ISP Redundancy probing is not working in ClusterXL
Symptoms
  • SmartView Tracker logs from ClusterXL members with configured ISP Redundancy might show that ICMP Reply packets (to ISP Redundancy pings) are dropped:
    ICMP reply does not match a previous request

  • SmartView Tracker logs from cluster member(s) might show:
    An ISP link has failed; reason: A host is not responding; ISP link: <Name_of_ISP_Link>;

  • Output of "cpstat fw" command on cluster member(s) shows Status "A host is not responding" in the "ISP link table" section (refer to sk40958).

  • Traffic capture on ClusterXL members shows that probing ICMP Request packets are sent from cluster members with Source IP address of Cluster Virtual IP address (i.e., packets are NAT-hidden behind Cluster VIP address).

  • Creating Manual "No-NAT" rules (to not perform Hide NAT behind Cluster VIP) and installing policy does not resolve the issue.
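
The traffic-capture symptom above can be checked mechanically. The following is an added example, not Check Point code: it classifies ICMP probe packets by whether their local address is the Cluster VIP or a member's physical IP. It assumes the capture is saved as "tcpdump -n icmp" text output; all addresses, the probe-target list and the sample capture are constructed placeholders.

```python
import re
from collections import Counter

# Assumptions (constructed, documentation-range addresses): replace with your own.
CLUSTER_VIP = "203.0.113.10"
MEMBER_IPS = {"203.0.113.11", "203.0.113.12"}
PROBE_TARGETS = {"198.51.100.1"}          # hosts pinged by ISP Redundancy

# Constructed sample in the text format printed by "tcpdump -n icmp".
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10 > 198.51.100.1: ICMP echo request, id 4242, seq 1, length 64
12:00:01.010001 IP 198.51.100.1 > 203.0.113.10: ICMP echo reply, id 4242, seq 1, length 64
12:00:02.000001 IP 203.0.113.11 > 198.51.100.1: ICMP echo request, id 4243, seq 1, length 64
12:00:02.010001 IP 198.51.100.1 > 203.0.113.11: ICMP echo reply, id 4243, seq 1, length 64
12:00:03.000001 IP 192.0.2.50 > 203.0.113.10: ICMP echo request, id 7, seq 1, length 64
"""

LINE_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")

def classify(line, vip=CLUSTER_VIP, members=MEMBER_IPS, targets=PROBE_TARGETS):
    """Label one capture line; None if it is not an ICMP echo line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, kind = m["src"], m["dst"], m["kind"]
    # For a request the cluster side is the source; for a reply, the destination.
    local, remote = (src, dst) if kind == "request" else (dst, src)
    if remote not in targets:
        return "not-probe"                 # unrelated ping, e.g. someone pinging the VIP
    if local == vip:
        return f"{kind}-via-vip"           # probe hidden behind the Cluster VIP
    if local in members:
        return f"{kind}-via-member"        # probe uses the member's physical IP
    return "not-probe"

def summarize(capture_text):
    """Count labels over a whole capture."""
    counts = Counter()
    for line in capture_text.splitlines():
        label = classify(line)
        if label:
            counts[label] += 1
    return counts

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_CAPTURE).items()):
        print(f"{label}: {n}")
```

A non-zero "request-via-vip" count corresponds to the symptom described above: probing ICMP Requests leaving the member with the Cluster VIP as Source IP address.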

Cause

By default, the Cluster Hide and Fold option is enabled (controlled via the attribute "perform_cluster_hide_fold" in the Cluster Object in the Security Management Server database).

The value of the attribute perform_cluster_hide_fold in the Cluster Object controls the following:

  • Whether outgoing connections from cluster members will be hidden behind Cluster Virtual IP address - i.e., sent with Source IP address of Cluster Virtual IP address, or sent with Source IP address of member's Physical IP address
  • Whether incoming connections sent to Cluster Virtual IP address will be folded to member's Physical IP address, or the Destination IP Address will remain as Cluster Virtual IP address.

How connections are Hidden / Folded by Cluster, by value of attribute:

Value of attribute: true ("1") (default)
  • Outgoing connections from cluster members will be sent with Source IP address of Cluster Virtual IP address (hidden behind Cluster VIP)
  • Incoming connections sent to Cluster Virtual IP address will be folded to member's Physical IP address (in case of VSX cluster, with Destination IP address that belongs to cluster Internal Communication Network)

Value of attribute: false ("0")
  • Outgoing connections from cluster members will be sent with Source IP address of member's Physical IP address (in case of VSX cluster, with Source IP address that belongs to cluster Internal Communication Network)
  • Incoming connections sent to Cluster Virtual IP address will not be folded to member's Physical IP address (the Destination IP Address will remain as Cluster Virtual IP address)

Solution