Traffic from a Virtual System in VSX Cluster to Security Management Server is dropped with "Local interface address spoofing" log
Platform / Model: Gaia, SecurePlatform 2.6
SmartView Tracker logs show that traffic sent from a Virtual System (in VSX Cluster) to Security Management Server is dropped with "Local interface address spoofing".
Traffic capture on the Virtual System and on the VSX Cluster Member shows that traffic from the Virtual System is sent with a Source IP address that belongs to the cluster Internal Communication Network (known as the "Funny IP").
Kernel debug on the Virtual System ('fw ctl debug -m fw + xlate') shows that the connection from the Virtual System to the Security Management Server is sent with a Source IP address that belongs to the cluster Internal Communication Network, without being NATed behind the IP address of the VSX Cluster:
fw_xlate_ha_match_epilog: destination is a MGMT machine. not performing cluster hide;
There are several scenarios that can cause this traffic drop:
The VSX Cluster is configured with a Non-Dedicated Management Interface, and the Virtual System tries to communicate directly with the Security Management Server.
Refer to VSX Administration Guide (R75.40VS, R76, R77, R80.20):
Chapter "VSX Architecture and Concepts" - section "Management Interface" - sub-section "Non-Dedicated Management Interface"
VSX supports non-DMI deployments primarily to provide backward compatibility with legacy deployments. When configuring a non-DMI deployment, you can define remote management connections only via a Virtual Switch or Virtual Router. Remote management connections via a Virtual System are not supported.
The routing architecture of the environment causes the traffic from the VS towards the Management Server to pass through a different VS, and that VS drops the traffic.
Example of the traffic flow:
VS1 --> Router --> VS2 --> Router --> Management server.
In the above example, the traffic from VS1 leaves with the internal IP of VS1 as its source; once it arrives at VS2, it is dropped with "Local interface address spoofing".
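As an added illustration of this second scenario (example code, not part of the SK), a small Python model of the behaviour described above: a VS keeps its Funny IP when the destination is the Management Server because cluster hide is skipped, and a VS elsewhere on the path drops a packet whose source belongs to the cluster internal communication network. The topology, the addresses and the 192.0.2.0/24 internal network are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumed, not taken from the SK). The VSX cluster
# internal communication ("Funny IP") network is assumed to be 192.0.2.0/24.
FUNNY_NET = ip_network("192.0.2.0/24")
CLUSTER_HIDE_IP = ip_address("172.16.0.1")   # VSX Cluster IP used for cluster hide
MGMT_IP = ip_address("10.10.10.5")           # Security Management Server
OTHER_HOST_IP = ip_address("10.20.0.9")      # an ordinary host, for comparison
FUNNY_IP = {"VS1": ip_address("192.0.2.11"), "VS2": ip_address("192.0.2.12")}


def egress_source(vs, dst):
    """Source IP a Virtual System uses for a connection it initiates.

    Per the kernel debug quoted on the page ("destination is a MGMT machine.
    not performing cluster hide"), traffic to the Management Server keeps the
    Funny IP; everything else is hidden behind the VSX Cluster IP.
    """
    return FUNNY_IP[vs] if dst == MGMT_IP else CLUSTER_HIDE_IP


def antispoof_verdict(src):
    """Simplified anti-spoofing at a VS receiving the packet on a regular
    interface: a source from the internal communication network is treated
    as spoofing of a local interface address."""
    if src in FUNNY_NET:
        return "DROP: Local interface address spoofing"
    return "ACCEPT"


def trace(path, dst):
    """Walk the hops after the originating VS. Routers and the destination just
    forward; each VS applies anti-spoofing. Returns the chosen source and the
    per-hop verdicts, stopping at the first drop."""
    src = egress_source(path[0], dst)
    verdicts = []
    for hop in path[1:]:
        verdict = antispoof_verdict(src) if hop in FUNNY_IP else "FORWARD"
        verdicts.append((hop, verdict))
        if verdict.startswith("DROP"):
            break
    return src, verdicts


if __name__ == "__main__":
    # The flow from the SK: VS1 --> Router --> VS2 --> Router --> Management server
    print(trace(["VS1", "Router", "VS2", "Router", "MGMT"], MGMT_IP))   # dropped at VS2
    # Same path towards an ordinary host: cluster hide applies and VS2 accepts
    print(trace(["VS1", "Router", "VS2", "Router", "HOST"], OTHER_HOST_IP))
```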