I have a 2 node MAG2600 active/passive cluster. I recently noticed that when a failover occurs user can still connect via network connect but cannot access anything within the internal network. After the VIP has been failed back to the primary everything functions as normal.
The cluster is connected to a juniper SRX and I have adjusted the firewall rules for the VIP address and as far as I can tell it is configured correctly. Has anyone expirenced this and have any recommendations on how to resolve it?
Solved! Go to Solution.
>> I have adjusted the firewall rules for the VIP address
The VIP address is used to recieve user requests. It is not used to communicate to backend or to source traffic that is sent to backend. Is the firewall configured to allow comms from NC IP pools of both nodes AND physical internal interface of both nodes? If yes then next steps would be to do a traceroute from client PC where NC is running to an internal resource and a tcpdump from MAG's internal interface to see where the packets are dropped?
Check your routes on the SRX, it sounds like your are pointing your NC pool to the physical interface of the 01 appliance rather than the VIP.
Thank you for the responses. After i double checked my routes on the core router I found a static route that was pointing to a single node in my cluster. Once that was changed to the VIP address the failover began functioning as expected.