Unable to establish SIC with the peer member on a Full HA cluster
Symptoms
  • "Failed to connect to Security Gateway" error when attempting to establish SIC with the peer cluster member in Full HA cluster.

  • Kernel debug ('fw ctl debug -m fw + drop') on cluster members shows that TCP traffic between cluster members is dropped:
    fw_log_drop: Packet proto=6 IP_Address_of_Member_A:Source_Port -> IP_Address_of_Member_B:Destination_Port dropped by fw_cluster_ttl_anti_spoofing Reason: ttl check drop

  • At least one of the cluster members already has policy installed on it.

Cause

There is at least one Layer 3 networking device (router) between the Management interfaces of the two cluster members.

When one cluster member sends reply packets to the other across that router, and Extended Cluster Anti-Spoofing is enabled, the replies are dropped as spoofed: each router hop decrements the TTL, so the packets arrive with a TTL lower than 255 while their Source IP address belongs to a cluster member, which the check treats as impossible for genuine member-to-member traffic.
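The following is an added illustration, not Check Point's code: a simplified model of the TTL check described in the Cause section (packets sourced from a cluster member's own IP address are accepted only when they still carry TTL 255), a helper that shows what one router hop does to the TTL, and a parser for the `fw ctl debug -m fw + drop` lines in the Symptoms section that counts how many drops came from `fw_cluster_ttl_anti_spoofing`. The sample debug lines, the RFC 5737 addresses and the use of port 18211 (the SIC/CPD port) are constructed for the example; the `;[cpu_N];[fw4_N];` prefix is an assumption about the debug line format and is tolerated rather than required by the parser.

```python
"""Model of cluster TTL anti-spoofing and a parser for kernel debug drop lines.

Added example, not Check Point's implementation: the verdict logic is a
simplified model of the behaviour the article describes, not the kernel code.
"""
import re
from ipaddress import ip_address
from typing import Optional

CLUSTER_TTL = 255  # cluster members send member-to-member traffic with TTL 255

# Constructed sample addresses (RFC 5737) for the two Full HA cluster members.
MEMBER_IPS = ("192.0.2.1", "192.0.2.130")

# Matches the drop line format quoted in the Symptoms section. re.search is
# used so an assumed ';[cpu_N];[fw4_N];' prefix does not break the match.
DROP_RE = re.compile(
    r"fw_log_drop: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<module>\S+) Reason: (?P<reason>[^;]+?)\s*;?$"
)


def parse_drop_line(line: str) -> Optional[dict]:
    """Return the fields of one fw_log_drop line, or None if it is not one."""
    m = DROP_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("proto", "sport", "dport"):
        fields[key] = int(fields[key])
    fields["reason"] = fields["reason"].strip()
    return fields


def is_ttl_anti_spoof_drop(line: str) -> bool:
    """True when the line is a drop by fw_cluster_ttl_anti_spoofing for 'ttl check drop'."""
    d = parse_drop_line(line)
    return bool(
        d
        and d["module"] == "fw_cluster_ttl_anti_spoofing"
        and d["reason"] == "ttl check drop"
    )


def count_ttl_drops(debug_output: str) -> int:
    """Count TTL anti-spoofing drops in a blob of kernel debug output."""
    return sum(is_ttl_anti_spoof_drop(ln) for ln in debug_output.splitlines())


def simulate_path(ttl: int, router_hops: int) -> int:
    """Each Layer 3 hop decrements the TTL by one; returns the arriving TTL."""
    return ttl - router_hops


def ttl_anti_spoofing_verdict(src_ip: str, ttl: int, member_ips=MEMBER_IPS) -> str:
    """Simplified model of Extended Cluster Anti-Spoofing.

    A packet whose source is one of the cluster members' own addresses must
    arrive with TTL 255. A lower TTL means it crossed a router (or is spoofed
    from elsewhere), so it is dropped. Other sources are not subject to the check.
    """
    members = {ip_address(ip) for ip in member_ips}
    if ip_address(src_ip) in members and ttl < CLUSTER_TTL:
        return "drop: ttl check drop"
    return "accept"


# Constructed sample of 'fw ctl debug -m fw + drop' output: one TTL anti-spoofing
# drop on the SIC port between the members, and one unrelated drop.
SAMPLE_DEBUG = """\
;[cpu_1];[fw4_0];fw_log_drop: Packet proto=6 192.0.2.1:45002 -> 192.0.2.130:18211 dropped by fw_cluster_ttl_anti_spoofing Reason: ttl check drop;
;[cpu_1];[fw4_0];fw_log_drop: Packet proto=17 198.51.100.7:5353 -> 192.0.2.1:53 dropped by fw_handle_first_packet Reason: Rulebase drop;
"""


if __name__ == "__main__":
    # Direct Layer 2 path: TTL arrives intact and the reply is accepted.
    print(ttl_anti_spoofing_verdict(MEMBER_IPS[0], simulate_path(CLUSTER_TTL, 0)))
    # One router between the Management interfaces: TTL 254, reply is dropped.
    print(ttl_anti_spoofing_verdict(MEMBER_IPS[0], simulate_path(CLUSTER_TTL, 1)))
    print("TTL anti-spoofing drops in sample debug:", count_ttl_drops(SAMPLE_DEBUG))
```

Running the script prints `accept` for the zero-hop path, `drop: ttl check drop` once a single router sits between the members, and a count of 1 for the constructed debug sample; feeding real `fw ctl debug` output to `count_ttl_drops` gives a quick way to confirm that the SIC failure is this drop and not a rulebase or routing problem.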


Solution