Traffic distribution inconsistency between Orchestrators and Security Gateways
Symptoms
  • TCP out of state drops:
    • TCP packets are dropped on "First packet isn't SYN".
    • TCP state violation.
  • UDP packets are dropped because they were not matched on a rule-base accept rule.
  • Traffic latency.
Cause

Root Cause # 1

The Trunk interface, which was introduced in Jumbo Hotfix Accumulator Take 178, is only supported in the "General with L4 enabled" distribution mode.

However, the distribution mode was configured to auto-topology (per-port), or L4 distribution mode was disabled.

To validate this root cause, check the following. If all of the conditions below apply, proceed to the solution for Root Cause # 1.

    1. Verify that the Trunk interface is configured:
      1. On the Orchestrator's WebUI, a non-VLAN interface is attached to the Security Group (e.g., eth2-51 instead of eth2-51.3009).
      2. On the Orchestrator, uplink trunk mode is enabled. Run the following in Expert mode:

         # jsont -f /etc/maestro.json -g /uplink_trunk_mode/state
         enabled

         (If it is disabled, the output is "disabled" or "key doesn't exist".)
      3. On the Gateway (gclish/WebUI), VLAN interfaces are configured (e.g., eth2-51.3009).

    2. Verify that the Distribution configuration on the Gateway is not "General with L4 enabled". Run the following commands via the Gateway gclish:
      1. show distribution configuration
      2. show distribution l4-mode

Root Cause # 2

Interface distribution mode is not identical on the Orchestrator and on the Gateways.

To confirm that there is a traffic distribution mismatch, do the following:

    1. Verify that the Distribution configuration on the Gateway is not "General with L4 enabled". Run the following commands via the Gateway gclish:
      1. show distribution configuration
      2. show distribution l4-mode
    2. Verify that the Distribution configuration on one of the Orchestrator's interfaces is General L4 ('sym_l4' in the configuration file). On the Orchestrator, run the following in Expert mode:

         # cat /etc/mlx_conf.json | grep sym_l4 | head -n1
         "hash_type" : "sym_l4"

       If sym_l4 appears, one of the interfaces is configured with General L4.

Note: Only interfaces which belong to the Firewall policy are relevant.
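
The checks for both root causes, folded into one triage script as an added example (not code from this SK article or from Check Point): feed it the captured command outputs and it reports which root cause the article's conditions point to. The gclish output wording it matches ("general", "enabled") and the sample JSON are constructed assumptions; the WebUI interface checks remain manual.

```sh
#!/bin/sh
# Added example, not from the SK article: applies both root-cause checks above to
# captured command output so the decision logic can be exercised offline. Inputs are
# the raw text of "jsont -f /etc/maestro.json -g /uplink_trunk_mode/state" and of
# /etc/mlx_conf.json (Orchestrator, Expert mode), plus "show distribution configuration"
# and "show distribution l4-mode" (Gateway gclish). The gclish wording matched below is
# an assumption; the WebUI checks (non-VLAN vs VLAN interfaces) are still done by hand.

# $1 = "show distribution configuration" output, $2 = "show distribution l4-mode" output
gateway_is_general_l4() {
    if printf '%s\n' "$1" | grep -qi 'general' && printf '%s\n' "$2" | grep -qi 'enabled'; then
        return 0
    fi
    return 1
}

# Root cause 1: trunk mode enabled on the Orchestrator, Gateway not "General with L4 enabled".
# $1 = jsont output ("enabled", "disabled" or "key doesn't exist"), $2/$3 = Gateway outputs
matches_root_cause_1() {
    trunk_state=$(printf '%s' "$1" | tr -d '[:space:]')
    if [ "$trunk_state" = "enabled" ] && ! gateway_is_general_l4 "$2" "$3"; then
        return 0
    fi
    return 1
}

# Root cause 2: an Orchestrator interface hashes with sym_l4 (General L4), Gateway not General L4.
# $1 = mlx_conf.json text, $2/$3 = Gateway outputs
matches_root_cause_2() {
    if printf '%s\n' "$1" | grep -q '"hash_type" *: *"sym_l4"' && ! gateway_is_general_l4 "$2" "$3"; then
        return 0
    fi
    return 1
}

# Prints each matching root cause; returns 1 when neither applies.
# $1 = trunk state, $2 = mlx_conf.json text, $3 = dist configuration, $4 = l4-mode
triage() {
    rc=1
    matches_root_cause_1 "$1" "$3" "$4" && { echo "Root cause 1: uplink trunk mode is enabled but the Gateway is not 'General with L4 enabled'"; rc=0; }
    matches_root_cause_2 "$2" "$3" "$4" && { echo "Root cause 2: an Orchestrator interface uses sym_l4 but the Gateway is not 'General with L4 enabled'"; rc=0; }
    return $rc
}

# Constructed sample outputs (not captured from a real appliance; wording is assumed).
SAMPLE_TRUNK_STATE='enabled'
SAMPLE_MLX_CONF='{ "ports" : [ { "port" : "eth1-01", "hash_type" : "sym_l4" } ] }'
SAMPLE_DIST_CONF='Distribution mode: auto-topology'
SAMPLE_L4_MODE='L4 mode: disabled'
triage "$SAMPLE_TRUNK_STATE" "$SAMPLE_MLX_CONF" "$SAMPLE_DIST_CONF" "$SAMPLE_L4_MODE" || echo "Neither root cause from this article matched"
```

With the constructed samples both root causes are reported; substitute the real outputs from your Orchestrator and Gateway to triage a live deployment.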

Solution

Solution for Root Cause # 1:

Create the VLAN interfaces on the Orchestrator and attach them to the Security Group.

For example, create eth2-51.3009 and attach it to the relevant Security Group instead of eth2-51.

Note: Beginning in an upcoming Jumbo Hotfix Take, uplink trunk mode will be disabled by default. It will be possible to enable it from the command line.

Solution for Root Cause # 2:

This problem was fixed. The fix is included in:

The following workaround is available for previous versions:

Run the following command in Expert mode on the SMO of the relevant Security Groups:

# distutil update
