Adding an interface in ClusterXL High Availability
Hi all,
I am adding a new interface in ClusterXL. I read a post that says this could cause a failover. Can anyone advise whether that is still the case in R8.10, and what detailed steps I have to follow to avoid any outage?
Thanks in advance,
Sam
Accepted Solutions
To get more information, there is a detailed action plan for adding an interface into the cluster topology in sk57100.
Hi Sam,
Normally, in the Gaia web portal for both firewalls, all unused interfaces are down. Suppose each firewall is connected to a core switch, for example as below.
FW1 <--HA--> FW2
 |            |
CS1 <--Po--> CS2
I suggest you follow these steps:
1. Connect a new cable between FW1 & CS1 as well as FW2 & CS2.
2. Configure both firewalls' IP addresses via Gaia, go back to Gaia of FW1, then enable the new interface. Then proceed to enable the FW2 interface.
3. Proceed to Get Interfaces to discover the new topology in SmartDashboard. It will not create any disruption or failover as long as the sequence follows which firewall is currently active, based on my experience.
Cheers
Hi Villamor,
Thank you for these details. I am not using a cloud/IaaS service. This cluster is installed on DL360G8 and managed by SmartConsole; would those steps be fine as well to avoid any outage? Actually, the post that Gil added below is what got me confused...
Thanks,
Sam
Just wanted to add that the cluster members will not treat interfaces as clustered until you specify this in cluster's networking/topology properties, assign virtual IP and install the policy.
If both interfaces are UP and you have verified communication between them in advance, you should be able to add them to the cluster without failover event.
To get more information, there is a detailed action plan for adding an interface into the cluster topology in sk57100.
Gil,
I've looked into sk57100 and would like to ask you why the cluster layer would send CCP via the newly added interface until it is declared "clustered" in topology.
From the "Get Interfaces with Topology", newly added interfaces are shown as "Private" (I am not sure if "Not Monitored" is applied as well).
Doesn't it stand to reason that CCP traffic will not be seen on those interfaces until they are declared "Clustered" and vIP assigned to them?
Thank you.
Hi Vladimir,
This is not exactly what is said in sk57100. It is said: "Since this new interface is not defined yet in cluster Topology, CCP packets will not be sent/received through that interface."
And as the FW kernel is already aware of the new interface, this is the reason it will be considered 'down' by CPHA.
Regards
Gil
Hi Sam,
sk57100 is correct, because the firewall and CSW connections are layer 2 connections, or it depends on your setup.
If any interface connected to the active firewall is disconnected, it will cause a failover. However, to avoid that, assuming FW1 is the active firewall, configure both firewalls' IP addresses via Gaia, go back to Gaia of FW1, then enable the new interface. Then proceed to enable the FW2 interface. Following this sequence, proceed to Get Interfaces to discover the new topology in SmartDashboard and install the new configuration.
I suggest you request minimal downtime as per your company policy so you have enough time to configure and roll back in case you face any problem.
Hi Villamor,
That does make sense, thank you so much.
I will ask for a maintenance window, but one thing is still confusing me: I am trying to understand what the behavior of the standby unit will be when the new interface is up and not added to the cluster yet. Will this standby unit be able to detect that this interface is also up on the Active unit, or will it consider that it has one more up interface and try to become the active?
If that is possible then will we have split-brain in the cluster?
Thanks,
Sam
Hi Villamor,
I added a new interface into the cluster, followed your procedure, and all went well: no failover and no need to reboot. Thanks for your advice.
I just got one issue: the customized topology I have for the existing interfaces has been overwritten with the configured routes. So I prefer to use "get interface without topology" in SmartConsole and add the topology of the new interface manually.
Cheers,
Sam
I have already added several interfaces during productive hours and had no downtime or service outages at all.
Always add the interface at the standby member first, then on the active member.
I just do "get topology" at initial configuration, as I am used to adding all further interfaces manually. In the past, I lost topology and anti-spoofing config too often when using get topology.
And now, when policy is being pushed, I did not face any outages either (yet?).
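
Added example, not part of the original posts and not Check Point code: the overwritten topology and anti-spoofing settings described in the two posts above can be caught before policy install by comparing a snapshot of the cluster object's interface settings taken before the change with one taken after. The snapshot layout, field names, interface names and values are constructed assumptions.

```python
# Added example: gate a policy install on a before/after comparison of the
# cluster object's interface topology. The snapshot layout and every value
# below are constructed for illustration, not a Check Point export format.
FIELDS = ("zone", "networks_behind", "anti_spoofing")

def diff_topology(before, after):
    """Return (added, removed, changed) between two {interface: settings} maps."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = {}
    for name in sorted(set(before) & set(after)):
        delta = {f: (before[name].get(f), after[name].get(f))
                 for f in FIELDS if before[name].get(f) != after[name].get(f)}
        if delta:
            changed[name] = delta
    return added, removed, changed

def safe_to_install(before, after, expected_new):
    """True only if the sole difference is the expected new interface(s)."""
    added, removed, changed = diff_topology(before, after)
    return added == sorted(expected_new) and not removed and not changed

# Constructed snapshot taken before the change.
BEFORE = {
    "eth0": {"zone": "external", "networks_behind": None, "anti_spoofing": "prevent"},
    "eth1": {"zone": "internal", "networks_behind": "group:Internal_Nets",
             "anti_spoofing": "prevent"},
}
NEW_IF = {"zone": "internal", "networks_behind": "network:DMZ_Net",
          "anti_spoofing": "prevent"}
# New interface added by hand: existing entries are untouched.
AFTER_MANUAL = {**BEFORE, "eth2": NEW_IF}
# Topology re-derived from routes: eth1's customized group is replaced.
AFTER_REFETCH = {**AFTER_MANUAL,
                 "eth1": {**BEFORE["eth1"], "networks_behind": "defined-by-routes"}}

if __name__ == "__main__":
    for label, after in (("manual", AFTER_MANUAL), ("refetch", AFTER_REFETCH)):
        added, removed, changed = diff_topology(BEFORE, after)
        print(label, "added:", added, "removed:", removed)
        for name, delta in changed.items():
            for field, (old, new) in delta.items():
                print(f"  {name}.{field}: {old!r} -> {new!r}")
        print("  safe to install:", safe_to_install(BEFORE, after, ["eth2"]))
```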
Thanks Vincent. What do you mean by "I just do "get topology" at initial configuration"? Does that mean you get the topology before adding the interfaces? If so, how will that get and push the config of the new interface? Sorry, but I got confused.
Cheers,
Sam
I meant when setting up a new gateway, where no topology is defined yet in the cluster object.
Later, when adding a new interface to a productive gateway I do that manually.
Best regards
Vincent
Got it, thanks Vincent
