Santhosh0991
Jun 14, 2021

After failover from A to B, the traffic is not flowing to B

Even though the failover from A to B is fine, the traffic doesn't flow through B. I have checked both traffic groups, one where masquerade is enabled and the other where it is not, and see the same behaviour.

5 Replies

  • Hi,

    It could be caused by a number of different things. Here are a couple of tips that can hopefully help you isolate the problem:

    • In the B box, do you have any entries in the TMOS ARP table? (i.e. can the box see its neighbours? - "tmsh show net arp")
    • Can you reach box A over different interfaces (e.g. internal / external / ha)? This is again to confirm that box B does have network access.
    • Can you reach the gateway from box B and can the gateway reach you?
    • Have the same routes been configured in box A as in box B? (in CLI: "route -n" and "tmsh show net route")
    • Have any of the self IPs been accidentally configured on "traffic-group-local-only", rather than the floating traffic group?
    • Are any of the virtual servers using the IP address of any non-floating IPs?
    • If traffic is coming in, but not going back out, check the routing on your backend servers and/or SNAT configuration.

    These are just some ideas from the top of my head. Hope there is something useful in here.. ;)

  • Hello AlexBCT, thanks for your suggestions, but all the scenarios are configured there, and we still faced the issue.

    • AlexBCT

      Hmm, interesting! Though I very much doubt you'd agree with me... ;)

      What platform are you running on? Is it hardware or VMs? If you are running VMs on VMware, you can check the security settings: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.networking.doc/GUID-891147DD-3E2E-45A1-9B50-7717C3443DD7.html

      Doing a failover, especially with MAC masquerading enabled, can cause trouble because VMware stops sending traffic to the vSwitch port as it thinks that someone is either hijacking the MAC address or jumping between MAC addresses. Temporarily disabling these security features can help you troubleshoot this.

      If hardware devices, have a look at the physical interface configuration and the switch configuration to make sure those are fine.

      If no luck, if you do a tcpdump on the B device, do you see traffic coming in at all? Any ARP requests? And when you ping the B device from the gateway, does the gateway get the MAC address from the B device / traffic group?


  • It's a vCMP guest running on a VIPRION 2200/2400 platform. We have masqueraded MACs and non-masqueraded MACs as well; both caused issues.

    FYI, the physical interfaces were OK.

    Also, I noticed stats were present on the VIPs on the B side, but the apps weren't accessible, so I suspect something was going to the A side as well?

    • AlexBCT

      Ah, good to know ;) Sounds like it is a bit more complex an environment than initially thought. I'd recommend raising a support ticket and going through a structured troubleshooting process to get to the bottom of it.