We have two LIFs configured that we use for FPolicy traffic between our CDOT 9.6 cluster and various applications (STEALTHbits, Varonis, etc.) and we are unable to connect to the DNS entry that we have for the SVM (carebtp-svm.domain.com); we can only connect directly to the DNS entry for the LIFs (carebtp-01-fpolicy.domain.com). Is that by design or is there a configuration issue on our end?
Does connecting directly to the LIF cause any issues with redundancy when we reboot a node? (The FPolicy LIFs are both configured in the same broadcast domain on the cluster.)
We have two SVMs (carebtp which is the admin SVM and carebtp-svm which is the data SVM). There are two LIFs used for FPolicy connected to the carebtp-svm (one on Node 01 and one on Node 02) and those two LIFs are configured for data only.
There is one DNS entry that points to the IP of carebtp-01-fpolicy.domain.com and another DNS entry that points to the IP of carebtp-02-fpolicy.domain.com.
I guess the real question is: since carebtp-01-fpolicy (carebtp-01:e1d) and carebtp-02 (carebtp-02:e1d) are in the same failover group, will an application that is configured to connect to carebtp-01-fpolicy continue to receive FPolicy events if that node (and LIF) is rebooted? I believe the answer is yes, but wanted to confirm.
If there is no data LIF to connect to fpolicy, then no. If the LIF fails over, say, from node 1 to node 2 in a takeover, then a giveback is done but the LIF is never returned home, fpolicy will not connect for node 1. But it shouldn't matter, since if that is the data LIF users access, the access would follow the LIF. If users access a different data LIF and it happens to fail back to node 1, then you won't have fpolicy.
Otherwise, if the data LIF is on the same node as the fpolicy LIF (or same LIF), it should work. Just expect a lot of unable to connect errors in the event logs.
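The failure mode in the reply above (a LIF that moved to the partner node in a takeover and was never reverted home, leaving the original node with no LIF for FPolicy to connect through) is visible from the ONTAP CLI in `network interface show -vserver carebtp-svm -fields home-node,curr-node,is-home,failover-group` (and the per-node engine connection state in `vserver fpolicy show-engine`). The Python below is an added example, not part of this thread: it parses a constructed sample of that `-fields` output, flags LIFs that are off their home node, lists home nodes left with no LIF, and prints the `network interface revert` commands that would return them. The sample rows are constructed, and the tabular column layout is assumed to match what `-fields` prints.

```python
from dataclasses import dataclass

# Constructed sample of:
#   network interface show -vserver carebtp-svm -fields home-node,curr-node,is-home,failover-group
# after a takeover/giveback in which carebtp-01-fpolicy was never reverted home.
SAMPLE_OUTPUT = """\
vserver     lif                home-node  curr-node  is-home failover-group
----------- ------------------ ---------- ---------- ------- --------------
carebtp-svm carebtp-01-fpolicy carebtp-01 carebtp-02 false   fpolicy-fg
carebtp-svm carebtp-02-fpolicy carebtp-02 carebtp-02 true    fpolicy-fg
2 entries were displayed.
"""


@dataclass
class Lif:
    vserver: str
    name: str
    home_node: str
    curr_node: str
    is_home: bool
    failover_group: str


def parse_lifs(text: str) -> list[Lif]:
    """Parse tabular `-fields` output into Lif records.

    The first line is the header, the second the dashed separator; the
    trailing 'N entries were displayed.' footer and blank lines are skipped.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    lifs = []
    for line in lines[2:]:
        if "entries were displayed" in line or line.startswith("-"):
            continue
        cols = line.split()
        if len(cols) != len(header):
            continue  # not a data row (wrapped or truncated line)
        row = dict(zip(header, cols))
        lifs.append(Lif(
            vserver=row["vserver"],
            name=row["lif"],
            home_node=row["home-node"],
            curr_node=row["curr-node"],
            is_home=row["is-home"] == "true",
            failover_group=row["failover-group"],
        ))
    return lifs


def lifs_not_home(lifs: list[Lif]) -> list[Lif]:
    """LIFs currently hosted somewhere other than their home node."""
    return [lif for lif in lifs if not lif.is_home]


def nodes_without_lif(lifs: list[Lif]) -> list[str]:
    """Home nodes from the listing that currently host none of the listed LIFs.

    This is the situation the reply describes: after giveback the LIF stayed
    on the partner, so the node has no local LIF for FPolicy to connect through.
    """
    home_nodes = {lif.home_node for lif in lifs}
    current_nodes = {lif.curr_node for lif in lifs}
    return sorted(home_nodes - current_nodes)


def revert_commands(lifs: list[Lif]) -> list[str]:
    """The ONTAP commands that would send each displaced LIF back to its home node."""
    return [
        f"network interface revert -vserver {lif.vserver} -lif {lif.name}"
        for lif in lifs_not_home(lifs)
    ]


if __name__ == "__main__":
    parsed = parse_lifs(SAMPLE_OUTPUT)
    for lif in lifs_not_home(parsed):
        print(f"{lif.name}: home {lif.home_node}, currently on {lif.curr_node}")
    print("nodes with no local LIF:", nodes_without_lif(parsed))
    for cmd in revert_commands(parsed):
        print(cmd)
```

Run it against real output by replacing `SAMPLE_OUTPUT` with the pasted text of the `network interface show -fields` command; a non-empty result from `nodes_without_lif` after a giveback is the condition to correct (or to have `auto-revert` handle) before assuming FPolicy on that node is still delivering events.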
I think we will just have to test it and find out. We have two LIFs dedicated for FPolicy that are only accessed by the Varonis server and the STEALTHbits servers. There are different LIFs dedicated to user access which are on different nodes. If the FPolicy LIF fails over from node 1 to node 2 in a takeover, it will still respond to the carebtp-01-fpolicy DNS name even if it is now on node 2 and doesn't return home, correct?