In VSX cluster with VMAC mode, traffic does not pass through VSX Cluster members if SecureXL is enabled
Symptoms
  • With SecureXL enabled, traffic does not pass from Virtual Router to Virtual System in the following VSX member topology:

    Network_1 - [(VR)-(VS)] - Network_2
    SecureXL is enabled on both Virtual Router (VR) and on Virtual System (VS).

  • SmartView Tracker does not show any related drops and VMAC mode is enabled per sk50840.

  • Cluster kernel debug (fw ctl debug -vs VSID -m cluster + select) on the Active VSX cluster member shows:

    FW-1: fwha_select_ip_packet: Packet with vmac address which is not belonging to ifn IF IF_NAME (IF_NUMBER - vmac - VMAC_ADDRESS) - dropping packet;
Cause

SecureXL does not modify the Source and Destination MAC addresses of the packet when it is moved from Virtual Router to Virtual System ("warp jump"). As a result, the Virtual System clustering code drops the packet because the packet's MAC addresses do not belong to this Virtual System.

PPACK is not, and does not need to be, aware of VMAC. The wrp interface connected to the Virtual Router does not have a MAC address because it is a loopback device, so the cluster code should skip the VMAC check in such cases.
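
To confirm this symptom in saved cluster debug output, the following added example (not part of the original article and not Check Point tooling) counts the fwha_select_ip_packet VMAC drops per interface and marks wrp interfaces. The sample lines are constructed from the message template quoted under Symptoms; the exact layout of the interface fields and the function names are assumptions.

```python
import re
from collections import Counter

# Matches the drop message quoted under Symptoms. The layout of the interface
# fields (name, number, VMAC) follows the article's template and is an assumption.
VMAC_DROP = re.compile(
    r"fwha_select_ip_packet: Packet with vmac address which is not belonging to ifn\s+"
    r"(?P<ifdesc>.*?)\s*\((?P<ifnum>[^\s)]+) - vmac - (?P<vmac>[^)]+?)\s*\)\s*- dropping packet"
)

def parse_vmac_drops(lines):
    """Return one dict per VMAC drop message found in the debug output."""
    drops = []
    for line in lines:
        m = VMAC_DROP.search(line)
        if not m:
            continue
        ifdesc = m.group("ifdesc").split()
        drops.append({
            "ifname": ifdesc[-1] if ifdesc else "?",  # last token before "("
            "ifnum": m.group("ifnum"),
            "vmac": m.group("vmac").lower(),
        })
    return drops

def summarize(drops):
    """Count drops per (interface, VMAC), most frequent first; flag wrp interfaces."""
    counts = Counter((d["ifname"], d["vmac"]) for d in drops)
    return [
        {"ifname": i, "vmac": v, "count": n, "warp": i.startswith("wrp")}
        for (i, v), n in counts.most_common()
    ]

# Constructed sample debug output (not captured from a real system);
# MAC addresses are from the documentation range 00:00:5E:00:53:xx.
SAMPLE = """\
FW-1: fwha_select_ip_packet: Packet with vmac address which is not belonging to ifn IF wrp128 (5 - vmac - 00:00:5E:00:53:01) - dropping packet;
FW-1: fwha_select_ip_packet: unrelated cluster debug line;
FW-1: fwha_select_ip_packet: Packet with vmac address which is not belonging to ifn IF wrp128 (5 - vmac - 00:00:5E:00:53:01) - dropping packet;
FW-1: fwha_select_ip_packet: Packet with vmac address which is not belonging to ifn IF eth2 (3 - vmac - 00:00:5E:00:53:02) - dropping packet;
""".splitlines()

if __name__ == "__main__":
    for row in summarize(parse_vmac_drops(SAMPLE)):
        tag = "warp interface" if row["warp"] else "other interface"
        print(f'{row["ifname"]:8} {row["vmac"]} drops={row["count"]} ({tag})')
```

A high count on a wrp interface while SmartView Tracker shows no drops matches the symptom pattern described above.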

