StackCap43382
Participant

vsec Standby Connectivity Issue After r80.40 Upgrade

Hi All,

An Azure VSEC cluster has been upgraded to r80.40 and we are not able to failover between members.

Checking connectivity, we are unable to resolve DNS or reach any external entity from the standby.

Further investigations show the standby using the sync (eth1) to send it via primary.
The primary is then sending the connection out its public (eth0) and folding behind the cluster address.

Response traffic is being folded back to the correct IP but then routed out of eth0 and oblivion.

Internal Interface: Eth1
External Interface: Eth0
Sync link: Eth1

fwha_forw_packet_to_not_active=0
fwha_cluster_hide_active_only = 1
fwha_silent_standby_mode = 0

SKs:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Before I shove more ports into table.def, anyone else seen this?

 

3 Replies
Data_Center
Explorer

Hi,
Can you kindly share the output of '$FWDIR/scripts/azure_ha_test.py' from both members (active & standby)?

Thanks,

Noy

StackCap43382
Participant

The fix: eth0 was not configured as SYNC+Cluster in the cluster object, so the Standby was black-holing return traffic pivoting via the Active.

Data_Center
Explorer

Great,

thanks for the update.
