A customer has two 1060 NGFW appliances working as a load balancing cluster and a separate SMC log server. An architecture illustration is attached. The “balancing node” NODE2 announces its MAC as the cluster MAC. One proxy server and two email security appliances (IronPort) generate all internet traffic (SMTP, HTTP, HTTPS, FTP, DNS, ICMP). The proxy server and the two email security appliances are on the same VLAN as interface 1 of the NGFW. The cluster works in Unicast Load Balancing mode.
First it was noticed that there is an email delivery delay. Further investigation shows that the balancing node (NODE2 in our case) arbitrarily does the following: it directs the session reply (or simply the reply, in the case of connectionless protocols) to NODE1, and NODE1 considers the reply a new unauthorized request from the internet and drops it according to the rule policy.
It occurs when a session is initiated from NODE2: the session reply is arbitrarily redirected to NODE1. For example, in the case of ICMP:
ICMP request from IronPort2 -> NODE2 processes and NATs the request -> the destination sends a reply -> NODE2's load balancing mechanism processes the reply and directs it to NODE1 (why???) -> NODE1 drops the traffic according to the rule base (connection discarded)
The same happens with HTTP/S (invalid SYN packet) and the other protocols. I used Wireshark to see that requests that went out of NODE2 appear on the external interface of NODE1 with NODE2's MAC address as the source MAC and NODE1's MAC as the destination.
So the question is: why does the load balancing mechanism arbitrarily direct the session reply to NODE1?
Some other considerations:
- When I put NODE1 offline (“go offline” from the GUI), NODE2 processes traffic. But when I put the balancing node NODE2 offline, NODE1 can’t process traffic. I get an error at the network level (destination host unreachable). So NODE1 doesn’t take the initiative. It seems to me that this is wrong behavior, since LOAD BALANCING is at the same time a HIGH AVAILABILITY solution and failover to NODE1 should happen.
- I have no asymmetric routing.
- I can’t open support tickets.
Attachment: illustration.png
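To make the symptom described above measurable rather than eyeballed in Wireshark, here is an added diagnostic script (not part of the original post and not vendor tooling) that pairs outbound requests with their inbound replies across captures from both nodes' external interfaces and flags every reply that lands on a node other than the one that sent the request. The node MACs, IP addresses and frame summaries are constructed for the example; in practice you would export the same fields from tshark and feed them in.

```python
"""Spot session replies that land on a different cluster node than the one that
sent the request: request leaves NODE2, reply shows up on NODE1's external
interface with NODE2's MAC as source.

Added diagnostic example; it is not part of the original post and not vendor
tooling. It works on a constructed list of frame summaries of the kind you can
export from Wireshark/tshark captures taken on both nodes' external interfaces.
"""
from collections import Counter

# Assumed node MACs (constructed for the example, not values from the post).
NODE_MAC = {"NODE1": "00:11:22:aa:00:01", "NODE2": "00:11:22:aa:00:02"}
REMOTE_MAC = "00:aa:bb:cc:dd:ee"  # constructed upstream router MAC

# Constructed frame summaries. "node": appliance whose external interface saw
# the frame; "dir": "out" = toward the internet, "in" = from the internet.
FRAMES = [
    # ICMP echo: request leaves NODE2, reply is handed to NODE1 by NODE2.
    {"node": "NODE2", "dir": "out", "src_mac": NODE_MAC["NODE2"], "dst_mac": REMOTE_MAC,
     "proto": "icmp", "src_ip": "203.0.113.10", "dst_ip": "198.51.100.5", "sport": 0, "dport": 0},
    {"node": "NODE1", "dir": "in", "src_mac": NODE_MAC["NODE2"], "dst_mac": NODE_MAC["NODE1"],
     "proto": "icmp", "src_ip": "198.51.100.5", "dst_ip": "203.0.113.10", "sport": 0, "dport": 0},
    # HTTPS: SYN leaves NODE2, SYN/ACK is handed to NODE1 (seen there as an "invalid SYN").
    {"node": "NODE2", "dir": "out", "src_mac": NODE_MAC["NODE2"], "dst_mac": REMOTE_MAC,
     "proto": "tcp", "src_ip": "203.0.113.10", "dst_ip": "198.51.100.7", "sport": 51234, "dport": 443},
    {"node": "NODE1", "dir": "in", "src_mac": NODE_MAC["NODE2"], "dst_mac": NODE_MAC["NODE1"],
     "proto": "tcp", "src_ip": "198.51.100.7", "dst_ip": "203.0.113.10", "sport": 443, "dport": 51234},
    # SMTP: healthy flow, the reply returns to the node that sent the request.
    {"node": "NODE2", "dir": "out", "src_mac": NODE_MAC["NODE2"], "dst_mac": REMOTE_MAC,
     "proto": "tcp", "src_ip": "203.0.113.10", "dst_ip": "198.51.100.9", "sport": 40001, "dport": 25},
    {"node": "NODE2", "dir": "in", "src_mac": REMOTE_MAC, "dst_mac": NODE_MAC["NODE2"],
     "proto": "tcp", "src_ip": "198.51.100.9", "dst_ip": "203.0.113.10", "sport": 25, "dport": 40001},
]


def flow_key(frame):
    """Direction-independent flow identifier: protocol plus the two endpoints, sorted."""
    ends = sorted([(frame["src_ip"], frame["sport"]), (frame["dst_ip"], frame["dport"])])
    return (frame["proto"],) + tuple(ends)


def find_cross_node_replies(frames, node_mac):
    """Return one finding per inbound frame whose flow's request left through a
    different node. forwarded_by_peer is True when the frame's source MAC is
    the originating node's own MAC, i.e. the peer handed the reply over on the
    wire (the post's case) rather than the upstream router picking the wrong node."""
    request_node = {}  # flow key -> node that sent the first outbound frame
    findings = []
    for f in frames:
        key = flow_key(f)
        if f["dir"] == "out":
            request_node.setdefault(key, f["node"])
            continue
        origin = request_node.get(key)
        if origin is None or origin == f["node"]:
            continue  # unknown flow, or the reply came back to the right node
        findings.append({
            "proto": f["proto"],
            "server_port": f["sport"],  # the reply's source port is the server side
            "request_node": origin,
            "reply_node": f["node"],
            "forwarded_by_peer": f["src_mac"] == node_mac.get(origin),
        })
    return findings


def summarize(findings):
    """Count cross-node replies per protocol to see whether one protocol or all are affected."""
    return dict(Counter(f["proto"] for f in findings))


if __name__ == "__main__":
    found = find_cross_node_replies(FRAMES, NODE_MAC)
    for item in found:
        print(item)
    print("per protocol:", summarize(found))
```

The `forwarded_by_peer` flag is the useful distinction when reading the output: a reply whose source MAC is the peer node's own MAC was handed over inside the cluster (what the post describes), whereas a reply whose source MAC is the upstream router's MAC points at the router or switch delivering to the wrong node. The equivalent Wireshark display filter for the first case, with the placeholder MACs filled in, is `eth.src == <NODE2 MAC> && eth.dst == <NODE1 MAC>` on NODE1's external interface.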