About JoergSchuetter

Did you add both fqdn's (portal and gateway) to the SAML config (on Microsoft)? ... View more

This might be due to how the DNS server itself provides the information. There are services which have dozen on IPs assigned to it. If one does a name resolution (nslookup on Windows, host on Linux) of mail.office365.com, the result will be different every 10 seconds or so. This permits the provider to distribute to load among the different servers. If the destination will be called using web protocols, using an URL instead of fqdn might solve the issue. If the application is something different, then you have to fetch all possible IPs and add them to the policy (or an object-group).   ... View more

The passive device does not respond to anything (besides on the mgn interface). That's due to moving the IP and MAC to the active node, the passive node has no IP on the "traffic" interfaces. If you have LLDP enabled, please verify that "Enable in HA Passive State" is ticked (Interfaces --> Ethernet --> your Interface --> Advanced --> [x] Enable LLDP -- [x] Enable in HA Passive State) ... View more

The file /etc/protocols on a Linux system has (among others) the following lines: esp 50 IPSEC-ESP # Encap Security Payload [RFC2406] ah 51 IPSEC-AH # Authentication Header [RFC2402] My experience is that ipsec-{esp,ah} matches ip protocols 50 and 51 ... View more