Fduranti,

This would clearly need a TCP Dump from your IVE which needs to be analyzed.

My suggestion to to open a JTAC ticket and provide the following:

1) TCP Dump on the failure session a file.

2) TCP Dump / Wireshark capture of a successful session of the same file used on the failure session.

(Internally withou the IVE)

3) Time stamp of both failure session and successful uploads.

If you can attach a failure session TCP Dump from the IVE to this thread (if allowed), I may be able to help you.

Thanks,

Hi Jacob, I'll try to get some information in the afternoon and to do some tcpdump collection. I've just done one tcpdump on the internal interface of the mag and there's no communication with the ip where the share resides(I've done a trace from when I click UPLOAD to the error, It's probably correct because I think the IVE will cache locally the file and then save it to the share).

You think that the problem is between IVE and the file share/web server ?

It seems something related to some kind of stange timeout. It happen only when connecting from Internet and passing through routers (it's not happening if connected directly to the Internet switch where routers and firewall are connected).

I have a demo SA6500 from our provider and just setted up with the same version 7.1R4.0 and the same share and it works correctly (it's configured exactly as the MAG 4600, with ip address on the same VLANs, the only difference is that the MAG4600 are 2 in HA cluster while the 6500 is a single appliance) .

I've opened a case yesterday (you need the case number?)

Thanks

Francesco

One more information. I was able to replicate the problem on the cluster also on internal network uploading a bigger file (470 MB). After some seconds the upload stopped with the same error so it seems that the problem is some kind of timeout involved.

I think there's something strange, today I've done some more tests and it seems that the clustered internal/external IP address is only working on one node (node1), failing over the IP they don't even answer to ping. I've also some virtual ip address on the internet side and they're correctly working also failing over the cluster.

Doing a test and trying to upload a file directly to the "active" and "passive" node bring this results:

active node: Transfer failing

passive node: Transfer successfull

So it seems there's something strange on the HA side.

The 2 nodes are connected to interface on 2 different switch.The 2 different switch are connected between them with a trunk of 2 cable if I remember well (VLAN are allowed on the trunk).

Internal interface are on a VLAN and external on another VLAN.

VLAN end on a checkpoint firewall doing the routing and NAT to internet.

Physical interface are always pingable/reachable and works.

External Virtual Ports are alway pingable (and work).

Virtual IP (internal and external) are only pingable when they are on node 1.

Anyone have a suggestion? I think there's something wrong but I cannot real understand what...

Any chance the Checkpoint is not updating up the Arp/MacAddr for the VIP when switching? So even when Node 2 is the active node, the checkpoint is still sending the traffic to Node 1, who ignores it since he's not the active device?

it seems that the firewall is not getting the MAC address at all... i get an (incomplete) on the arp table for the virtual ip after i switch the active node to node 2 but I don't know what this mean.

I suppose if the table was not updating correctly I should see the old MAC address in the ARP table of the firewall.

Just after I switch the node back I see the correct MAC address.

At the end we discoveder what seems to be the cause of the problem. It's not the Cluster or the active node.

Our MAG cluster is configured with it's cluster IP address and some virtual ports (associated to different certificates).

Users connect to those virtual ports for different services. One is used by normal user that log into the SA to upload files (and they have the described problem with upload). Another Virtual Ports is configured to "require" certificate authentication and we use it for a virtual host making Activesync proxy to our exchange.

It seems that this "requirement" for a certificate is influencing the way the other virtual port works. When we have the virtual port for activesync in those requiring a certificate the file upload fail. If we remove the virtual port so that it will not require a certificate everything works correctly, file can be uploaded and RDP works as

Anyone had problem with virtual port certificate required to log in into the SA interfering with other services?