List: bro
Subject: [Zeek] Sniffing on active/active firewalls
From: Łukasz_Biedka <regisu85 () gmail ! com>
Date: 2019-03-28 13:42:47
Message-ID: CAF2dO8+PrjkjuqJXx249XptWGYguPqnDeX8REpyYavFRUV=_fg () mail ! gmail ! com
Hello,
I have a cluster of two active/active firewall nodes. Each node of this
firewall is in a separate datacenter. Every node of this cluster has a Zeek
server that is sniffing traffic from it through a TAP. Each Zeek server works
as a separate node - they are not clustered together.
The problem is that I see a lot of "gaps" and percent_loss (from 30 to 70%) in
capture_loss.log.
broctl netstats also shows drops.
Someone told me that this may be a problem with this active/active cluster
and the way it works - both nodes of this firewall receive traffic
but only one of them sends responses back, based on its load etc.
As far as I know, capture_loss and broctl netstats stats are based on data
that they get from TCP sessions. So if I think correctly, if a Zeek server
sees only part of the TCP session then it will log loss and dropped packets.
Has anybody had a similar problem and have some tips on how to solve this?
Best regards,
Łukasz
_______________________________________________
Zeek mailing list
zeek@zeek.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
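Added example (not part of the original post and not Zeek project code): one way to test the asymmetric-traffic hypothesis raised in the message is to count, in each sensor's conn.log, the TCP connections for which packets were recorded in only one direction. The sample log is constructed and the function names are hypothetical; it assumes Zeek's default TSV log format with the proto, orig_pkts and resp_pkts fields.

```python
from collections import Counter

# Constructed sample in Zeek's TSV conn.log layout (values are illustrative only).
FIELDS = ["ts", "uid", "proto", "history", "orig_pkts", "resp_pkts", "missed_bytes"]
ROWS = [
    ["1553780000.1", "C1", "tcp", "ShADadFf", "12", "10", "0"],
    ["1553780001.2", "C2", "tcp", "SAD", "8", "0", "0"],        # originator side only
    ["1553780002.3", "C3", "tcp", "^hadf", "0", "9", "0"],      # responder side only
    ["1553780003.4", "C4", "tcp", "ShADadfF", "20", "18", "1448"],
    ["1553780004.5", "C5", "tcp", "DA", "5", "0", "0"],         # originator side only
    ["1553780005.6", "C6", "udp", "Dd", "1", "1", "0"],         # not TCP, ignored
]
SAMPLE = "#fields\t" + "\t".join(FIELDS) + "\n" + "\n".join("\t".join(r) for r in ROWS) + "\n"

def read_conn_log(text):
    """Yield one dict per record, using the '#fields' header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def direction(rec):
    """Classify a record by which endpoints Zeek counted packets from."""
    def pkts(name):
        value = rec.get(name, "-")          # Zeek writes '-' for unset fields
        return int(value) if value.isdigit() else 0
    orig, resp = pkts("orig_pkts"), pkts("resp_pkts")
    if orig and resp:
        return "both"
    return "orig_only" if orig else "resp_only" if resp else "none"

def summarize(text):
    """Share of TCP connections where only one direction was observed."""
    counts = Counter(direction(r) for r in read_conn_log(text) if r.get("proto") == "tcp")
    total = sum(counts.values())
    one_sided = counts["orig_only"] + counts["resp_only"]
    pct = round(100 * one_sided / total, 1) if total else 0.0
    return {"tcp_total": total, "one_sided": one_sided,
            "one_sided_pct": pct, "by_direction": dict(counts)}

if __name__ == "__main__":
    # Unanswered SYNs (e.g. scans) also count as orig_only, so compare the
    # percentage against a sensor that is known to see both directions.
    print(summarize(SAMPLE))
```

Running it against the conn.log from each of the two sensors separately shows whether the one-sided share is high on both, which is what the active/active explanation would predict.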