The cluster code drops packets that SecureXL forwarded on the Medium path (PSL, QoS, VPN accelerated packets).
Flow of events:
- The first packet from Client to Server is always forwarded by SecureXL to the FireWall.
- Since Virtual MAC (VMAC) mode is enabled, the packet's destination MAC address is changed.
SecureXL SIM debug ('sim dbg -m drv + pkt routing') would show:
;[cpu_N];[SIM...]dst mac: 00:1c:7f:YY:YY:YY <--> src mac: XX:XX:XX:XX:XX:XX;
- The packet undergoes full inspection.
- If the connection is accepted, the FireWall offloads this connection (as accepted) to SecureXL.
- The return traffic from Server to Client is processed by SecureXL.
- If the involved packet must go through the Medium path (PXL/QoS/VPN), then SecureXL must forward it to the FireWall.
Since Virtual MAC (VMAC) mode is enabled, the packet's source MAC address is changed.
SecureXL SIM debug ('sim dbg -m drv + pkt routing') would show:
;[cpu_N];[SIM...]dst mac: XX:XX:XX:XX:XX:XX <--> src mac: 00:1c:7f:ZZ:ZZ:ZZ;
- The cluster code drops this packet because the internal destination MAC address does not match the VMAC address of the incoming interface.
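
To spot this pattern in a saved copy of the debug output, the two line shapes shown above can be told apart by which side carries the 00:1c:7f prefix. This is an added example, not Check Point code; it assumes the debug was saved as text in the format shown above, and the function names and sample MAC values are constructed for illustration.

```python
import re
from collections import Counter

# Prefix carried by the rewritten (VMAC) addresses in the debug output shown above.
VMAC_PREFIX = "00:1c:7f"
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
PAIR_RE = re.compile(
    rf"\[cpu_(?P<cpu>\d+)\].*?dst mac:\s*(?P<dst>{MAC})\s*<-->\s*src mac:\s*(?P<src>{MAC})",
    re.IGNORECASE,
)

def classify(line):
    """Return (cpu, label, dst, src) for a routing debug line, or None if it has no MAC pair."""
    m = PAIR_RE.search(line)
    if m is None:
        return None
    dst, src = m["dst"].lower(), m["src"].lower()
    dst_vmac, src_vmac = dst.startswith(VMAC_PREFIX), src.startswith(VMAC_PREFIX)
    if src_vmac and not dst_vmac:
        label = "src-rewritten"   # return packet handed to FireWall: the drop case
    elif dst_vmac and not src_vmac:
        label = "dst-rewritten"   # first packet, Client to Server
    elif dst_vmac and src_vmac:
        label = "both-vmac"
    else:
        label = "no-vmac"
    return int(m["cpu"]), label, dst, src

def summarize(lines):
    """Count labels and collect the source VMACs seen on drop-candidate lines."""
    counts, drop_vmacs = Counter(), set()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        counts[hit[1]] += 1
        if hit[1] == "src-rewritten":
            drop_vmacs.add(hit[3])
    return counts, sorted(drop_vmacs)

# Constructed sample lines in the format shown above (MAC values are made up).
SAMPLE = [
    ";[cpu_1];[SIM...]dst mac: 00:1c:7f:00:00:01 <--> src mac: 00:50:56:aa:bb:01;",
    ";[cpu_2];[SIM...]dst mac: 00:50:56:aa:bb:02 <--> src mac: 00:1c:7f:00:00:02;",
    ";[cpu_2];[SIM...]dst mac: 00:50:56:AA:BB:02 <--> src mac: 00:1C:7F:00:00:02;",
    ";[cpu_0];[SIM...]some other routing message;",
]
```

A non-zero `src-rewritten` count means the capture contains packets of the kind the cluster code drops in this scenario; the returned VMAC list shows which rewritten source addresses were involved.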