[Zeek] Sniffing on active/active firewalls
Łukasz Biedka
regisu85 at gmail.com
Thu Mar 28 06:42:47 PDT 2019
Hello,
I have a cluster of two active/active firewall nodes. Each node of this
firewall is in a separate datacenter. Every node of this cluster has a Zeek
server that is sniffing traffic from it through a TAP. Each Zeek server works
as a separate node - they are not clustered together.

The problem is that I see a lot of "gaps" and percent_loss (from 30 to 70%) in
capture_loss.log.
broctl netstats also shows drops.

Someone told me that this may be a problem with this active/active cluster
and the method how it works - both nodes of this firewall receive traffic,
but only one of them sends responses back based on its load etc.

As far as I know, capture_loss and broctl netstats stats are based on data
that they get from TCP sessions. So, if I think correctly, if a Zeek server
sees only part of the TCP session then it will log loss and dropped packets.

Has anybody had a similar problem and does anyone have some tips on how to solve this?
Best regards,
Łukasz
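The following is an added illustration of the effect described in the post, not code from the poster or from Zeek itself: it models the documented meaning of the acks/gaps/percent_loss columns in capture_loss.log (percent_loss is the share of ACKs whose acknowledged data the sensor never saw) on two constructed packet sequences, one with full visibility and one where a sensor sees only the client side of a connection answered by the other node. The `Segment` type, `gap_stats` function and relative sequence numbering are assumptions made for the example.

```python
"""Why a sensor that sees only one side of a TCP session reports capture loss.

Constructed example approximating the semantics of Zeek's capture_loss.log:
acks  = ACKs seen, gaps = ACKs acknowledging data the sensor never observed,
percent_loss = gaps / acks * 100. This is not Zeek's own implementation."""

from dataclasses import dataclass


@dataclass
class Segment:
    src: str      # "client" or "server"
    seq: int      # relative sequence number of first payload byte (1 = first byte after handshake)
    length: int   # payload bytes carried (0 for a pure ACK)
    ack: int      # relative acknowledgement number (next byte expected from the peer)


def gap_stats(segments):
    """Return (acks, gaps, percent_loss) for the segments this sensor observed."""
    # Highest payload byte (exclusive) observed from each side; 1 = nothing yet.
    seen_end = {"client": 1, "server": 1}
    acks = gaps = 0
    for s in segments:
        if s.length:
            seen_end[s.src] = max(seen_end[s.src], s.seq + s.length)
        peer = "server" if s.src == "client" else "client"
        acks += 1
        # Acknowledging bytes the sensor never saw from the peer is a content gap:
        # the peer's data exists but did not pass this TAP.
        if s.ack > seen_end[peer]:
            gaps += 1
    return acks, gaps, (100.0 * gaps / acks if acks else 0.0)


# Constructed capture: both directions pass the sensor (e.g. a single node answers
# and the TAP sits on that node). No gap: every ACK matches data that was seen.
SYMMETRIC = [
    Segment("client", seq=1, length=100, ack=1),     # request
    Segment("server", seq=1, length=500, ack=101),   # response
    Segment("client", seq=101, length=0, ack=501),   # client ACKs the response
]

# Constructed capture: the other active/active node sent the 500-byte response,
# so this sensor sees only the client side and its ACKs point past what was seen.
ASYMMETRIC = [
    Segment("client", seq=1, length=100, ack=1),
    Segment("client", seq=101, length=0, ack=501),   # ACK for data never seen here
    Segment("client", seq=101, length=50, ack=501),  # still acking unseen data
]

if __name__ == "__main__":
    for name, capture in (("symmetric", SYMMETRIC), ("asymmetric", ASYMMETRIC)):
        acks, gaps, pct = gap_stats(capture)
        print(f"{name}: acks={acks} gaps={gaps} percent_loss={pct:.1f}")
```

The asymmetric case yields 66.7% percent_loss with no packet actually dropped by the sensor, which is the same picture the post describes and a reason to correlate the metric with the TAP placement before treating it as sniffer loss.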