"Connections from Data Interface to the Management Interfaces (and Vice Versa)" feature
Solution
 These connections are not supported (see SPC-1104 and SPC-1111 in sk148074):
  • Connections that arrive through the Management Interface and are sent out through the Data Interface
  • Connections that arrive through the Data Interface and are sent out through the Management Interface
The feature described in this article, "Connections from Data Interface to the Management Interfaces (and Vice Versa)," resolves those limitations.

Support for this feature starts in R81.10. 

This feature does not affect Data to Data connections or local connections (connections established by the Security Gateway itself).

Introduction

In general, traffic that goes through the Management Interface is not synchronized with the backup Security Gateway Members (SGMs), as packets that go through the Management Interface always arrive at and are handled by the Single Management Object (SMO). Therefore, if backup SGMs are calculated based on DXL, a single failover causes a connection drop if the connection was not properly synchronized with the new SMO beforehand.

The "Connections from Data to Management" feature supports a smart synchronization of these connections with SGMs that may be the new SMO, therefore allowing the connection to be properly handled or corrected by the SMO, and to survive when member failover and site failover occur.

Synchronization

When you enable this feature, Data to Management (and vice versa) connections are synchronized like this:

Connection Flow Type: Data to Management
  C2S members: Calculated based on the DXL matrix
  S2C members:
    • SMO
    • Second active member in the Active Site
    • First active member in the Standby Site

Connection Flow Type: Management to Data
  C2S members:
    • SMO
    • Second active member in the Active Site
    • First active member in the Standby Site
  S2C members: Calculated based on the DXL matrix


Example

Suppose you have a dual-site environment with three members on each Site. The active members are:

  • 1_1 [SMO], 1_3, 1_4 (Active Chassis)
  • 2_1, 2_2, 2_3 (Standby Chassis)

Running a Data to Management connection (where the inbound interface is Data and the outbound interface is Management) results in synchronization with these members:

  • C2S members: according to the normal DXL matrix calculation (for example: 1_1, 1_4 and 2_3)
  • S2C members: according to the Data to Management smart synchronization: 1_1 (SMO), 1_3 (the second active member in the Active Site) and 2_1 (the first active member in the Standby Site)

The connection is synchronized with members 1_1, 1_3, 1_4, 2_1 and 2_3.
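The following Python model of the membership rules above is an added illustration, not Check Point code. It reproduces the worked example, covers the reverse (Management to Data) flow, and contrasts the enabled and disabled states; the DXL-matrix result is passed in as an input because the matrix calculation itself is not described in this article, and the SMO is assumed to be the first active member of the Active Site as in the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Environment:
    """Active members of a dual-site deployment (constructed input, not a real topology)."""
    smo: str                      # assumed to be the first active member of the Active Site
    active_site: tuple[str, ...]  # active members of the Active Site, in member order
    standby_site: tuple[str, ...] # active members of the Standby Site, in member order

def smart_sync_members(env: Environment, enabled: bool = True) -> list[str]:
    """Members holding the Management-side state of a Data<->Management connection.
    Feature enabled: SMO, second active member in the Active Site, first active
    member in the Standby Site. Disabled: only the SMO, which handles all
    Management Interface traffic and does not synchronize it."""
    if not enabled:
        return [env.smo]
    members = [env.smo]
    if len(env.active_site) > 1:
        members.append(env.active_site[1])
    if env.standby_site:
        members.append(env.standby_site[0])
    return members

def sync_members(env, flow, dxl_members, enabled=True):
    """C2S/S2C members for one connection. flow is "data_to_mgmt" (inbound Data,
    outbound Management) or "mgmt_to_data". dxl_members is what the normal DXL
    matrix calculation would choose; the matrix itself is not modelled here."""
    smart = smart_sync_members(env, enabled)
    if flow == "data_to_mgmt":
        c2s, s2c = list(dxl_members), smart
    elif flow == "mgmt_to_data":
        c2s, s2c = smart, list(dxl_members)
    else:
        raise ValueError(f"unknown flow type: {flow}")
    return {"c2s": c2s, "s2c": s2c, "all": sorted(set(c2s) | set(s2c))}

def survives_failover(env, flow, dxl_members, enabled=True):
    """True when both possible new SMOs (second active member in the Active Site
    after a member failover, first active member in the Standby Site after a site
    failover) already hold the connection's Management-side state."""
    synced = set(sync_members(env, flow, dxl_members, enabled)["all"])
    return {env.active_site[1], env.standby_site[0]} <= synced

# Worked example from the article: SMO 1_1, active members 1_1/1_3/1_4 (Active
# Chassis) and 2_1/2_2/2_3 (Standby Chassis), DXL matrix choosing 1_1, 1_4, 2_3.
EXAMPLE_ENV = Environment("1_1", ("1_1", "1_3", "1_4"), ("2_1", "2_2", "2_3"))
EXAMPLE_DXL = ["1_1", "1_4", "2_3"]
```

With the feature disabled, `survives_failover` returns False for the same example because neither 1_3 nor 2_1 holds the Management-side state.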

Toggle Behavior

  • To enable the mechanism on-the-fly, run:
# g_fw -a ctl set int fwha_data_mgmt_connection 1

  • To disable the mechanism on-the-fly, run:
# g_fw -a ctl set int fwha_data_mgmt_connection 0

  • To make the change survive reboot, run:
# g_fw -a ctl set -f int fwha_data_mgmt_connection 1
or
# g_fw -a ctl set -f int fwha_data_mgmt_connection 0

  • To check if the mechanism is enabled, run:
# g_fw -a ctl get int fwha_data_mgmt_connection

Return Values:
1 - mechanism is enabled
0 - mechanism is disabled
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
