KB45363 - Router sends incoming traffic to a wrong Traffic Manager

Last Modified Date: 8/5/2022 10:07 AM
Synopsis
Problem or Goal
With PulseSecure Virtual Traffic Manager (vTM), when regular Traffic IP (TIP) Groups are used (i.e. not RHI), a very rare but serious failure is possible. It manifests as follows:

- A redundancy event (TIP failover) happened recently;

- According to the vTM (both web UI and CLI), the TIP in question is hosted on one vTM, let's call it A;

- According to the subnet router, the TIP in question is hosted on the other vTM, let's call it B;

- No user traffic is serviced (complete outage).
Cause
During a TIP failover, the vTM that is taking over the TIP (vTM A in our example) sends a pre-determined number of ARP packets as broadcast, so that every other host on that subnet (including the router) knows to send traffic to vTM A from now on.

However, depending on the router's configuration (ARP rate limits or ARP filters), the router can drop those packets and keep treating the TIP as hosted on vTM B, as was genuinely the case before the failover.
Solution
The immediate workaround is for the administrator to force a TIP failover, using the "Passive" option of the problematic TIP(s), possibly multiple times, while watching the router's ARP table, until it matches the vTM cluster status.

The long-term solution is to evaluate the router's configuration to make sure no ARP rate-limiting/filtering is done in the vTM's segment.
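
The comparison described in the workaround (router ARP table versus vTM cluster status) can be scripted. The following is an added example, not part of the original article or of any vTM tooling: it parses pasted router ARP output and flags TIPs whose router entry points at the wrong vTM. The sample table, IP addresses, MAC addresses and function names are constructed, and it assumes the router learns the hosting vTM's interface MAC for each TIP.

```python
import re

# An IPv4 address, then later on the same line a MAC in colon, dash or dotted form.
_IP = r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])"
_MAC = r"((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4})"
_ENTRY = re.compile(_IP + r".*?" + _MAC)

# Constructed sample of a router ARP table (not captured from a real device).
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.10              12  0050.56aa.0002  ARPA   Vlan10
Internet  192.0.2.11               0  0050.56aa.0001  ARPA   Vlan10
"""
# Constructed cluster view: TIP -> (vTM that the cluster says hosts it, that vTM's MAC).
EXPECTED = {
    "192.0.2.10": ("vTM-A", "00:50:56:aa:00:01"),
    "192.0.2.11": ("vTM-A", "00:50:56:AA:00:01"),
    "192.0.2.12": ("vTM-B", "00:50:56:aa:00:02"),
}

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_arp_table(text):
    """Return {ip: normalized_mac} for every line that holds an IP and a MAC."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table

def check_tips(arp_text, expected):
    """Return {tip: 'ok' | 'stale' | 'missing'} by comparing router and cluster views."""
    table = parse_arp_table(arp_text)
    result = {}
    for tip, (_vtm, mac) in expected.items():
        seen = table.get(tip)
        if seen is None:
            result[tip] = "missing"   # router has no entry for this TIP at all
        else:
            # 'stale' means the router still maps the TIP to another host's MAC
            result[tip] = "ok" if seen == normalize_mac(mac) else "stale"
    return result

if __name__ == "__main__":
    for tip, status in check_tips(SAMPLE_ARP, EXPECTED).items():
        print(f"{tip} (cluster says {EXPECTED[tip][0]}): {status}")
```

A "stale" result corresponds to the failure described above: the cluster reports the TIP on one vTM while the router still forwards to the other.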
Created By: Andy Chernyak
