topic Re: new interface cluster vip not working in Firewall and Security Management

new interface cluster vip not working

cpmatesuser2020 — Tue, 19 Jan 2021 18:01:36 GMT

r80.40

new vlan interface on both fw

working with 2 physical fw + virtual mgmt appliance

each fw is working fine on it's own

fw 1 : 1.1.1.2

fw 2 : 1.1.1.3

vip 1.1.1.1

so if i set a vm with dgw of 1.1.1.2 or 3, it's working as expected per my policy

but if i set 1.1.1.1, not responding

what am i missing here? i can see the vip at the mgmt console

thank you

Re: new interface cluster vip not working

Vladimir — Tue, 19 Jan 2021 18:36:02 GMT

Without diving deeper into troubleshooting and if you are showing actual IPs used in your configuration, consider the possibility that the OS where you are defining 1.1.1.1 as a dgw may be aware of it as a dedicated secure DNS service IP from Clodflare.

If that is the case, there may be issues declaring it a routing hop.

Re: new interface cluster vip not working

cpmatesuser2020 — Tue, 19 Jan 2021 18:44:40 GMT

the 1.1.1.1 is for the example, it's actually another one

maybe it's because i haven't did "get interfaces" at the cluster mgmt?

i only did it on the firewalls

when i do that on the cluster vip mgmt, i get a message warning me about changes in topology

Re: new interface cluster vip not working

Vladimir — Tue, 19 Jan 2021 18:47:41 GMT

Yeah, that would do it.

I would suggest NOT doing "Get Interfaces with topology", if it is a production environment.

Instead, open the network properties of the cluster and manually define new Cluster interface equivalent to 1.1.1.1 with 1.1.1.2 and 1.1.1.3 as members.

Then publish changes and install policy.