The customer has multiple IP addresses and VLANs in their SVM; just one of them can reach the AD server and DNS. Clients use the other LIFs to connect to CIFS shares, but sometimes the CIFS connections drop.
My question is: are the other LIFs, which cannot reach AD and DNS, causing this problem or not? When I check the logs, it says this IP address (the other LIFs) cannot reach this DNS and address: secd.conn.auth.failure.
The current routing causes all the outgoing traffic from the NAS SVM on node "ntap_cluster_krt-01" to go via interface "svm_krt_nas_ad", and it can go via "svm_krt_nas_154".
All the other nodes cannot access the AD and DNS at the moment.
I suspect that node "Ntap9000-KRT-01" managed to initiate AD connectivity when LIF "svm_krt_dmz_lif3" was at home and up. Currently it's on a port and node that are not allowing it to be up. Maybe that's how you started to notice that something is funny, and if you revert it to home it will all start to "work" again. You can use the interface revert command if you'd like to try and fix it, but I can't take responsibility for this. Do it at your own risk.
For the actual config:
In a nutshell, you would need to rebuild everything around the network config (mainly to add stuff, but you may gain something from removing some as well).
I've started to look at each of your current use cases and routes, but they are just wrong: a workaround on top of a workaround... with effectively only one currently valid (and another one if you sort out #2 above).
So let me put some end goals for when you re-design it:
All nodes hosting LIFs that are used to access CIFS or other protocols that need NTP/DNS would need to have connectivity to AD, e.g. add more dedicated LIFs for AD, or just start using the NAS LIFs for it, to keep it scalable.
The AD sites and subnets need to be amended to include the filer subnet, or a preferred DC needs to be set via the "vserver cifs domain preferred-dc" command.
The routing needs a rebuild in a way that allows communication back without a dependency on fast-path. The way I see it, you would likely end up with:
A static route, or multiple ones, for the 192.168.0.0/16 range.
If adding new AD LIFs, static routes for the DNS and AD on 10.200.120.0/24 + 10.210.154.0/24 (with these set as preferred DCs).
A default route for the NAS LIFs to 10.210.224.1.
I don't have real visibility of the network, and some engagement with the network admins in the organization will be required; you would need to fully understand the client connectivity with them and make sure you route everything optimally.
All LIF failover groups need to be set correctly via a group or broadcast domains, so you don't end up with a LIF migrated to a port it can't live on.
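As an added illustration of the routing reasoning in the reply above (this is example code written for this thread, not ONTAP's own logic or anything posted by either participant), the script below models an SVM routing table with the destination prefixes and default gateway named in the reply, plus a small LIF inventory, and answers the question the reply keeps coming back to: for a given AD/DNS address, does each node currently host an up LIF that can use the matching route? The model assumes, as ONTAP does for static routes, that a route is only usable by a LIF whose own subnet contains the route's gateway. The per-subnet gateways, LIF addresses, node names other than "ntap_cluster_krt-01", and up/migrated states are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Lif:
    name: str
    address: str        # LIF address with prefix length, e.g. "10.210.154.10/24"
    home_node: str
    current_node: str   # differs from home_node when the LIF has migrated
    is_up: bool


# Routing table for the SVM in the reply's end-goal design.
# Destination prefixes and the 10.210.224.1 default gateway come from the reply;
# the gateways for the three static routes are constructed placeholders.
ROUTES = [
    ("192.168.0.0/16", "10.210.154.1"),
    ("10.200.120.0/24", "10.200.120.1"),
    ("10.210.154.0/24", "10.210.154.1"),
    ("0.0.0.0/0", "10.210.224.1"),          # default route for the NAS LIFs
]

# Constructed LIF inventory. LIF names are the ones mentioned in the thread;
# addresses, the second node name and the migrated/down state are assumptions.
LIFS = [
    Lif("svm_krt_nas_ad", "10.200.120.10/24", "ntap_cluster_krt-01", "ntap_cluster_krt-01", True),
    Lif("svm_krt_nas_154", "10.210.154.10/24", "ntap_cluster_krt-01", "ntap_cluster_krt-01", True),
    # migrated to a port on another node where it cannot come up, as the reply suspects
    Lif("svm_krt_dmz_lif3", "10.210.154.11/24", "ntap_cluster_krt-01", "ntap_cluster_krt-02", False),
    Lif("svm_krt_nas_lif2", "10.210.224.10/24", "ntap_cluster_krt-02", "ntap_cluster_krt-02", True),
]


def select_route(dst):
    """Longest-prefix match over ROUTES; returns (network, gateway) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ipaddress.ip_address(gw))
    return best


def egress_lif(node, dst):
    """Name of the LIF on `node` that can carry traffic to `dst`, or None.

    The LIF must be up, must currently sit on that node, and its subnet must
    contain the gateway of the selected route (assumed on-link requirement).
    """
    route = select_route(dst)
    if route is None:
        return None
    _, gw = route
    for lif in LIFS:
        if lif.current_node != node or not lif.is_up:
            continue
        if gw in ipaddress.ip_interface(lif.address).network:
            return lif.name
    return None


def nodes_without_path(dst, nodes):
    """Nodes that have no usable LIF towards `dst` (e.g. a DC or DNS server)."""
    return [n for n in nodes if egress_lif(n, dst) is None]


if __name__ == "__main__":
    nodes = ["ntap_cluster_krt-01", "ntap_cluster_krt-02"]
    for target in ("10.200.120.5", "192.168.5.5", "10.210.224.50"):
        for n in nodes:
            print(f"{target:<15} {n:<22} -> {egress_lif(n, target)}")
        print("no path:", nodes_without_path(target, nodes))
```

Running it shows the asymmetry the reply describes: only "ntap_cluster_krt-01" has a LIF that can use the AD/DNS static routes, while the second node can only reach destinations that fall through to the default route. The same check is what "vserver cifs domain preferred-dc" and a correct failover group are meant to make irrelevant: either every node gets a LIF on a subnet that can reach a DC, or the LIFs are prevented from landing where they cannot come up.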
"All nodes hosting LIFs that are used to access CIFS or other protocols that need NTP/DNS would need to have connectivity to AD, e.g. add more dedicated LIFs for AD, or just start using the NAS LIFs for it, to keep it scalable.."
If a client LIF cannot connect to AD or DNS, does it try only the home node's other LIFs to connect to AD or DNS?