Support Center > Search Results > SecureKnowledge Details
Cluster debug shows "FW-1: fwha_forw_ssl_handler: Rejecting ssl packets to a non-active member"
Symptoms
  • Traffic does not pass through ClusterXL in High Availability mode.

  • Cluster kernel debug ('fw ctl debug -m cluster + forward') shows:

    FW-1: fwha_forw_ssl_handler: Rejecting ssl packets to a non-active member
  • Kernel debug (fw ctl zdebug drop) shows dropped by fwchain_reject_mtu Reason: rejected;

Cause

The fwha_forw_c2s_handler function on the cluster member checks the state of the member, to which the connection should be forwarded, and if the state of that member is not "Active" (e.g., Down, Standby), then the packet is rejected.

Example 1:
;FW-1: fwha_is_c2s_packet: is c2s, orig ip = 0xaaa1501, local IP = 0x315aa0a, proto = 1, dir = 1
;FW-1: fwha_forw_run: conn_type=4
;FW-1: fwha_forw_ssl_handler: Rejecting ssl packets to a non-active member(0). The other member state is 0

Example 2:
;FW-1: fwha_is_c2s_packet: is c2s, orig ip = 0xa010902, local IP = 0xc24320a, proto = 1, dir = 1;
;FW-1: fwha_forw_run: conn_type=4
;FW-1: fwha_forw_ssl_handler: Rejecting ssl packets to a non-active member(1). The other member state is 2;

Note: This is the complete list of possible states:

  • 4 = Active/Active-Attention
  • 3 = Ready
  • 2 = Standby
  • 1 = Initializing
  • 0 = Down/Dead

When the value of kernel parameter fwha_forw_packet_to_not_active is set to 0, the packet forwarding is not done to a non-active member. Instead, a reset packet is sent to the client.


Solution
Note: To view this solution you need to Sign In .