60000 / 40000 Appliances - VPN traffic is dropped with "fwha_pkt_is_forwarded_from_other_member, drop;" when VPN Sticky SA is enabled
Symptoms
  • VPN traffic does not pass through a 60000 / 40000 Appliance when VPN Sticky SA is enabled.

  • Cluster kernel debug ('fw ctl debug -m cluster + vpn') shows:

    ;fwha_vpn_sticky_tunnel_df_forwarding: enc needed for this packet (chain 0x...);
    ;fwha_vpn_get_tunnel_zone: got zone XXX for local_src_ip IP_of_LOCAL_INTERFACE (ifn ...);
    ;fwha_vpn_sticky_tunnel_add_lookup_entry: adding vpn correction entry for <dir 0, SOURCE_IP:SOURCE_PORT -> DEST_IP:DEST_PORT IPP 6> member_id=YYY;
    ;fwha_vpn_sticky_tunnel_df_forwarding: forwarding packet to blade ZZZ;
    ;fwha_vpn_sticky_tunnel_df_forwarding: fwha_pkt_is_forwarded_from_other_member, drop;
    ;fw_log_drop_ex: Packet proto=6 SOURCE_IP:SOURCE_PORT -> DEST_IP:DEST_PORT dropped by fwha_vpn_sticky_tunnel_fwd_chain_h Reason: fwha vpn forwarding failure;
Cause

Chain of events:

  1. VPN traffic arrives at blade (SGM) "A", which is not the blade selected by the OSP decision function.
  2. The OSP decision function reroutes the traffic to a different blade, SGM "B".
  3. Later in packet processing, it is determined that blade SGM "A" holds the Sticky SA for this traffic.
  4. However, by current design, VPN Sticky SA cannot forward traffic that was already forwarded from another blade (this prevents forwarding loops).
  5. As a result, the traffic is dropped.
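To triage this drop quickly from a kernel debug capture, the following added Python script (not part of the SecureKnowledge article or any Check Point tool) parses the 'fw ctl debug -m cluster + vpn' lines shown above, extracts the flow, the member_id recorded in the VPN correction entry, the blade the packet was forwarded to, and the drop reason, and flags the sequence that matches this issue. The debug text embedded in the script is a constructed sample with placeholder addresses and ids.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of 'fw ctl debug -m cluster + vpn' output for this drop.
# Addresses, ports, zone, member and blade ids are placeholders, not real values.
SAMPLE_DEBUG = """\
;fwha_vpn_sticky_tunnel_df_forwarding: enc needed for this packet (chain 0x1a);
;fwha_vpn_get_tunnel_zone: got zone 1 for local_src_ip 192.0.2.10 (ifn 4);
;fwha_vpn_sticky_tunnel_add_lookup_entry: adding vpn correction entry for <dir 0, 10.0.0.5:51000 -> 10.0.1.7:443 IPP 6> member_id=2;
;fwha_vpn_sticky_tunnel_df_forwarding: forwarding packet to blade 3;
;fwha_vpn_sticky_tunnel_df_forwarding: fwha_pkt_is_forwarded_from_other_member, drop;
;fw_log_drop_ex: Packet proto=6 10.0.0.5:51000 -> 10.0.1.7:443 dropped by fwha_vpn_sticky_tunnel_fwd_chain_h Reason: fwha vpn forwarding failure;
"""

@dataclass
class StickySaDiagnosis:
    flow: Optional[str] = None               # "SRC:PORT -> DST:PORT" from the correction entry
    correction_member: Optional[str] = None  # member_id recorded in the VPN correction entry
    forwarded_to_blade: Optional[str] = None # blade the sticky forwarding chose
    already_forwarded_drop: bool = False     # loop-prevention check fired
    drop_reason: Optional[str] = None        # Reason field of fw_log_drop_ex

    @property
    def matches_known_issue(self) -> bool:
        """True when the capture shows the Sticky SA loop-prevention drop from this article."""
        return self.already_forwarded_drop and self.drop_reason == "fwha vpn forwarding failure"

# Patterns follow the debug line shapes quoted in the Symptoms section.
_ENTRY = re.compile(r"adding vpn correction entry for <dir \d+, (?P<flow>\S+ -> \S+) IPP \d+> member_id=(?P<member>\w+)")
_FWD = re.compile(r"forwarding packet to blade (?P<blade>\w+)")
_LOOP = re.compile(r"fwha_pkt_is_forwarded_from_other_member, drop")
_DROP = re.compile(r"fw_log_drop_ex: .* dropped by fwha_vpn_sticky_tunnel_fwd_chain_h Reason: (?P<reason>[^;]+)")

def diagnose(debug_text: str) -> StickySaDiagnosis:
    """Walk the debug lines in order and collect the forwarding path and drop verdict."""
    d = StickySaDiagnosis()
    for raw in debug_text.splitlines():
        line = raw.strip().strip(";")  # debug lines are wrapped in leading/trailing ';'
        if m := _ENTRY.search(line):
            d.flow, d.correction_member = m["flow"], m["member"]
        elif m := _FWD.search(line):
            d.forwarded_to_blade = m["blade"]
        elif _LOOP.search(line):
            d.already_forwarded_drop = True
        elif m := _DROP.search(line):
            d.drop_reason = m["reason"].strip()
    return d

if __name__ == "__main__":
    print(diagnose(SAMPLE_DEBUG))
```

Feed it the real capture (for example, `diagnose(open("debug.txt").read())`) and check `matches_known_issue`; a drop logged by a different chain or with another reason is reported as not matching.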

Solution