[c-nsp] traffic stuck firewall assymetry

james list jameslist72 at gmail.com
Thu Mar 30 00:46:24 EDT 2017


Hi Ted
you are correct, firewall nodes form a cluster (active/passive) and c6500A
and B have a port-channel in between in both sites.
There are no vrf in the network.

By the way, I still do not understand if you have experienced something
similar and why this could cause rdp stucking/frozen.

kind regards
James


Il 29 Mar 2017 22:58, "Ted Johansson" <ted.johansson at tele2.com> ha scritto:

I guess both firewall clusters at both sites has links in-between the
nodes, e.g. Firewall A<->Firewall B, as well as C6500A<->C6500B.

If you do have some route leaking between VRFs, that could cause issues as
well if the traffic is flowing asymmetrically.

Best Regards
Ted

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
james list
Sent: den 29 mars 2017 17:31
To: cisco-nsp NSP <cisco-nsp at puck.nether.net>; Juniper List <
juniper-nsp at puck.nether.net>
Subject: [c-nsp] traffic stuck firewall assymetry

Hi experts
I’ve a couple active-passive firewall clusters (both with two member-A and
member-B) in two different localtions connected with two different WAN
links (WAN-A and WAN-B).

One cluster in site A has firewall member-A as active and the router/switch
(C6500 not in VSS) with WAN link A as HSRP active and the opposite has
firewall member-B as active and the router/switch with WAN link A as HSRP
active.

Everything works properly but sometimes the virtual machine (behind the
firewall) got frozen.
Here a draft of the design:

VDI - Firewall-A(Active) –  C6500A (active HSRP) ------– WAN link –------
C6500A (active HSRP)  – Firewall-A (passive) - VDI
                             ||
||
VDI - Firewall-B (passive)– C6500B (secondary HSRP) --– WAN link –------
C6500B (secondary HSRP)  – Firewall-B (Active) - VDI


Can the assymmetry in site B be the cause ?
I suspect yes, but I cannot figure out why ?

Any hint or experience is appreciated.

Cheers
James
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/
mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

******** IMPORTANT NOTICE ********
The content of this e-mail is intended for the addressee(s) only and may
contain information that is confidential and/or otherwise protected from
disclosure. If you are not the intended recipient, please note that any
copying, distribution or any other use or dissemination of the information
contained in this e-mail (and its attachments) is strictly prohibited. If
you have received this e-mail in error, kindly notify the sender
immediately by replying to this e-mail and delete the e-mail and any copies
thereof.

Tele2 AB (publ) and its subsidiaries (“Tele2 Group”) accepts no
responsibility for the consequences of any viruses, corruption or other
interference transmitted by e-mail.


More information about the cisco-nsp mailing list