PrasannaRout
Explorer

Maestro Failover Test Scenario

Our single-site environment is set up with 2x MHO-140 Orchestrators with 3x 6200 Scalable gateways running on R81.20 Take 89 in VSX mode.

We wanted to validate different failover test scenarios and wanted some input on the specific questions below:

  1. Sync Cable Failover - What should be the expected behavior when we disconnect the Sync Cable between the MHOs? How and what should we validate?
  2. Downlink DAC Cable Failover – We have 2x 10G DAC each from gateway to both Orchestrators. We see the gateway went to lost/detached state when one DAC cable was removed. We still have the other DAC cable connected to the other Orchestrator. Something is wrong here. Need clarification.
  3. SMO Mgmt. Cable Failover - We have 2 Mgmt. connections going to the same switch and configured as XOR. We see multiple MAC addresses for Mgmt1/2/Magg. – A few clarifications required.

Below are the MAC addresses we learn from the switch side for our SMO Mgmt connection (Eth1-Mgmt1 & Eth2-Mgmt1).

What are 0000.0000.9201 & 3c41.71df.2d3f? And why is one switch port showing all the MACs that match the firewall side?

Switch:

switch#sh mac address-table interface te1/0/11
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
964    0000.0000.9201    DYNAMIC     Te1/0/11
964    3c41.71df.2d3f    DYNAMIC     Te1/0/11
Total Mac Addresses for this criterion: 2

switch#sh mac address-table interface te2/0/11
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
964    001c.7fa2.ee04    DYNAMIC     Te2/0/11
964    001c.7fa2.f184    DYNAMIC     Te2/0/11
964    001c.7fa2.f99c    DYNAMIC     Te2/0/11
Total Mac Addresses for this criterion: 3

Firewall:

[Global] smo-ch01-01:0> show interface eth1-Mgmt1 mac-addr
1_01:mac-addr 00:1c:7f:a2:f1:84
1_02:mac-addr 00:1c:7f:a2:f9:9c
1_03:mac-addr 00:1c:7f:a2:ee:04

[Global] smo-ch01-01:0> show interface eth2-Mgmt1 mac-addr
1_01: mac-addr 00:1c:7f:a2:f1:84
1_02: mac-addr 00:1c:7f:a2:f9:9c
1_03: mac-addr 00:1c:7f:a2:ee:04

[Global] smo-ch01-01:0> show interface magg10 mac-addr
1_01:mac-addr 00:1c:7f:a2:f1:84
1_02:mac-addr 00:1c:7f:a2:f9:9c
1_03:mac-addr 00:1c:7f:a2:ee:04

[Global] smo-ch01-01:0>

0 Kudos
5 Replies
emmap
Employee

For your failover tests:

1: No impact to the security group is expected, but you won't be able to make any configuration changes on the MHOs. 

2: The behaviour you observed is expected, assuming 1 DAC to each MHO. If an SGM loses connection to an MHO but everything else is still up, that SGM will go down. It should be down though rather than lost, assuming you had reconnected the MHO sync cable before testing this. 

3: Each SGM has its own MAC on the magg interface, so that part is expected. The other two MACs I don't know off the top of my head, but if you do some packet captures with MACs recorded you might be able to find what they are for/from.

0 Kudos
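To make the comparison in question 3 repeatable across failover tests, the following added example (not part of the original thread and not Check Point or Cisco tooling) normalizes both MAC notations and reports, per switch port, which learned MACs belong to an SGM and which remain unexplained. The function names are hypothetical; the sample output lines are the ones posted in the question above.

```python
import re

# Output lines copied from the question above (switch side, then SMO gclish side).
SWITCH_OUTPUT = """
switch#sh mac address-table interface te1/0/11
964    0000.0000.9201    DYNAMIC     Te1/0/11
964    3c41.71df.2d3f    DYNAMIC     Te1/0/11
switch#sh mac address-table interface te2/0/11
964    001c.7fa2.ee04    DYNAMIC     Te2/0/11
964    001c.7fa2.f184    DYNAMIC     Te2/0/11
964    001c.7fa2.f99c    DYNAMIC     Te2/0/11
"""
SGM_OUTPUT = """
[Global] smo-ch01-01:0> show interface magg10 mac-addr
1_01:mac-addr 00:1c:7f:a2:f1:84
1_02: mac-addr 00:1c:7f:a2:f9:9c
1_03:mac-addr 00:1c:7f:a2:ee:04
"""

def norm(mac):
    """Reduce dotted (Cisco) or colon notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-fA-F]", "", mac).lower()

def parse_switch(text):
    """Return {port: set(mac)} from 'show mac address-table' rows."""
    row = re.compile(r"^\s*\d+\s+([0-9a-fA-F.]{14})\s+\w+\s+(\S+)\s*$", re.M)
    ports = {}
    for mac, port in row.findall(text):
        ports.setdefault(port, set()).add(norm(mac))
    return ports

def parse_sgm(text):
    """Return {mac: member_id} from 'show interface <if> mac-addr' rows."""
    row = re.compile(r"^\s*(\d+_\d+):\s*mac-addr\s+([0-9a-fA-F:]{17})\s*$", re.M)
    return {norm(mac): member for member, mac in row.findall(text)}

def classify(switch_text, sgm_text):
    """Per switch port, split learned MACs into SGM-owned and unexplained."""
    owners = parse_sgm(sgm_text)
    report = {}
    for port, macs in parse_switch(switch_text).items():
        report[port] = {
            "sgm": {m: owners[m] for m in macs if m in owners},
            "unknown": sorted(m for m in macs if m not in owners),
        }
    return report

if __name__ == "__main__":
    for port, r in classify(SWITCH_OUTPUT, SGM_OUTPUT).items():
        print(port, "SGM-owned:", r["sgm"], "unexplained:", r["unknown"])
```

Running it before and after each management-link failover shows whether the SGM MACs move to the other port and whether the unexplained entries follow them.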
PrasannaRout
Explorer

No impact to the security group is expected, but you won't be able to make any configuration changes on the MHOs.  - 

No impact to the security group is expected - This is validated.

you won't be able to make any configuration changes on the MHOs - Tried to make the configuration changes on the 1st MHO & 2nd MHO without the sync cable; I am able to do it. It did not even give me any warning.

Can you confirm more on this?

0 Kudos
emmap
Employee

Apologies, I didn't explain myself very well, I meant specifically changes to security group configuration. Regular clish configuration changes are fine as they are not sync'd to the other MHO, but a change to security group (like adding or removing an uplink interface) would be expected to fail.

0 Kudos
PrasannaRout
Explorer

Thanks. That sounds fair.

Regarding the MAC address getting learnt at the Cisco switch for the passive Mgmt. interface [Eth1-Mgmt1]: does that MAC belong to Check Point? We don't see that MAC on either the individual interface or the Magg at Check Point.

964    3c41.71df.2d3f    DYNAMIC     Te1/0/11

Also noticed, when we do a failover of the mgmt. connection, we don't see the above MAC on the other Cisco switch interface (which became active to passive).

0 Kudos
emmap
Employee

The MAC on the SG management interface is owned by the SMO SGM, so it will change when SMO role moves. I don't recall if there's an easy way to see them.

0 Kudos