[c-nsp] traffic stuck firewall assymetry
james list
jameslist72 at gmail.com
Thu Mar 30 00:46:24 EDT 2017
Hi Ted
you are correct, firewall nodes form a cluster (active/passive) and c6500A
and B have a port-channel in between in both sites.
There are no vrf in the network.
By the way, I still do not understand if you have experienced something
similar and why this could cause rdp stucking/frozen.
kind regards
James
Il 29 Mar 2017 22:58, "Ted Johansson" <ted.johansson at tele2.com> ha scritto:
I guess both firewall clusters at both sites has links in-between the
nodes, e.g. Firewall A<->Firewall B, as well as C6500A<->C6500B.
If you do have some route leaking between VRFs, that could cause issues as
well if the traffic is flowing asymmetrically.
Best Regards
Ted
-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
james list
Sent: den 29 mars 2017 17:31
To: cisco-nsp NSP <cisco-nsp at puck.nether.net>; Juniper List <
juniper-nsp at puck.nether.net>
Subject: [c-nsp] traffic stuck firewall assymetry
Hi experts
I’ve a couple active-passive firewall clusters (both with two member-A and
member-B) in two different localtions connected with two different WAN
links (WAN-A and WAN-B).
One cluster in site A has firewall member-A as active and the router/switch
(C6500 not in VSS) with WAN link A as HSRP active and the opposite has
firewall member-B as active and the router/switch with WAN link A as HSRP
active.
Everything works properly but sometimes the virtual machine (behind the
firewall) got frozen.
Here a draft of the design:
VDI - Firewall-A(Active) – C6500A (active HSRP) ------– WAN link –------
C6500A (active HSRP) – Firewall-A (passive) - VDI
||
||
VDI - Firewall-B (passive)– C6500B (secondary HSRP) --– WAN link –------
C6500B (secondary HSRP) – Firewall-B (Active) - VDI
Can the assymmetry in site B be the cause ?
I suspect yes, but I cannot figure out why ?
Any hint or experience is appreciated.
Cheers
James
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/
mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
******** IMPORTANT NOTICE ********
The content of this e-mail is intended for the addressee(s) only and may
contain information that is confidential and/or otherwise protected from
disclosure. If you are not the intended recipient, please note that any
copying, distribution or any other use or dissemination of the information
contained in this e-mail (and its attachments) is strictly prohibited. If
you have received this e-mail in error, kindly notify the sender
immediately by replying to this e-mail and delete the e-mail and any copies
thereof.
Tele2 AB (publ) and its subsidiaries (“Tele2 Group”) accepts no
responsibility for the consequences of any viruses, corruption or other
interference transmitted by e-mail.
More information about the cisco-nsp
mailing list