Due to the TSM Policy-based Routing, the Slave Firewall Cannot be Pinged Through From the Management Terminal

Publication Date:  2012-07-17 Views:  125 Downloads:  0
Issue Description
The following network diagram shows a standard TSM dual system off-line deployment. The symptom described as follows is discovered during a simulation test.
All traffic is directed to the master firewall FW1 based on policy-based routing on the switch SW1. If the core switch SW1 is down, switch SW2 takes over the work of SW1. Because both firewalls have ports in the down state, the master/slave firewall switchover is not performed. A PC at the access layer sends ping packets to communicate with the slave firewall. In this case, tracert packets are through, but only the first one or two ping packets are through. Every time the session table on the firewall is reset, ping packets are through for a while, but becomes not through soon.
Alarm Information
Handling Process
You do not need to ping the slave firewall. The master and slave firewalls communicate with the server if policy-based routing does not direct server traffic.
Root Cause
Packets are discarded after they go through both firewalls that implement dual-system hot backup. This occurs at the management address of the TSM dual-system off-line deployment, interrupting the communication between the slave firewall and the server.
Cause: After SW1 is down, ping packets reach SW2 first, and then go to FW1 due to policy-based routing. Then they go back to SW2, and finally go to FW2. That is, one packet goes through both the master and slave firewalls. Because the two firewalls perform session table synchronization, this packet will be discard. Every time the session table is cleared, the ping packets are through for a while. After the two firewalls performs session table synchronization, ping packets are discarded again.
When you encounter the problem that traffic goes through both the master and slave firewalls, check the traffic import configuration.
If you fail to directly log in to the slave firewall, log in to the slave firewall from the master firewall. (The slave firewall can definitely be logged in after a master/slave switchover.)