CIFS shares not accessible when client is in same subnet as one of the data lif in vserver
Applies to
- ONTAP 9
- CIFS
- Asymmetric routing
Issue
- As Ontap already have data lif with same subnet as client is, it is using the same subnet lif to respond back to client even though request landed on different lif on Ontap.
- Because the firewall is dropping the response packet as it has different mac than the request packet, client is not getting response and CIFS share are inaccesible.
For example:
- Consider that there are two lifs on vserver as below:
cdot_vsim_9_8::> net int show -vserver vs1
(network interface show)
Logical Status Network Current Current Is
Vserver Interface Admin/Oper Address/Mask Node Port Home
----------- ---------- ---------- ------------------ ------------- ------- ----
vs1
lif1 up/up 10.80.70.150/24 node1
e0c true
lif2 up/up 10.80.96.11/24 node1
e0c true
- Client_A IP is "
10.80.70.92/24" is in same subnet as "lif1" is as shown above. - Now, if client_A send request on "lif2", Ontap will response back using "lif1".
- This is called asymmetric routing and behaviour is explained in article.
- Because the response is dropped in the firewall, client will not see response and CIFS shares will be inaccessible.
NOTE: To check which lif Ontap is using to respond, please capture packet traces.