topic Re: Switch configuration for ClusterXL using OSPF in Firewall and Security Management

Switch configuration for ClusterXL using OSPF

Samuel_EKUNDAR1 — Tue, 20 May 2025 18:11:37 GMT

I have this deployment of 9100 gateways in HA using OSPF.

the output of cphaprob is Active Down.

when I checked on the down member for cphaprob -ia list, all the interfaces are down except for sync and mgmt and interface active check is in problem state.

After further troubleshooting, I realised that it's only the active member that has connectivity per time irrespective of which appliance is active.

When I do show route on each member, each of them has thesame dynamic route populated but only the active member is able to reach learned routes

when I do show ospf neighbour on each member, only the active member has neighbors populated.

I worked with TAC and the conclusion is to look at the switches and router

how do I advice the network team, to configure the switch and routers to treat the appliances independently.

so that the connected interfaces of the gateways will be up irrespective

Re: Switch configuration for ClusterXL using OSPF

Chris_Atkinson — Wed, 21 May 2025 04:32:14 GMT

The network should see the cluster as a single logical router (same router-id).

Actually the interface active check typically has little to do with routing/ospf more L2 communication e.g. reachability between the cluster members across the intermediate network fabric/vlan(s).

Re: Switch configuration for ClusterXL using OSPF

Joseph_Audet — Thu, 22 May 2025 01:02:11 GMT

Chris is correct - our cluster only peers to/from the active member. The cluster will synchronize the routing table so that it can re-establish peering and not lose connectivity during a failover. The network team should only need the (1) peer configured.