topic Re: VRRP is backup state at both of firewalls in Firewall and Security Management

VRRP is backup state at both of firewalls

Myo_Min_Zaw — Wed, 07 Nov 2018 06:05:50 GMT

HI Expert,

Both of firewalls are backup state in VRRP cluster mode.

Already enable for cluster gateways via cpconfig. and reboot both of firewalls also.

Please kindly advice it. Thanks.

Re: VRRP is backup state at both of firewalls

_Val_ — Wed, 07 Nov 2018 08:25:47 GMT

It looks like you have enabled both ClusterXL and VRRP clustering at once.

Re: VRRP is backup state at both of firewalls

Maarten_Sjouw — Wed, 07 Nov 2018 22:10:46 GMT

First of all make sure that the priority on both members are different by no more than 20, but in your case 10. Advise use prio delta of 10 and prio of 195 and 200, with both numbers ending in a 0 it is not always clear which of the 2 should be master.

Check the state on both members with cphaprob stat and see if both members show active/active.

In Dashboard/SmartConsole have you set the clustering method to VRRP? In the global settings also look for the allow VRRP setting to be allowed before first.

For a test type set vrrp monitor-firewall off and see what happens.

Last thing to check is to see for sure that the switches you have connected both FW's to, are set to allow multicast traffic.

Re: VRRP is backup state at both of firewalls

Myo_Min_Zaw — Wed, 07 Nov 2018 23:41:15 GMT

Like that case, how can I off for one of services in either one please?

Re: VRRP is backup state at both of firewalls

Myo_Min_Zaw — Wed, 07 Nov 2018 23:43:31 GMT

Maarten,

Thanks a lot for your points. I will follow that. Yes, I set for VRRP settings in Smart Dashboard. Global settings is allowed already. Now, All members are 2x master.

Thanks

Re: VRRP is backup state at both of firewalls

Maarten_Sjouw — Thu, 08 Nov 2018 09:48:15 GMT

So this will happen when the members do not "see" each other, so go back to the switches and make sure the VLAN's are present on the switches and also in the trunk between switches.

You can start by checking if you can ping the other box in the same network, if allowed by policy.

Check logging if the VRRP is actually not dropped, if so make sure to add an allow rule for the gateways to the VRRP Multicast address.

When you are running in VMware, make sure to disable all security on the Switch ports that connect to the FW's.

Re: VRRP is backup state at both of firewalls

Myo_Min_Zaw — Thu, 08 Nov 2018 14:17:57 GMT

Just share the info that what we resolve for this issue as per below:

1. Enable cluster gateways at both firewalls via cpconfig and reboot both of firewalls.

2. After that both of firewalls are master mode changes.

3. And then, add VRRP rules at the firewalls and push down the policies. After that, it will resolve for the issue as one firewall one is master state and another one is backup state.

Thanks.