Support Center > Search Results > SecureKnowledge Details
Missing dynamic object configuration on ClusterXL standby member causes outage after failover
Symptoms
  • After failover, newly elected active ClusterXL member stops processing traffic.
  • In kernel debug (fw ctl zdebud + drop), traffic is getting dropped by dynamic object rule (any/dynamic > dynamic/any drop).
  • Dynamic routing (OSPF and BGP) neighborship with peers is not formed anymore.
  • zdebug drop might show below drop dropped by fw_first_packet_xlation Reason: Dynamic object is already being resolved
Cause

Dynamic object was defined on the Security Mangement server and policy was installed.
But, the IP range was defined only on the ClusterXL active member.
As soon as the cluster fails over, the traffic starts to drop.


Solution
Note: To view this solution you need to Sign In .