View Full Version : VPN traffic disappears when one cluster member is active but passes through the other

2012-10-03, 11:05
Im not sure if this is a VPN problem, a cluster problem or a hardware problem so I have posted this in a few forums:

I have a Firewall cluster running Active/Standby on R70.40. Node A=Active, Node B=Standby.
I also have 8 site to site VPN tunnels from this firewall cluster to various other firewalls administered by other companies [some are Checkpoints, some are Ciscos].

In the past all VPN traffic went through Node A with no problems. I then experienced a problem with node A whereby whenever I tried to push a policy I got an error about lack of memory on Node A. I failed the cluster over to Node B and rebooted Node A. Everything seemed ok from then on as I could once again push policies, but I then had a few reports from users of traffic not going across some of the VPN tunnels.

After investigating it seems that when node A is the Active cluster member, the VPN traffic for VPNs 1, 2 and 3 works fine, but traffic for VPNs 4,5 and 6 seems to disappear. No errors in the Tracker, the packets show as being leaving my firewall encrypted, the remote administrators confirm they can see the packets arriving and the replies leaving their firewalls encrypted, but no replies hit my firewall. Fw monitor and tcpdump shows the first Sync packets leaving my network but nothing coming back. If the remote side tries to initiate traffic it shows as leaving their firewall encrypted but nothing shows in my tracker or packet captures.

If I fail the cluster over so that node B is Active, the problem is reversed. VPN traffic for VPNs 4,5 and 6 works fine, but traffic for VPNs 1,2 and 3 seems to disappear.
All regular [non-VPN traffic] passes through either firewall with no problems. Traffic for VPN's 7 and 8 passes through either firewall with no problems.

I have double-checked the routing tables and they are the same on each firewall. I have run fw ctl zdebug drop | grep x.x.x.x [where x.x.x.x = a server on the other side of one of the VPN tunnels] and also fw ctl zdebug drop | grep y.y.y.y [where y.y.y.y = the public IP address of one of the remote firewalls] and initiated traffic to a remote server, but nothing shows as being dropped. I had these commands running simultaneously on both cluster members but no traffic was shown as being dropped by either firewall.

I have shutdown all VPN tunnels and cleared the security associations using the VPN TU utility. I then re-enabled the VPN tunnels but the problem remains the same.
Any ideas?