Updates For Anti-Virus/Anti-Bot/Application Control/URL Filtering blades are not working on standby ClusterXL member
Symptoms
  • Updates For Anti-Virus/Anti-Bot/Application Control/URL Filtering blades are not working on standby ClusterXL member.
  • Kernel debug with drop flag (fw ctl zdebug + drop) on active Cluster member shows the following drop:
    dropped by fwpslglue_chain Reason: PSL Reject: failover occurred and connection is marked for reject;
  • The "fwha_forw_packet_to_not_active" kernel parameter is set to "1" as described in sk97587, but the issue is still present.
  • sk43807 cannot be applied because only the VIP is public, while the physical IP addresses of the cluster members are private.
Cause

Environment: Failover Behavior for IPS blade is set to "Prefer Security".

IPS information for most protocols is not synced between the members. For this reason, if a failover occurs, it is more secure to drop the connection than to keep it.

In other words, when a failover happens between the members, the new active member does not have the data that the IPS engine has collected so far about the connection. Suppose, for example, that an attack on a certain connection is divided into 4 packets, and 3 of them were accepted on the first active member. If a failover occurs at this point, the new active member will not have the data of the first 3 packets and will receive only the 4th packet. Hence it is more secure to terminate the connection than to keep it alive.
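
To check whether the drops seen on the active member are the failover reject described above and which destinations they hit, saved "fw ctl zdebug + drop" output can be tallied per destination. This is an added example, not part of the original article or of Check Point tooling; the line layout around the reason string and all sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: tally "PSL Reject: failover" drops per destination from
# saved `fw ctl zdebug + drop` output.
# Assumption: each drop line has the form "... <src>:<port> -> <dst>:<port> dropped by ...".
# Only the fwpslglue_chain reason text is taken from the article.

# Constructed sample lines (not captured from a real gateway).
sample_debug_output() {
cat <<'EOF'
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 10.1.1.2:40112 -> 203.0.113.10:443 dropped by fwpslglue_chain Reason: PSL Reject: failover occurred and connection is marked for reject;
;[cpu_2];[fw4_1];fw_log_drop_ex: Packet proto=6 10.1.1.2:40113 -> 203.0.113.10:443 dropped by fwpslglue_chain Reason: PSL Reject: failover occurred and connection is marked for reject;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 10.1.1.9:51000 -> 198.51.100.7:80 dropped by fwpslglue_chain Reason: PSL Reject: failover occurred and connection is marked for reject;
;[cpu_0];[fw4_2];fw_log_drop_ex: Packet proto=17 10.1.1.5:5353 -> 192.0.2.53:53 dropped by example_chain Reason: unrelated constructed drop;
EOF
}

# Reads debug output on stdin; prints "<count> <dst_ip>:<dst_port>",
# highest count first. Lines with any other drop reason are ignored.
count_failover_rejects() {
    awk '
        /dropped by fwpslglue_chain/ &&
        /PSL Reject: failover occurred and connection is marked for reject/ {
            # The destination is the field that follows the "->" separator.
            for (i = 1; i < NF; i++)
                if ($i == "->") { hits[$(i + 1)]++; break }
        }
        END { for (d in hits) print hits[d], d }
    ' | sort -k1,1nr -k2,2
}

# Reads debug output on stdin; prints the total number of failover rejects.
total_failover_rejects() {
    awk '/PSL Reject: failover occurred and connection is marked for reject/ { n++ }
         END { print n + 0 }'
}

# Stand-alone run over the constructed sample.
sample_debug_output | count_failover_rejects
```

A destination that keeps appearing in this tally after a failover is one whose connections were opened on the previous active member and are being rejected by the new one.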


Solution