4 Replies Latest reply on Sep 30, 2014 11:23 AM by fitchsoccer342

    CAG troubleshooting with load balancing enabled

    fitchsoccer342

      Trying to see if anyone else has this issue or knows a solution for it.

       

      Basically, we have a CAG within the firewall listing out DNS servers, which works great. The firewall works and picks up the DNS server and allows all internally. HOWEVER, as soon as we enable load balancing on the server, the firewall like disregards the DNS servers listed and blocks everything. I've tried adding the DHCP server or default gateway instead of DNS, and exact same issue. As soon as we disable load balancing, it no longer blocks anything on this server. Anyone have any ideas?

        • 1. Re: CAG troubleshooting with load balancing enabled
          greatscott

          Duplicate your DNS CAG. Once you do that, on the duplicated CAG, change the criteria from your DNS entries to an IP criteria. List the IPs of your load balanced systems. Make sure the CAG still contains all the same rules, then apply the policy to your load balanced systems, if it is not already. Observe if the results change or not.

           

          So basically you will have the two stacked like this:

           

          DNS CAG
          ->rules

          IP CAG
          ->rules

           

          If this doesn't work, you may need to put one or more of these systems into debug logging and get more detail.

          • 2. Re: CAG troubleshooting with load balancing enabled
            fitchsoccer342

            That's definitely worth trying, but when I create an IP CAG, where would you list the specific IPs of the load balancing servers? I only see DNS/DHCP/WINS/etc. entries in the location options.

             

            I've done the debugging and looked at the FireSvc.log, but it doesn't really show anything other than the CAG being applied and being blocked at the CAG rule.

            • 3. Re: CAG troubleshooting with load balancing enabled
              greatscott

              You actually don't list it in the Location tab of the Firewall Group Builder. Just make sure your location status is checked "Enabled" on this page. Go to the "Network Options" tab. Once there, select the "Any Protocol" radio button, select your media type, then click "New(Local)" and add your IPs here. Click through the rest of the Firewall Group Builder. This effectively creates an IP-based CAG.

              • 4. Re: CAG troubleshooting with load balancing enabled
                fitchsoccer342

                greatscott wrote:

                 

                You actually don't list it in the Location tab of the Firewall Group Builder. Just make sure your location status is checked "Enabled" on this page. Go to the "Network Options" tab. Once there, select the "Any Protocol" radio button, select your media type, then click "New(Local)" and add your IPs here. Click through the rest of the Firewall Group Builder. This effectively creates an IP-based CAG.

                Ah, got it. I'll have to go through and give that a try. Will let you know. Thanks.