Spoofing alerts coming from InterCluster LIFs
Applies to
- ONTAP 9
- Firewall alerts
Issue
- The following errors are reported from unknown IP addresses:
[Node_A1: kernel: csm.connectionFailed:debug]: CSM failed to create a connection: localBladeUUID = xxxxx:dblade, remoteBladeUUID = xxxxxx:dblade, uniquifier = 0e05e9bf38812f41, transportType = CT,localVifId = 1026, remoteVifIP = xx.xx.xx.xx, CsmError = CSM_CONNTIMEOUT, ctLoError = CTLOPCP_ERR_UNKNOWN, socketError = 60, and TLSerror = 0.
- cluster peer ping shows unreachable addresses:
Example:
::> cluster peer ping -originating-node xxxx -destination-cluster xxxx
Node: xxxxx Destination Cluster: xxx
Destination Node IP Address       Count TTL  RTT(ms) Status
---------------- ---------------- ----- ---- ------- -------------------------
Node_B1          <Known IP>       1     64   33.774  interface_reachable
Node_B1          <Unknown IP>     1     -    -       unreachable
Node_B2          <Known IP>       1     64   33.807  interface_reachable
Node_B2          <Unknown IP>     1     -    -       unreachable
- cluster peer show -instance displays unused/unknown IP addresses:
Example:
::> cluster peer show -cluster Node_B
Peer Cluster Name: Node_B
Remote Intercluster Addresses: 10.61.66.52, 10.61.66.53
Availability of the Remote Cluster: Available
Remote Cluster Name: Cluster_B
Active IP Addresses: 10.61.66.53, 10.61.66.52, 1.1.1.1, 1.2.2.2
Cluster Serial Number: 1-80-000012
Remote Cluster Nodes: Node_B1, Node_B2
- An external firewall can detect this traffic and log it as "Spoof logs".
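
The comparison visible in the cluster peer show example above (Active IP Addresses versus Remote Intercluster Addresses) can be scripted when reviewing many peers. This Python sketch is an added example, not NetApp code; it assumes the command output has been saved as text in the "Field: value" layout shown above, treats any active address missing from the configured intercluster list as the unknown address the article refers to, and uses hypothetical function names.

```python
import ipaddress

# Constructed sample: the `cluster peer show` output quoted in this article.
SAMPLE = """\
::> cluster peer show -cluster Node_B
Peer Cluster Name: Node_B
Remote Intercluster Addresses: 10.61.66.52, 10.61.66.53
Availability of the Remote Cluster: Available
Remote Cluster Name: Cluster_B
Active IP Addresses: 10.61.66.53, 10.61.66.52, 1.1.1.1, 1.2.2.2
Cluster Serial Number: 1-80-000012
Remote Cluster Nodes: Node_B1, Node_B2
"""

def parse_peer_records(text):
    """Split 'Field: value' output into one dict per peer cluster."""
    records, current = [], {}
    for line in text.splitlines():
        # Split on the first colon only, so IPv6 values stay intact.
        key, sep, value = line.partition(":")
        key = key.strip()
        if not sep or not key:        # skips blank lines and the '::>' prompt
            continue
        if key == "Peer Cluster Name" and current:
            records.append(current)   # a new peer record starts here
            current = {}
        current[key] = value.strip()
    if current:
        records.append(current)
    return records

def _addresses(value):
    """Parse a comma-separated address list, ignoring '-' and blanks."""
    items = (item.strip() for item in value.split(","))
    return {ipaddress.ip_address(i) for i in items if i and i != "-"}

def unexpected_active_addresses(text):
    """Map peer name -> active addresses absent from the configured list."""
    findings = {}
    for rec in parse_peer_records(text):
        configured = _addresses(rec.get("Remote Intercluster Addresses", ""))
        active = _addresses(rec.get("Active IP Addresses", ""))
        extra = sorted(active - configured, key=lambda a: (a.version, int(a)))
        if extra:
            findings[rec.get("Peer Cluster Name", "?")] = [str(a) for a in extra]
    return findings

if __name__ == "__main__":
    for peer, addrs in unexpected_active_addresses(SAMPLE).items():
        print(f"{peer}: active but not configured: {', '.join(addrs)}")
```

The addresses it reports are the ones to match against the source or destination fields of the firewall's spoof log entries.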