Sniffing on active/active firewalls


I have a firewall cluster of two active/active nodes. Each node of this firewall is in a separate datacenter. Every node of this cluster has a Zeek server that sniffs traffic from it through a TAP. Each Zeek server works as a separate node - they are not clustered together.

The problem is that I see a lot of “gaps” and percent_loss (from 30 to 70%) in capture_loss.log.
broctl netstats also shows drops.

Someone told me that this may be a problem with this active/active cluster and the way it works - both nodes of this firewall receive traffic but only one of them sends responses back, based on its load etc.

As far as I know, capture_loss and broctl netstats stats are based on data that they get from TCP sessions. So, if I think correctly, if a Zeek server sees only part of a TCP session then it will log loss and dropped packets.

Has anybody had a similar problem and has some tips on how to solve this?

Best regards,
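
One way to check the one-sided-session hypothesis raised in the post, as an added example that is not part of the original post: count how many TCP connections in conn.log show packets from only one direction, using the `history` field (uppercase letters come from the originator, lowercase from the responder). It assumes the default TSV log format; the sample rows are constructed and the function names are illustrative.

```python
"""Classify TCP connections in a Zeek conn.log by which directions the sensor saw."""
import io

# Constructed sample in Zeek TSV layout (reduced field set, not real traffic).
SAMPLE = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tproto\thistory\tmissed_bytes",
    "1700000000.1\tC1\ttcp\tShADadFf\t0",      # both directions seen
    "1700000001.2\tC2\ttcp\tSADF\t0",          # originator side only
    "1700000002.3\tC3\ttcp\thadf\t0",          # responder side only
    "1700000003.4\tC4\ttcp\tShADadgFf\t1460",  # both, with a content gap
    "1700000004.5\tC5\tudp\tDd\t0",            # skipped: not TCP
    "1700000005.6\tC6\ttcp\t-\t0",             # no history recorded
]) + "\n"

def classify(history):
    """Return which directions appear in a conn.log history string."""
    orig = any(c.isalpha() and c.isupper() for c in history)
    resp = any(c.isalpha() and c.islower() for c in history)
    if orig and resp:
        return "both"
    if orig:
        return "orig_only"
    return "resp_only" if resp else "unknown"

def summarize(stream):
    """Count TCP connections per direction class, using the #fields header."""
    fields = None
    counts = {"both": 0, "orig_only": 0, "resp_only": 0, "unknown": 0}
    for line in stream:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split("\t")))
        if row.get("proto") == "tcp":
            counts[classify(row.get("history", "-"))] += 1
    return counts

def one_sided_ratio(counts):
    """Share of TCP connections with history where only one direction was seen."""
    seen = counts["both"] + counts["orig_only"] + counts["resp_only"]
    return (counts["orig_only"] + counts["resp_only"]) / seen if seen else 0.0

if __name__ == "__main__":
    c = summarize(io.StringIO(SAMPLE))
    print(c, f"one-sided: {one_sided_ratio(c):.0%}")
```

Unanswered connection attempts also count as originator-only, so the ratio is most telling when compared between the two sensors and against a link known to carry both directions.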