[Zeek] Sniffing on active/active firewalls

Łukasz Biedka regisu85 at gmail.com
Thu Mar 28 06:42:47 PDT 2019


Hello,

I have a cluster of two active/active nodes of firewall. Each node of this
firewall is in a separate datacenter. Every node of this cluster has a Zeek
server that is sniffing traffic from it through a TAP. Each Zeek server works
as a separate node - they are not clustered together.

The problem is that I see a lot of "gaps" and percent_loss (from 30 to 70%) in
capture_loss.log.
broctl netstats also shows drops.
Someone told me that this may be a problem with this active/active cluster
and the way it works - both nodes of this firewall receive traffic
but only one of them sends responses back based on its load etc.
As far as I know, capture_loss and broctl netstats stats are based on data
that they get from TCP sessions. So if I think correctly, if a Zeek server
sees only part of the TCP session then it will log loss and dropped packets.

Has anybody had a similar problem and have some tips on how to solve this?

Best regards,
Łukasz
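The effect described in the post (a sensor that sees only one direction of a TCP session reports gaps) can be reproduced with a small model. This is an added example, not code from the original post or from Zeek; it is a simplified, byte-based approximation of content-gap accounting, not Zeek's actual implementation, and the packet lists are constructed sample data.

```python
"""Simplified model of TCP content-gap detection under asymmetric visibility.

Assumption (not Zeek's real algorithm): a sensor tracks the highest payload
byte it observed per direction; when the peer acknowledges beyond that point,
the difference is data that existed on the wire but never reached the sensor.
"""
from dataclasses import dataclass


@dataclass
class Pkt:
    direction: str   # "c2s" (client to server) or "s2c" (server to client)
    seq: int         # relative number of the first payload byte
    length: int      # payload bytes carried by this packet
    ack: int         # relative number of bytes acknowledged from the peer


def detect_gaps(packets):
    """Return (bytes_acked, bytes_unseen) summed over both directions."""
    opposite = {"c2s": "s2c", "s2c": "c2s"}
    seen_end = {"c2s": 0, "s2c": 0}   # highest observed seq+len per direction
    acked = {"c2s": 0, "s2c": 0}      # highest ack seen for each direction
    unseen = 0
    for p in packets:
        seen_end[p.direction] = max(seen_end[p.direction], p.seq + p.length)
        peer = opposite[p.direction]
        if p.ack > acked[peer]:
            # Bytes acked beyond anything we captured (and not already counted)
            if p.ack > seen_end[peer]:
                unseen += p.ack - max(seen_end[peer], acked[peer])
            acked[peer] = p.ack
    return sum(acked.values()), unseen


def percent_loss(packets):
    """Gap bytes as a percentage of acknowledged bytes, like a percent_loss column."""
    acked, unseen = detect_gaps(packets)
    return round(100.0 * unseen / acked, 1) if acked else 0.0


# Constructed sample: full session visible (both directions pass the TAP).
SYMMETRIC = [Pkt("c2s", 0, 100, 0), Pkt("s2c", 0, 200, 100), Pkt("c2s", 100, 0, 200)]

# Constructed sample: only the client side traverses this firewall node, so the
# server's 200 reply bytes are never seen but the client still acknowledges them.
ASYMMETRIC = [Pkt("c2s", 0, 100, 0), Pkt("c2s", 100, 0, 200)]

# Constructed sample: half of the server's reply crossed the other node.
PARTIAL = [Pkt("c2s", 0, 100, 0), Pkt("s2c", 0, 100, 100), Pkt("c2s", 100, 0, 200)]

if __name__ == "__main__":
    for name, pkts in [("symmetric", SYMMETRIC), ("asymmetric", ASYMMETRIC), ("partial", PARTIAL)]:
        print(f"{name}: percent_loss={percent_loss(pkts)}")
```

Feeding the two halves of the same sessions to one sensor (for example by aggregating both TAPs into one Zeek node) makes the modelled gaps disappear, which is the check to run before treating the numbers as real packet drops.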