topic Re: Cluster failover in Firewall and Security Management

Cluster failover

StevePearson — Sun, 19 Jan 2025 00:43:44 GMT

Having a problem with failover between a pair of 5800 gateways, setup in the same way as other customers so I'm at a loss as to why this is happening.

So, each gateway has a single connection WAN port connected to a Cisco switch. There's no fancy config on the switch. The ISP router is also connected to the switch providing the connection to the internet.

When you fail over the gateways, all outbound traffic is fine but anything incoming fails (eg remote access, web portals etc).

I've traced this to what I believe is an arp issue as the ISP router has the MAC address of the primary gateway, and the arp entries have a 4 hour TTL, that the ISP won't change.

In the advanced settings for the cluster there is a tick box to use virtual MAC, which I thought was ticked by default but in this site it's not. I know this site started out as a single gateway and was upgraded to a cluster quite some time ago (before we were involved) so I wondered if it was something that was legacy and not set during the upgrade back then. So I checked a couple of other customers with similar configurations, where I know for sure that the failover works perfectly and instantaneously, but they also have the use virtual MAC box unticked, so this must be the default setting.

So now I'm at a loss as to what the root cause of this issue is. I'm thinking that possibly the ISP router is outdated plus the 4 hour TTL, could well be the issue, and setting the option to use virtual MAC would be the best way forward.

Has anyone else encountered this type of issue?

Re: Cluster failover

Chris_Atkinson — Sun, 19 Jan 2025 01:08:04 GMT

VMAC is not default but worth trying based on what you've described.

If it wasn't for the stale mac-observation i'd also be checking route next-hops & port-fast settings.

Which version/JHF are involved?

Re: Cluster failover

StevePearson — Sun, 19 Jan 2025 11:07:19 GMT

Hi Chris,

This is currently running R81.20 take 84, but the issue has been around for a while, even going back to R81.10 with take around 130, but probably earlier.

When you say about next hop and port fast, are you referring to the switch?

Thanks,Steve

Re: Cluster failover

Chris_Atkinson — Sun, 19 Jan 2025 12:20:55 GMT

Yes portfast enabled on the switchports connecting the firewalls.

Double check that the router is pointing route next-hops to the cluster VIP rather than the physical interface IP.

But again the stale mac is a valid reason to investigate VMAC.

(Likely the ISP router is ignoring G-ARP messages as a potential security risk)

Re: Cluster failover

Lesley — Sun, 19 Jan 2025 12:35:14 GMT

VMAC is a good option here as posted before. Easy to enable / disable no config required