfectly. I can reach all hosts on 10.10.171.0/24 or 10.20.171.0/24 from either side - except for traffic headed to the standby member in the ClusterXL on the destination net.

Can anyone shed light on why this might be the case?