Hi Mates,
I inherited an old cluster running R80.40. At some point it developed a problem with HA. Long story, but I needed to rebuild it anyway, so I did so: a new build side-by-side on R81.20, but I found it too had a problem with HA (the secondary device doesn't pass traffic, so you need to fail back).
I ran the azure_ha_test.py and found our error message in the sk175023 ATRG: "[Forbidden] Error: HTTP/1.1 403 Forbidden" error.
We got the permissions update using the gateway managed identities and the test script now runs clean. Yay! Now the actual problem.
The HA template in Azure Marketplace creates 3 public IPs (PIPs), one of which is the "cluster-vip" which gets attached to the active gateway in Azure. As part of the rebuild and migration, I changed this in Azure to our established egress PIP in Azure, which is whitelisted by many external services.
Now when failover occurs, the cluster-vip is changing back to the PIP that was created by the template and removing the one I selected in Azure, and I don't know why.
I found a reference to the old PIP in $FWDIR/conf/azure-ha.json (caps below replace actual IPs)
"name": "cluster-vip"
"addr": "PRIVATE IP"
"pub": "TEMPLATE_PIP"
So I changed this to
"name": "cluster-vip"
"addr": "PRIVATE IP"
"pub": "ESTABLISHED_EGRESS_PIP"
I tested the failover again but the same thing is happening. Does anyone know where the command to use the template cluster-vip is coming from?
Thanks in advance.