Active Cluster Member Rejecting Packets to a Non-Active Member (SSL, ICMP, etc.)
Symptoms
  • Traffic does not pass through ClusterXL in High Availability mode.

  • Cluster kernel debug ('fw ctl debug -m cluster + forward') shows:

    FW-1: fwha_forw_ssl_handler: Rejecting ssl packets to a non-active member

  • Kernel debug (fw ctl zdebug drop) shows:

    dropped by fwchain_reject_mtu Reason: rejected;
Cause

The fwha_forw_c2s_handler function on the cluster member checks the state of the member to which the connection should be forwarded. If the state of that member is not "Active" (e.g., Down, Standby), the packet is rejected.

Example 1:
;FW-1: fwha_is_c2s_packet: is c2s, orig ip = 0xaaa1501, local IP = 0x315aa0a, proto = 1, dir = 1
;FW-1: fwha_forw_run: conn_type=4
;FW-1: fwha_forw_ssl_handler: Rejecting ssl packets to a non-active member(0). The other member state is 0

Example 2:
;FW-1: fwha_is_c2s_packet: is c2s, orig ip = 0xa010902, local IP = 0xc24320a, proto = 1, dir = 1;
;FW-1: fwha_forw_run: conn_type=4
;FW-1: fwha_forw_ssl_handler: Rejecting ssl packets to a non-active member(1). The other member state is 2;

Note: This is the complete list of possible states:

  • 4 = Active/Active-Attention
  • 3 = Ready
  • 2 = Standby
  • 1 = Initializing
  • 0 = Down/Dead

When the kernel parameter fwha_forw_packet_to_not_active is set to 0, packets are not forwarded to a non-active member. Instead, a reset packet is sent to the client.
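
A triage sketch for a saved copy of the cluster debug output shown above, added here as an example and not Check Point code: it pulls out each reject line, names the other member's state from the table above, and counts rejects per member. Reading the number in parentheses as the peer's member ID is an assumption, and the hex addresses are kept as printed because the article does not state their byte order.

```python
import re
from collections import Counter

# State codes exactly as listed in the article.
MEMBER_STATES = {4: "Active/Active-Attention", 3: "Ready", 2: "Standby",
                 1: "Initializing", 0: "Down/Dead"}

REJECT_RE = re.compile(
    r"fwha_forw_ssl_handler: Rejecting ssl packets to a non-active "
    r"member\((?P<member>\d+)\)\. The other member state is (?P<state>\d+)")
C2S_RE = re.compile(
    r"fwha_is_c2s_packet: is c2s, orig ip = (?P<orig>0x[0-9a-fA-F]+), "
    r"local IP = (?P<local>0x[0-9a-fA-F]+), proto = (?P<proto>\d+)")

# Two examples from the article plus one constructed line (no c2s line before it).
SAMPLE = """\
;FW-1: fwha_is_c2s_packet: is c2s, orig ip = 0xaaa1501, local IP = 0x315aa0a, proto = 1, dir = 1
;FW-1: fwha_forw_run: conn_type=4
;FW-1: fwha_forw_ssl_handler: Rejecting ssl packets to a non-active member(0). The other member state is 0
;FW-1: fwha_is_c2s_packet: is c2s, orig ip = 0xa010902, local IP = 0xc24320a, proto = 1, dir = 1;
;FW-1: fwha_forw_run: conn_type=4
;FW-1: fwha_forw_ssl_handler: Rejecting ssl packets to a non-active member(1). The other member state is 2;
;FW-1: fwha_forw_ssl_handler: Rejecting ssl packets to a non-active member(1). The other member state is 1
"""

def parse_rejects(lines):
    """Return one record per reject line, joined to the c2s line before it."""
    records, last_c2s = [], None
    for line in lines:
        c2s = C2S_RE.search(line)
        if c2s:
            last_c2s = c2s.groupdict()
            continue
        rej = REJECT_RE.search(line)
        if rej:
            state = int(rej["state"])
            records.append({
                "member": int(rej["member"]),  # assumed to be the peer's ID
                "state": state,
                "state_name": MEMBER_STATES.get(state, "unlisted"),
                "c2s": last_c2s,  # hex kept as printed; byte order not assumed
            })
            last_c2s = None
    return records

def summarize(records):
    # Count rejects per (member, state name) to show which peer is not Active.
    return Counter((r["member"], r["state_name"]) for r in records)

if __name__ == "__main__":
    print(summarize(parse_rejects(SAMPLE.splitlines())))
```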

