ICMP Reply does not match a previous request



dgcollins
2009-05-22, 09:01
We currently have an NGX r65hfa40 Nokia VRRP cluster set up to use ISP redundancy in primary/backup mode.

I'm seeing ICMP replies being dropped from the secondary ISP router to the secondary cluster (as per subject).

I believe these ICMP requests are due to ISP redundancy checking if the default gateways are up (testing if a link is available).
I presume the ICMP requests are being NATed behind the cluster VIP and hence the replies are not going back to the original source address.

What's strange is that I do not get the problem on the primary VRRP firewall cluster member.

I have the following cluster options configured:

support non sticky.. - unticked
hide clusters' outgoing members traffic... ticked
forward clusters incoming traffic.... ticked

If I untick the "hide clusters' outgoing members..." option, from what I have read the problem will go away?

I was wondering what other people do in regards to this issue? And if I go for unticking this option, are there any bad consequences in doing so?