topic Re: Maestro dual site failover in Hyperscale Firewall (Maestro)

Maestro dual site failover

EugeneK — Thu, 27 Jul 2023 15:56:50 GMT

Hello

Maestro dual site scenario, Security Group Active/Standby mode, Active security gateways on one site, Standby on other site.

How works failover?

What will happen if interconnect link is down between sites?

What will happen after the link is up?

Regards

Re: Maestro dual site failover

emmap — Wed, 02 Aug 2023 07:28:12 GMT

Failover occurs when the active site has degraded sufficiently to trigger a failover, according to the weighting seen in 'asg stat'. By default, if you lose a bond on the active site, it'll fail over. If you lose an orchestrator, it'll fail over. If you lose one SGM it will not fail over, but if you lose two it will.

Failover functionally works like any Check Point A/S cluster. Connections are maintained and continued on the other site.

If the site sync link goes down the two sites will try to discover each other via the uplinks. They will maintain the current cluster state until sync is restored. Once the link is back up, sync is restored and you're back to normal.

Re: Maestro dual site failover

Marco32 — Tue, 17 Oct 2023 13:05:42 GMT

Hi there,

I have some doubt about VSLS failover over Maestro dual site.

I have configured a security group with VSX and set it as VSLS "set chassis high-availability mode 3", I have some VS active on Chassis 1 and some other active on Chassis 2.

Running "show cluster members interfaces all" from a VS I see the following output:

CCP mode: Automatic
Required interfaces: 1
Required secured interfaces: 0

Interface Name: Status:

Sync (S) UP
bond1.200 (LS) DOWN
bond2.100 (LS) DOWN

Running "cphaprob stat" I see:

Cluster Mode: HA Over LS

ID Unique Address Assigned Load State Name

1 (local) 192.0.2.1 50% ACTIVE admin-ch01-01
2 192.0.2.2 50% ACTIVE admin-ch01-02
15 192.0.2.15 50% ACTIVE admin-ch02-01
16 192.0.2.16 50% ACTIVE admin-ch02-02

Actually I have all link down on both sites for maintenance but I see that VS is Active because is required only 1 interface on cluster.

Is this correct? Why default configuration have only 1 interface required even if I have 6 interfaces presents?

With VSLS configuration if all the slave of a bond interface on chassis 1 (where VS is active) goes down, VS have to failover over chassis 2. Is this correct?

Regards

Re: Maestro dual site failover

Jochen_Hoechner — Tue, 17 Oct 2023 14:52:11 GMT

Hi,

In general, all SGM modules are active. The state in 'cphaprob' is OK. As all interfaces on both sites are down, the chassis grade is equal. Once the interfaces on one site become up, the chassis grade will change and you will see one site down.

The correct tool for monitoring the status in a maestro vsls environment is 'asg monitor'.
If you use 'asg monitor vs all' you see status of all virtual systems across both sites (chassis1, chassis2).

Please check in addition:

- asg_bond (if you use bonded interfaces)
- per VS the 'asg if' command

Re: Maestro dual site failover

Marco32 — Wed, 18 Oct 2023 09:49:44 GMT

Hi Jochen, thanks for your support.

So I have to plug the cable to see different status in cphaprob. For VS that run on Chassis1 will I see ACTIVE for the SGM on site 1 and some different info for SGM on site 2?

Locking with "asg_bond" I see that bonds are in Failed because eth of both site are now DOWN and "asg if" teel me that every interface (ex. bond1.200 and so on) are in down for both chassis

What about the output of "show cluster members interfaces all"? Why I see "Required interfaces: 1" even if I have several interfaces? Shouldn't I have multiple interfaces here?

Re: Maestro dual site failover

emmap — Wed, 25 Oct 2023 08:31:24 GMT

Maestro clustering and regular clustering work differently. We don't do the same interface monitoring in Maestro like we do in regular CXL, hence you are not getting meaningful output from the commands you are running. Please monitor Maestro clustering with asg stat commands (asg stat -v, asg stat vs all, asg stat vs).