I'm trying to figure out a strange case when we are able to catch traffic towards VSX internal subnet in different part of network.
I have a VSX VSLS cluster. Multiple virtual systems are connected to the same virtual switch, which is connected to normal network terminated by router. Router has default route out and here we can see the bottleneck. I can see traffic following traffic 0.0.0.0 -> 192.168.196.96 (UDP) 8116 going out of my network via that router.
I started to search why. According is the source IP 0.0.0.0 fine for CCP traffic because it does not care about it. However, I am confused from the destination. I use Internal VSX cluster network 192.168.196.0/22 which is default setup. If I check the interface configurations in CLISH I can see that was divided to /28 networks for the interfaces and some internal IPs were assigned there (multiple times for same interfaces, but it is correct according sk110345 - Identical IP addresses from VSX "Internal Communication Network" are assigned to interfaces that belong to different Virtual Systems).
So I expected to see communication of CCP on broadcast or particular addresses but I see it towards 192.168.196.96 – which is /28 subnet IP and not assigned to particular interface. There are send FWHA_MY_STATE messages there for example. Funny thing is that this traffic blocking stealth rule in the policy.
I found the same results on multiple all my VSX clusters on R77.30 and on one running on R77.10. Therefore, it seems to be regular thing. All clusters are fully synchronized and fine.
Do you know why is it communicate this way? I was not able to find it anywhere. You can see FW monitor result from one of clusters in attachment.
P.S. – I’ll ask support of course as well.