Forum Discussion
Hi All,
I would like to share the details of our recent troubleshooting with the CATO Support team. We observed the following behavior:
- On the CATO POP side, the service is responding to all ingress requests. However, it appears that the POP is unable to consistently decide the correct return path for packets.
- Due to this, we are experiencing 30–40% packet drops across both links, along with frequent tunnel flapping.
- On our firewall end, continuous pings to external resources (e.g., Google DNS) and other IPsec tunnels show no packet loss. The issue only occurs when traffic is routed through the CATO IPsec tunnels in Active-Active mode.
- We have applied the Network Rule configuration as recommended by the CATO team, but the issue still persists.
- Interestingly, when configured in Active-Passive mode, the tunnels stabilize with no packet drops observed, and traffic flows without issue.
At this point, it seems to be a limitation or unexpected behavior in how CATO handles path selection in Active-Active deployments.