topic Re: Vip ip issue in Firewall and Security Management

Vip ip issue

AA_GSOC — Wed, 29 Aug 2018 20:39:29 GMT

Hi all we have cluster deplyment in our environment , but some how one firewall is down and single firewall is working, we have one interface configured with 10.1.1.1 vip, when we confgure a server in same subnet 10.1.1.100 and we are using vip ip as aerver gateway server is unavailable. If we change the gateway with physical ip its started working even we check the maç address on switch virtual and physical ip having same mac address. Can some one look into this and give us solution?

Re: Vip ip issue

PhoneBoy — Wed, 29 Aug 2018 23:21:39 GMT

Where I would start is to see if your client has an ARP entry for your VIP when you try to ping or otherwise route traffic to it.

If you don't see an ARP entry for the VIP, it's possible your switch isn't forwarding multicast traffic.

The VIP by default uses a Multicast MAC and some switches may not forward this unless configured to do so.

See: Configuring Cisco Switch / Router to work with ClusterXL Multicast ARPs

I would also verify (using tcpdump) packets from the client are being received at the gateway.

Re: Vip ip issue

Maarten_Sjouw — Thu, 30 Aug 2018 18:14:11 GMT

There are a number of things you can check to make sure both members are working as they should:

Make sure 'cpconfig' shows that you can disable cluster membership
Best thing is to enable virtual MAC on the cluster page in the Smartconsole, now the MAV for the VIP should be different from the physical MAC
Look with 'cphaprob stat' what the status is according to each member.
change the cluster control protocol to Broadcast to see if then 'cphaprob stat' shows active/standby, so you know multicast is not properly getting through your switch. Preferred would be to make multicast work and set it back to multicast.