Participant

Suspecting cluster issue

Hi,

I have 2 physical VSX boxes, and 1 box (VSX2) is down and waiting for RMA. So all VSs are active in box 1 (VSX1).

I have one issue: there are 2 source servers (a.b.c.d = Server 1 and e.f.g.h = Server 2) and the same one destination = i.j.k.l with port = 443. Here one source server (a.b.c.d), when trying to access destination = i.j.k.l with port 1636, is unsuccessful, and one source server = e.f.g.h, when trying to access dst: i.j.k.l with port 1636, is successful. We are getting the logs in the firewall from both the source servers from the same rule in "Logs and Monitor", but when I run tcpdump for the unsuccessful source server (a.b.c.d) to dst: i.j.k.l with ICMP in box 1 (VSX1), we are getting only the echo reply packet from i.j.k.l > a.b.c.d.

The only difference is that when we run traceroute from source = a.b.c.d (unsuccessful) to destination = i.j.k.l, the 1st hop is a switch (different box - Nexus SW1); after that it is dropping, where the next hop is the firewall interface cluster IP. And when we run traceroute from source = e.f.g.h (successful) to destination = i.j.k.l, it covers the whole path (1st hop is a switch, different box - Nexus SW2; from the switch the next hop is the same firewall interface cluster IP).

1. Checked the route from the source servers to dst: i.j.k.l; both point to the same next hop.

2. Checked the reverse route also, from i.j.k.l to (a.b.c.d) & (e.f.g.h); both are the same.

3. Checked the route from the switch boxes (SW1 and SW2); both point to the same next hop IP, i.e. the cluster IP of the interface of the Check Point FW.

4. The destination server is on a connected interface.

5. The source servers are pingable from the firewall's particular VS.

6. Source server (a.b.c.d) is not able to ping destination (i.j.k.l), but source server (e.f.g.h) is able to ping dst: i.j.k.l.

7. The same rule is present in the firewall for both the source servers to dst with ICMP and port 1636.

8. The 2nd box of the firewall went down just around the time the issue started.

9. Sometimes when running the kernel debug command we found "instance is fully utilized", and box CPU is reaching fwk6 - 88-90% and fwk5 (70% = all communication is going through this VS 5).

Does anyone have any idea? Please suggest!
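The telling symptom in the post is that the capture on VSX1 shows only ICMP echo replies from i.j.k.l towards a.b.c.d and never the echo requests, while the e.f.g.h flow shows both directions. The following script is an added example (not from the poster or from Check Point) that automates that check: it parses `tcpdump -n` ICMP lines and reports client/server pairs for which the capture point saw replies but no matching request, i.e. flows whose forward path is bypassing the box where the capture was taken. The sample capture is constructed; 10.1.1.10, 10.2.2.20 and 10.9.9.90 stand in for a.b.c.d, e.f.g.h and i.j.k.l.

```python
import re
from collections import defaultdict

# Constructed sample in "tcpdump -n icmp" format (not captured from the poster's firewall).
# 10.1.1.10 stands in for a.b.c.d (failing), 10.2.2.20 for e.f.g.h (working),
# 10.9.9.90 for the destination i.j.k.l.
SAMPLE_TCPDUMP = """\
10:00:01.000100 IP 10.2.2.20 > 10.9.9.90: ICMP echo request, id 41, seq 1, length 64
10:00:01.000300 IP 10.9.9.90 > 10.2.2.20: ICMP echo reply, id 41, seq 1, length 64
10:00:02.000100 IP 10.2.2.20 > 10.9.9.90: ICMP echo request, id 41, seq 2, length 64
10:00:02.000300 IP 10.9.9.90 > 10.2.2.20: ICMP echo reply, id 41, seq 2, length 64
10:00:03.000500 IP 10.9.9.90 > 10.1.1.10: ICMP echo reply, id 77, seq 1, length 64
10:00:04.000500 IP 10.9.9.90 > 10.1.1.10: ICMP echo reply, id 77, seq 2, length 64
"""

# One tcpdump line: timestamp, "IP src > dst:", then the ICMP echo type, id and seq.
ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(text):
    """Yield (kind, (client, server, id, seq)) for every echo line.

    The key is normalised to the echo-request direction, so a request and the
    reply that answers it share the same key regardless of packet direction.
    """
    for line in text.splitlines():
        m = ICMP_RE.match(line)
        if not m:
            continue
        if m["kind"] == "request":
            client, server = m["src"], m["dst"]
        else:
            client, server = m["dst"], m["src"]
        yield m["kind"], (client, server, int(m["id"]), int(m["seq"]))


def classify_flows(text):
    """Per (client, server) pair: requests seen, replies seen, and replies for
    which no request with the same id/seq appears anywhere in the capture."""
    records = list(parse_icmp(text))
    requests = {key for kind, key in records if kind == "request"}
    seen = defaultdict(lambda: {"requests": 0, "replies": 0, "reply_only": 0})
    for kind, key in records:
        flow = (key[0], key[1])
        if kind == "request":
            seen[flow]["requests"] += 1
        else:
            seen[flow]["replies"] += 1
            if key not in requests:
                seen[flow]["reply_only"] += 1
    return dict(seen)


def asymmetric_clients(text):
    """Clients whose echo requests never crossed this capture point although
    the replies did: the forward path is not going through this box."""
    return sorted(client for (client, _server), stats in classify_flows(text).items()
                  if stats["requests"] == 0 and stats["replies"] > 0)


if __name__ == "__main__":
    for flow, stats in classify_flows(SAMPLE_TCPDUMP).items():
        print(flow, stats)
    print("reply-only clients:", asymmetric_clients(SAMPLE_TCPDUMP))
```

Run it against a saved `tcpdump -n icmp` text file (for example by reading the file into `classify_flows`) from the VS interface facing the servers; a client listed by `asymmetric_clients` is exactly the situation the poster describes, and points the investigation at whatever on the client side is answering for, or routing around, the firewall rather than at the rulebase.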
Champion

Contact TAC - VSX is far from easily configurable, and VSLS (which I assume you are using) even more...

Participant

Hi,
The problem has been solved. The issue was occurring due to duplicate IPs configured in 2 VMs; after giving a free IP to one VM, the issue was resolved.
Thanks! Sorry for the inconvenience.
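The root cause in the reply above, two VMs configured with the same IP, explains the one-directional capture: whichever VM won the ARP race received the traffic, so the firewall saw the server's replies but not the other VM's requests. An added example (not from the poster or from Check Point) of a check that surfaces this condition directly: it parses `tcpdump -n -e arp` output and reports any IP that more than one MAC address has claimed in an ARP reply. The sample lines are constructed; 10.1.1.10 again stands in for a.b.c.d, and the MAC addresses are made up.

```python
import re
from collections import defaultdict

# Constructed output in "tcpdump -n -e arp" format (not from the poster's network).
# 10.1.1.10 stands in for a.b.c.d; the two MACs claiming it are made-up VM addresses.
SAMPLE_ARP = """\
10:00:01.000100 00:50:56:aa:00:01 > 00:1c:7f:00:00:01, ethertype ARP (0x0806), length 60: Reply 10.1.1.10 is-at 00:50:56:aa:00:01, length 46
10:00:01.000400 00:50:56:bb:00:02 > 00:1c:7f:00:00:01, ethertype ARP (0x0806), length 60: Reply 10.1.1.10 is-at 00:50:56:bb:00:02, length 46
10:00:02.000100 00:50:56:cc:00:03 > 00:1c:7f:00:00:01, ethertype ARP (0x0806), length 60: Reply 10.2.2.20 is-at 00:50:56:cc:00:03, length 46
10:00:03.000100 00:50:56:aa:00:01 > 00:1c:7f:00:00:01, ethertype ARP (0x0806), length 60: Reply 10.1.1.10 is-at 00:50:56:aa:00:01, length 46
"""

# Only the "Reply <ip> is-at <mac>" part of the line matters for this check.
ARP_REPLY_RE = re.compile(r"Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-fA-F:]{17})")


def arp_bindings(text):
    """Map each IP seen in an ARP reply to the set of MACs that claimed it."""
    bindings = defaultdict(set)
    for line in text.splitlines():
        m = ARP_REPLY_RE.search(line)
        if m:
            bindings[m["ip"]].add(m["mac"].lower())
    return dict(bindings)


def duplicate_ips(text):
    """IPs claimed by more than one MAC: a duplicate-address condition.

    Returns {ip: [mac, ...]} sorted so the output is stable for comparison.
    """
    return {ip: sorted(macs)
            for ip, macs in arp_bindings(text).items()
            if len(macs) > 1}


if __name__ == "__main__":
    dups = duplicate_ips(SAMPLE_ARP)
    if not dups:
        print("no duplicate IPs seen in ARP replies")
    for ip, macs in dups.items():
        print(f"{ip} is claimed by {len(macs)} MACs: {', '.join(macs)}")
```

Capture for a few minutes on the firewall interface facing the servers (or on the switch's SPAN port) and feed the text to `duplicate_ips`; a single IP with two MACs is the signature of the condition described in the reply. A one-off snapshot of the ARP table will not show it, because the table only ever holds the most recent winner.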