

FPolicy can only connect directly to a LIF but not an SVM

Stormont

We have two LIFs configured that we use for FPolicy traffic between our CDOT 9.6 cluster and various applications (STEALTHbits, Varonis, etc.) and we are unable to connect to the DNS entry that we have for the SVM (carebtp-svm.domain.com) and we can only connect directly to the DNS entry for the LIFs (carebtp-01-fpolicy.domain.com). Is that by design or is there a configuration issue on our end?


Does connecting directly to the LIF cause any issues with redundancy when we reboot a node? (The FPolicy LIFs are both configured in the same broadcast domain on the cluster.)

7 REPLIES

paul_stejskal

Do you have a LIF for both nodes for each SVM? What is the LIF used for which is the SVM LIF? Data or just management?


Need more details here.

Stormont

We have two SVMs (carebtp, which is the admin SVM, and carebtp-svm, which is the data SVM). There are two LIFs used for FPolicy connected to the carebtp-svm (one on Node 01 and one on Node 02) and those two LIFs are configured for data only.

paul_stejskal

Just guessing here, but the DNS entry probably only points to one of the two data LIFs. I'd try with two DNS entries.


Does it work with straight IP addresses? If so, then it's a DNS problem outside of NetApp I bet.

Stormont

There is one DNS entry that points to the IP of carebtp-01-fpolicy.domain.com and another DNS entry that points to the IP of carebtp-02-fpolicy.domain.com.


I guess the real question is: since carebtp-01-fpolicy (carebtp-01:e1d) and carebtp-02 (carebtp-02:e1d) are in the same failover group, will an application that is configured to connect to carebtp-01-fpolicy continue to receive FPolicy events if that node (and LIF) is rebooted? I believe the answer is yes, but wanted to confirm.

paul_stejskal

If there is no data LIF to connect to fpolicy, then no. If the LIF fails over say from node 1 to node 2 in a takeover, then a giveback is done but the LIF is never returned home, fpolicy will not connect for node 1. But it shouldn't matter since if that is the data LIF users access, the access would follow the LIF. If users access a different data LIF and it happens to fail back to node 1, then you won't have fpolicy.


Otherwise, if the data LIF is on the same node as the fpolicy LIF (or same LIF), it should work. Just expect a lot of unable to connect errors in the event logs.

Stormont

I think we will just have to test it and find out. We have two LIFs dedicated for FPolicy that are only accessed by the Varonis server and the STEALTHbits servers. There are different LIFs dedicated to user access which are on different nodes. If the FPolicy LIF fails over from node 1 to node 2 in a takeover, it will still respond to the carebtp-01-fpolicy DNS name even if it is now on node 2 and doesn't return home, correct?

paul_stejskal

Yes correct.
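The failure mode paul_stejskal describes (an FPolicy LIF that never reverted home after giveback, leaving a node with user-facing data LIFs but no FPolicy LIF to reach the external engine) can be spotted with a small check over `network interface show` output. The script below is an added example, not from the thread or from NetApp; the sample output is constructed, its column layout is an assumption, and it treats any LIF whose name contains "fpolicy" as an FPolicy LIF, following the naming convention used in this thread.

```python
# Constructed sample in the shape of
#   network interface show -vserver carebtp-svm -fields home-node,curr-node,is-home,failover-group
# The exact column layout is an assumption, not captured from a real cluster.
SAMPLE_OUTPUT = """\
vserver     lif                 home-node  curr-node  is-home failover-group
----------- ------------------- ---------- ---------- ------- --------------
carebtp-svm carebtp-01-fpolicy  carebtp-01 carebtp-02 false   fpolicy-fg
carebtp-svm carebtp-02-fpolicy  carebtp-02 carebtp-02 true    fpolicy-fg
carebtp-svm carebtp-01-data     carebtp-01 carebtp-01 true    data-fg
carebtp-svm carebtp-02-data     carebtp-02 carebtp-02 true    data-fg
"""


def parse_lifs(text):
    """Turn the tabular -fields output into a list of dicts keyed by column name."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("---")]
    header = lines[0].split()
    return [dict(zip(header, line.split())) for line in lines[1:]]


def fpolicy_coverage(rows, fpolicy_tag="fpolicy"):
    """Return (not_home, uncovered_nodes).

    not_home:        FPolicy LIFs currently hosted away from their home node
                     (candidates for `network interface revert`).
    uncovered_nodes: nodes that currently host a data LIF but no FPolicy LIF,
                     i.e. nodes whose file access would run without FPolicy
                     if the external engine cannot be reached from that node.
    """
    fpolicy = [r for r in rows if fpolicy_tag in r["lif"]]
    data = [r for r in rows if fpolicy_tag not in r["lif"]]
    not_home = [r["lif"] for r in fpolicy if r["is-home"] != "true"]
    nodes_with_fpolicy = {r["curr-node"] for r in fpolicy}
    uncovered = sorted({r["curr-node"] for r in data} - nodes_with_fpolicy)
    return not_home, uncovered


if __name__ == "__main__":
    away, uncovered = fpolicy_coverage(parse_lifs(SAMPLE_OUTPUT))
    for lif in away:
        print(f"FPolicy LIF {lif} is not on its home node")
    for node in uncovered:
        print(f"node {node} serves data LIFs but hosts no FPolicy LIF")
```

On a live cluster, paste the real command output in place of the constructed sample; a LIF reported away from home is returned with `network interface revert`, after which `vserver fpolicy engine-connect` can be used to re-establish the connection for that node.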
