ONTAP Discussions

FPolicy can only connect directly to a LIF but not an SVM

Stormont

We have two LIFs configured that we use for FPolicy traffic between our CDOT 9.6 cluster and various applications (STEALTHbits, Varonis, etc.) and we are unable to connect to the DNS entry that we have for the SVM (carebtp-svm.domain.com) and we can only connect directly to the DNS entry for the LIFs (carebtp-01-fpolicy.domain.com). Is that by design or is there a configuration issue on our end?

 

Does connecting directly to the LIF cause any issues with redundancy when we reboot a node? (The FPolicy LIFs are both configured in the same broadcast domain on the cluster.)


paul_stejskal

Do you have a LIF for both nodes for each SVM? What is the LIF used for which is the SVM LIF? Data or just management?

 

Need more details here.

Stormont

We have two SVMs (carebtp, which is the admin SVM, and carebtp-svm, which is the data SVM). There are two LIFs used for FPolicy connected to carebtp-svm (one on Node 01 and one on Node 02) and those two LIFs are configured for data only.

paul_stejskal

Just guessing here, but the DNS entry probably only points to one of the two data LIFs. I'd try with two DNS entries.

 

Does it work with straight IP addresses? If so, then it's a DNS problem outside of NetApp I bet.

Stormont

There is one DNS entry that points to the IP of carebtp-01-fpolicy.domain.com and another DNS entry that points to the IP of carebtp-02-fpolicy.domain.com.

 

I guess the real question is: since carebtp-01-fpolicy (carebtp-01:e1d) and carebtp-02-fpolicy (carebtp-02:e1d) are in the same failover group, will an application that is configured to connect to carebtp-01-fpolicy continue to receive FPolicy events if that node (and LIF) is rebooted? I believe the answer is yes, but wanted to confirm.

paul_stejskal

If there is no data LIF to connect to FPolicy, then no. If the LIF fails over, say from node 1 to node 2 in a takeover, and then a giveback is done but the LIF is never returned home, FPolicy will not connect for node 1. But it shouldn't matter, since if that is the data LIF users access, the access would follow the LIF. If users access a different data LIF and it happens to fail back to node 1, then you won't have FPolicy.

 

Otherwise, if the data LIF is on the same node as the FPolicy LIF (or is the same LIF), it should work. Just expect a lot of "unable to connect" errors in the event logs.
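The failure mode paul_stejskal describes (a takeover followed by a giveback that leaves the FPolicy LIF on the partner node, so the node serving users has no path to the external engine) is easy to reason about wrongly. The following is an added example, not NetApp code and not from anyone in this thread: a small model that tracks which node each LIF currently lives on, applies a takeover and a giveback with and without auto-revert, and reports which nodes are serving clients without any LIF that can reach the FPolicy servers. The node names, addresses and the "cifs" LIF names are constructed assumptions; the only thread facts it uses are the two FPolicy LIF names and that the user-facing LIFs are separate from the FPolicy LIFs. It also shows why the DNS question is moot for failover: the address is a property of the LIF, not of the node, so carebtp-01-fpolicy keeps answering on the same IP wherever it lands.

```python
from dataclasses import dataclass


@dataclass
class Lif:
    name: str
    address: str          # travels with the LIF on failover, so the DNS A record stays valid
    home_node: str
    current_node: str
    auto_revert: bool     # whether giveback returns the LIF to its home node
    reaches_engine: bool  # True for LIFs on the network the FPolicy servers live on
    serves_clients: bool  # True for LIFs users mount shares through


def build_thread_svm(fpolicy_auto_revert: bool) -> list:
    """Constructed layout mirroring the thread: one FPolicy LIF and one user LIF
    per node. Node names, addresses and the cifs LIF names are assumptions."""
    return [
        Lif("carebtp-01-fpolicy", "10.0.1.11", "carebtp-01", "carebtp-01",
            fpolicy_auto_revert, reaches_engine=True, serves_clients=False),
        Lif("carebtp-02-fpolicy", "10.0.1.12", "carebtp-02", "carebtp-02",
            fpolicy_auto_revert, reaches_engine=True, serves_clients=False),
        Lif("carebtp-01-cifs", "10.0.2.11", "carebtp-01", "carebtp-01",
            True, reaches_engine=False, serves_clients=True),
        Lif("carebtp-02-cifs", "10.0.2.12", "carebtp-02", "carebtp-02",
            True, reaches_engine=False, serves_clients=True),
    ]


def takeover(lifs, failed_node, partner):
    """Storage takeover: every LIF currently on the failed node migrates to the partner."""
    for lif in lifs:
        if lif.current_node == failed_node:
            lif.current_node = partner


def giveback(lifs, node):
    """Giveback returns the aggregates, but a LIF only comes home if auto-revert is on."""
    for lif in lifs:
        if lif.home_node == node and lif.current_node != node and lif.auto_revert:
            lif.current_node = node


def resolve(lifs, name):
    """The address the DNS record for a LIF name should carry; unchanged by failover."""
    return next(lif.address for lif in lifs if lif.name == name)


def nodes_without_fpolicy(lifs):
    """Nodes that are serving user traffic but host no LIF able to reach the engine.
    The FPolicy connection for a node's traffic is made from that node, so these
    are the nodes whose file events would go unreported."""
    serving = {lif.current_node for lif in lifs if lif.serves_clients}
    reaching = {lif.current_node for lif in lifs if lif.reaches_engine}
    return serving - reaching


if __name__ == "__main__":
    for auto_revert in (False, True):
        lifs = build_thread_svm(fpolicy_auto_revert=auto_revert)
        takeover(lifs, "carebtp-01", "carebtp-02")
        print("after takeover, carebtp-01-fpolicy still at",
              resolve(lifs, "carebtp-01-fpolicy"),
              "uncovered:", nodes_without_fpolicy(lifs))
        giveback(lifs, "carebtp-01")
        print(f"after giveback (auto-revert={auto_revert}) uncovered:",
              nodes_without_fpolicy(lifs))
```

With auto-revert off on the FPolicy LIFs, the user LIF comes home to carebtp-01 on giveback while carebtp-01-fpolicy stays on carebtp-02, and the model reports carebtp-01 as uncovered, which is exactly the case described above. With auto-revert on, both LIFs return together and nothing is uncovered. In a real cluster the property to check is the LIF's auto-revert setting and where it is currently homed, not the DNS name the application was given.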

Stormont

I think we will just have to test it and find out. We have two LIFs dedicated to FPolicy that are only accessed by the Varonis server and the STEALTHbits servers. There are different LIFs dedicated to user access which are on different nodes. If the FPolicy LIF fails over from node 1 to node 2 in a takeover, it will still respond to the carebtp-01-fpolicy DNS name even if it is now on node 2 and doesn't return home, correct?

paul_stejskal

Yes, correct.
