Some IPv6 pings are lost through ClusterXL High Availability with IPv6
Symptoms
  • Some IPv6 pings are lost in the following IPv6 topology:
    Host_1 on Net_1 --- ClusterXL High Availability with IPv6 --- Host_2 on Net_2
    
    where:
    • IPv6 address of Host_1 is NATed to an IPv6 address on Net_2
    • IPv6 address of Host_2 is NATed to an IPv6 address on Net_1


  • Kernel debug ('fw ctl debug -m fw + ipv6 drop') on cluster members shows that ICMPv6 "Neighbor Advertisement" (Type 136) packets are dropped:
       [-- Stateful VM outbound: Entering (...) --]; 
    ;Before VM: <dir 1, IPv6_Address_of_Active_Member.0 -> Real_IPv6_Address_of_Target_Host.136 IPP 58> (len=...) ICMP protocol=3a, type=88, code=0 (ifn=...) (first seen) (looked up) ; 
    ......
    ;fw_handle_first_packet: Rulebase returned ACCEPT; 
    ......
    ;fwconn_key_init_links: Creating links (outbound). One way links=0, Replies from any=0;
    ;fwconn_key_set_links_outbound: create link srs_i <dir 0, Real_IPv6_Address_of_Target_Host.136 -> IPv6_Virtual_IP_of_Cluster.0 IPP 58> -> <dir 1, IPv6_Address_of_Active_Member.0 -> Real_IPv6_Address_of_Target_Host.136 IPP 58>(0x6); 
    ......
    ;h_slink: link already exists; 
    ;fwconn_key_set_link: failed to set the link (-3);
    ......
    ;FW-1: fwconn_key_set_links_outbound: fwconn_set_link(srs_i) failed <dir 0, Real_IPv6_Address_of_Target_Host.136 -> IPv6_Virtual_IP_of_Cluster.0 IPP 58> -> <dir 1, IPv6_Address_of_Active_Member.0 -> Real_IPv6_Address_of_Target_Host.136 IPP 58> ;
    ......
    ;FW-1: fwconn_key_init_links: Failed to set server-side links;
    ;FW-1: fw_conn_post_inspect: fwconn_key_init_links failed. Dropping packet;
    ......
    ;fw_log_drop_ex: Packet proto=58 IPv6_Address_of_Cluster_Member.X -> Real_IPv6_Address_of_Target_Host.Y dropped by fw_conn_post_inspect Reason: fwconn_key_init_links (OUTBOUND) failed;
    ......
    ;IP Protocol 58;
    ;fw_filter_chain: fw_conn_post_inspect returned action DROP;
    ;fw_filter_chain: Final switch, action=DROP;
    ;After  VM: ...
    ;VM Final action=DROP;
    
Cause

The ICMPv6 "Neighbor Advertisement" message (the response to the ICMPv6 "Neighbor Solicitation" message sent by the Host before replying to the Echo Request) is dropped by the Security Gateway due to a link collision in the Connections kernel table (id 8158). The Echo Request times out while the source Host is waiting for the address of the target Host to be resolved.

By design, in ClusterXL High Availability mode, ICMPv6 "Neighbor Advertisement" messages between the local networks are sent out of the cluster with the Source IP address of the Active cluster member.

At the same time, the periodic cluster ICMPv6 "Neighbor Advertisement" messages, which advertise the Cluster VIP address to all the local networks, are created with the same 'srs_i' link on the outbound. As a result, a link collision occurs.
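
One way to triage a saved kernel debug capture for this signature, as an added example (not Check Point code): it splits the output into per-packet blocks at the "Stateful VM ... Entering" marker and reports blocks where an ICMPv6 Neighbor Advertisement is dropped after "h_slink: link already exists". The function names and the sample capture are constructed for illustration; reading protocol=3a / type=88 as hex for 58 / 136 follows the excerpt above.

```python
import re

ICMPV6 = 58            # IP protocol; the debug prints it in hex ("protocol=3a")
NEIGHBOR_ADVERT = 136  # ICMPv6 type; the debug prints it in hex ("type=88")
HDR = re.compile(r"protocol=([0-9a-fA-F]+), type=([0-9a-fA-F]+)")

# Constructed sample modelled on the excerpt above; addresses are the page's placeholders.
SAMPLE = """\
;[-- Stateful VM outbound: Entering (...) --];
;Before VM: <dir 1, IPv6_Address_of_Active_Member.0 -> Real_IPv6_Address_of_Target_Host.136 IPP 58> ICMP protocol=3a, type=88, code=0;
;h_slink: link already exists;
;fwconn_key_set_link: failed to set the link (-3);
;FW-1: fw_conn_post_inspect: fwconn_key_init_links failed. Dropping packet;
;VM Final action=DROP;
;[-- Stateful VM outbound: Entering (...) --];
;Before VM: <dir 1, IPv6_Address_of_Active_Member.0 -> Real_IPv6_Address_of_Target_Host.136 IPP 58> ICMP protocol=3a, type=88, code=0;
;VM Final action=ACCEPT;
;[-- Stateful VM outbound: Entering (...) --];
;Before VM: <dir 1, Host_1.0 -> Host_2.128 IPP 58> ICMP protocol=3a, type=80, code=0;
;VM Final action=DROP;
"""

def split_packets(text):
    """Group debug lines into per-packet blocks, one per VM entry marker."""
    blocks, cur = [], None
    for line in text.splitlines():
        if "Stateful VM" in line and "Entering" in line:
            cur = []
            blocks.append(cur)
        if cur is not None:  # lines before the first marker are ignored
            cur.append(line.strip())
    return blocks

def find_na_collisions(text):
    """Return blocks where a Neighbor Advertisement was dropped on a link collision."""
    hits = []
    for index, block in enumerate(split_packets(text)):
        body = "\n".join(block)
        m = HDR.search(body)
        if not m:
            continue
        proto, icmp_type = int(m.group(1), 16), int(m.group(2), 16)
        collision = ("h_slink: link already exists" in body
                     and "failed to set the link" in body)
        if (proto, icmp_type) == (ICMPV6, NEIGHBOR_ADVERT) and collision and "VM Final action=DROP" in body:
            hits.append({"index": index, "proto": proto, "icmp_type": icmp_type})
    return hits

if __name__ == "__main__":
    print(find_na_collisions(SAMPLE))
```

Only the first block of the sample matches: the second Neighbor Advertisement is not dropped, and the third block is a dropped Echo Request (type=80, i.e. 128) with no link-collision lines.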

