Outgoing connections from Virtual System in VSX cluster are sent with source IP address that belongs to cluster Internal Communication Network instead of cluster Virtual IP address
Traffic capture on Virtual System in VSX cluster shows that outgoing connections are sent with source IP address that belongs to cluster Internal Communication Network (SmartDashboard - open VSX cluster object - go to "Cluster Members" pane - refer to section "Cluster members internal communication network") instead of cluster Virtual IP address.
Kernel debug ('fw ctl debug -m fw + conn vm nat xlate xltrc') on Virtual System in VSX cluster shows for the affected connections:
;fw_xlate_find_all_matches: Found no matching rules for conn < dir 1, Internal_Source_IP:Source_Port -> Dest_IP:Dest_Port IPP N>:;
;fw_xlate_ha_match_epilog: ha NAT not enabled. not performing cluster hide;
;fw_xlate_match_epilog: no special NAT;
;fw_xlate_match: no match found;
;fwx_get_xlation: no translation: flags: 8;
;fw_xlate_new_conn: no conn translation buffer for conn < dir 1, Internal_Source_IP:Source_Port -> Dest_IP:Dest_Port IPP N>;
Kernel debug on VSX cluster members during a policy installation ('fw ctl debug -m fw + filter') shows that value of attribute perform_cluster_hide_fold is set to "0" - i.e., "false" (refer to sk34180).
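The following Python script is an added example, not part of the original article and not Check Point code. It scans a saved kernel debug file for the signature quoted above and lists the connections for which cluster hide was skipped, marking whether each source address lies inside the cluster Internal Communication Network. The sample text, the addresses, the 192.0.2.0/24 network and the function name unhidden_connections are constructed for illustration; pairing lines by order assumes the lines of one NAT lookup are not interleaved with those of another, and only IPv4 tuples are parsed.

```python
import ipaddress
import re

# Connection tuple as printed in the debug lines quoted above:
#   conn < dir 1, SRC:SPORT -> DST:DPORT IPP N>
CONN_RE = re.compile(
    r"fw_xlate_find_all_matches: Found no matching rules for conn "
    r"<\s*dir (\d+), ([\d.]+):(\d+) -> ([\d.]+):(\d+) IPP (\d+)>")
NO_HIDE = "fw_xlate_ha_match_epilog: ha NAT not enabled. not performing cluster hide"

# Constructed sample (documentation addresses), not output from a real gateway.
# Line 1 is an orphan (capture started mid-lookup); the last lookup is cut off.
SAMPLE_DEBUG = """\
;fw_xlate_ha_match_epilog: ha NAT not enabled. not performing cluster hide;
;fw_xlate_find_all_matches: Found no matching rules for conn < dir 1, 192.0.2.2:40112 -> 198.51.100.9:443 IPP 6>:;
;fw_xlate_ha_match_epilog: ha NAT not enabled. not performing cluster hide;
;fw_xlate_match_epilog: no special NAT;
;fw_xlate_match: no match found;
;fwx_get_xlation: no translation: flags: 8;
;fw_xlate_new_conn: no conn translation buffer for conn < dir 1, 192.0.2.2:40112 -> 198.51.100.9:443 IPP 6>;
;fw_xlate_find_all_matches: Found no matching rules for conn < dir 1, 192.0.2.3:53011 -> 203.0.113.53:53 IPP 17>:;
;fw_xlate_ha_match_epilog: ha NAT not enabled. not performing cluster hide;
;fw_xlate_find_all_matches: Found no matching rules for conn < dir 1, 192.0.2.3:53012 -> 203.0.113.53:53 IPP 17>:;
"""


def unhidden_connections(debug_text, internal_net):
    """Return connections that skipped cluster hide, tagged with whether the
    source address lies inside the given Internal Communication Network."""
    net = ipaddress.ip_network(internal_net)
    pending, found = None, []
    for line in debug_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            pending = m.groups()      # start of a new NAT lookup
        elif NO_HIDE in line and pending:
            _, src, sport, dst, dport, ipp = pending
            found.append({
                "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport), "ipp": int(ipp),
                "src_in_internal_net": ipaddress.ip_address(src) in net,
            })
            pending = None            # report each connection once
    return found


if __name__ == "__main__":
    for conn in unhidden_connections(SAMPLE_DEBUG, "192.0.2.0/24"):
        print(conn)
```

Pass the network configured under "Cluster members internal communication network" as the second argument; entries with src_in_internal_net set to True are the connections leaving with an internal address as described above.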
Cause
Value of attribute "perform_cluster_hide_fold" in the object of involved Virtual System is set to "false".
Value of attribute perform_cluster_hide_fold in Cluster Object controls the following:
Whether outgoing connections from cluster members will be hidden behind Cluster Virtual IP address - i.e., sent with Source IP address of Cluster Virtual IP address, or sent with Source IP address of member's Physical IP address
Whether incoming connections sent to Cluster Virtual IP address will be folded to member's Physical IP address, or the Destination IP Address will remain as Cluster Virtual IP address.
How connections are Hidden / Folded by Cluster, by value of attribute:

Value of attribute: true ("1") (default)
  Outgoing connections from cluster members will be sent with Source IP address of Cluster Virtual IP address (hidden behind Cluster VIP)
  Incoming connections sent to Cluster Virtual IP address will be folded to member's Physical IP address (in case of VSX cluster, with Destination IP address that belongs to cluster Internal Communication Network)

Value of attribute: false ("0")
  Outgoing connections from cluster members will be sent with Source IP address of member's Physical IP address (in case of VSX cluster, with Source IP address that belongs to cluster Internal Communication Network)
  Incoming connections sent to Cluster Virtual IP address will not be folded to member's Physical IP address (the Destination IP Address will remain as Cluster Virtual IP address)