Hi the community,
We are stuck trying to solve connectivity issues with a WAN cluster architecture.
We have 2 SA2500, one in the US the other in Europe.
We want to build a cluster with synchronization via the internal WAN
There is a firewall in between with all ports opened for synchronization.
The result of the Cluster Troubleshooter tool shows :
- Ok for packet size from 64 to 2048
- "Error Reeading response from server at UDP port 4803, for packet size 64152"
- "Error Reeading response from server at UDP port 4804, for packet size 64152"
My questions are :
- What could block those packets ?
- What is the purpose for these large packets ? Are they specific to one type of synchronization that could be deactivated ?
Any help will be appreciated.
What is the purpose for these large packets ? Are they specific to one type of synchronization that could be deactivated ?
Answer: No, this can't be done.
What could block those packets ?
Answer: It's hard to say. One of the causes I have seen is a firewall or one of the intermediate devices not handling fragmented UDP packets. I would start with taking a tcpdump on both SAs and sniffers on a couple of intermediate devices like the firewall, etc., and then looking at what happened to the large UDP packets.
Thank you ruc.
As you say, with tcpdump on the firewall we clearly see that the firewall is waiting for the end of the submission from the sender IVE that stops after 20 packets, certainly waiting for an answer from the distant IVE?
So we are in a deadlock situation :
- The firewall waits for the end of the message to process and transmit;
- The IVE waits for something before sending the rest of the message
It seems that neither on the FW nor the IVE we can change this behaviour.
My questions are now:
- Will this definitely make it impossible to build the cluster?
- If the cluster can be set up, will it still as this behaviour is only linked to the test tool?
- You can set up the cluster and as long as synchronization will not need to send big packets it will work fine?
From the three choices above I feel #3 is the most likely outcome, however it's not guaranteed, as what if during setup the nodes need to exchange a huge blob of data, as during setup the main node will send its config to other nodes and the chances of sending huge packets are highest at setup time.
I'm still not convinced about the issue, as sending these UDP packets should work as long as the network between the two SA units can handle fragmented traffic. I would strongly recommend that you get to the bottom of this problem if you plan on using this WAN cluster deployment.
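Added example, not part of the thread or any vendor tool: a way to check a `tcpdump -v` capture for the situation discussed above, by working out how a 64152-byte UDP test packet fragments and reporting where a captured fragment train stops. It assumes a 1500-byte path MTU, IP headers without options and the `tcpdump -v` header-line layout; the IP id 1001 and the sample lines are constructed.

```python
import re

# tcpdump -v prints one IP header line per packet; fields used here:
# id, fragment offset (bytes), flags ([+] = more fragments), total length.
HDR = re.compile(r"id (\d+), offset (\d+), flags \[([^\]]*)\], proto UDP \(17\), length (\d+)")
IP_HDR = 20  # assumption: no IP options

def fragment_plan(udp_payload, mtu=1500):
    """(offset, ip_total_length, more_fragments) for each fragment of one datagram."""
    total = udp_payload + 8                 # the UDP header travels in fragment 0
    step = (mtu - IP_HDR) // 8 * 8          # fragment data must be a multiple of 8
    plan = []
    for off in range(0, total, step):
        size = min(step, total - off)
        plan.append((off, size + IP_HDR, off + size < total))
    return plan

def reassembly_status(lines):
    """Per IP id: fragments seen, whether reassembly can finish, first missing offset."""
    frags = {}
    for line in lines:
        m = HDR.search(line)
        if m:
            ip_id, off, flags, length = m.groups()
            frags.setdefault(int(ip_id), []).append(
                (int(off), int(length) - IP_HDR, "+" in flags))
    report = {}
    for ip_id, parts in frags.items():
        expected, complete = 0, False
        for off, size, more in sorted(parts):
            if off > expected:
                break                       # hole before this fragment
            expected = max(expected, off + size)
            complete = complete or not more # final fragment reached without a hole
        report[ip_id] = {"seen": len(parts), "complete": complete,
                         "first_gap": None if complete else expected}
    return report

def constructed_capture(count, ip_id=1001):
    """Constructed sample: the first `count` header lines of a 64152-byte datagram."""
    return ["IP (tos 0x0, ttl 64, id %d, offset %d, flags [%s], proto UDP (17), length %d)"
            % (ip_id, off, "+" if more else "none", length)
            for off, length, more in fragment_plan(64152)[:count]]

if __name__ == "__main__":
    print(len(fragment_plan(64152)), "fragments expected")
    print(reassembly_status(constructed_capture(20)))   # train that stops after 20 packets
```

Running the same check on captures from each side of the firewall shows which device stops seeing fragments first.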