ClusterXL: Accessing Standby member through IPSec VPN
IPSec packets sent to a cluster in ClusterXL HA mode are always decrypted by the Active member. This includes the Standby member's local encrypted connections.
If the Active member simply forwarded the decrypted packets to the Standby member, the Standby member would drop them with the error "Clear text packet should be encrypted". To prevent this problem, the Active member forwards the Standby member's packets using the ClusterXL Packet Forwarding mechanism. In some cases, however, additional configuration may be required:
Versions R80.10 and lower:
The flag fwha_forw_packet_to_not_active should be set on both members. To set it on the fly, execute the command below:
# fw ctl set int fwha_forw_packet_to_not_active 1
Refer to sk26202 ("Changing the kernel global parameters on all platforms") to ensure that the modification survives a reboot.
Versions R80.20 and higher:
No specific configuration is required, and it is no longer recommended to set the flag fwha_forw_packet_to_not_active.
However, a hotfix is required when running a version lower than R80.20 Jumbo 76.
Refer to sk147493 for more details.