Re: Nokia cluster hide NATs to physical address

IPSO Cluster R65

I am still struggling with this. If I have:

- Hide nat for network set to "Hide behind gateway"
- Cluster Object 3rd party configuration: Hide Cluster member's outgoing traffic behind the Cluster's IP address

I still get the source address of the traffic as one of the physical addresses, depending on the gateway in use.

If I force the use of the Cluster address with Hide nat for network set to "Hide behind IP address" and specify the Cluster address, then I get the NAT I want. However, I also get web browsing performance issues that I think are related to log messages with:

Information: TCP packet out of state: Unexpected post SYN packet - RST or SYN expected tcp_flags: ACK

I get a normal "Accept" from one node and the above fail from the other node at the exact same time.

I have found:

Solution ID: sk34203
Out of State drops on Nokia IPSO Clustering (not VRRP)
The IPSO OS has a parameter that can be set to ensure that the Security Gateway performs the Flush and Ack, so that the SYN can be "sync'd" prior to the asymmetric SYN-ACK returning to the Security Gateway. To enable "on the fly":

    ipsctl -w net:ip:cluster:force_flush 1

I have also disabled Dynamic work assignment in favour of static. This has made no difference to the "Unexpected post SYN packet" messages or the performance.

Performance is fine and there are no messages if the NAT is left as Hide nat for network set to "Hide behind gateway". But as described, I cannot see that failover can occur with the observed NAT behaviour.

VRRP here we go, I think.

Thanks.