Sam_Ab
Participant

Adding an interface in ClusterXL High Availability


Hi all,

I am adding a new interface in ClusterXL. I read a post that says this could cause a failover. Can anyone advise whether that is still the case in R8.10, and what detailed steps I have to follow to avoid any outage?

Thanks in advance,

Sam


13 Replies
J_J
Participant

Hi Sam,

Normally, in the Gaia web portal for both firewalls, all unused interfaces are down. If each firewall is connected to a core switch, for example as below:

FW1 <--HA--> FW2
 |            |
CS1 <--Po--> CS2

I suggest you follow these steps:

1. Connect a new cable between FW1 & CS1 as well as FW2 & CS2.

2. Configure both firewalls' IP addresses via Gaia, then go back to Gaia on FW1 and enable the new interface. Then proceed to enable the FW2 interface.

3. Proceed to Get Interfaces to discover the new topology in SmartDashboard. In my experience, it will not create any disruption or failover as long as the sequence follows which firewall is currently active.

Cheers

0 Kudos
Sam_Ab
Participant

Hi Villamor,

Thank you for these details. I am not using a cloud/IaaS service. This cluster is installed on DL360G8 and managed by SmartConsole. Would those steps be fine as well to avoid any outage? Actually, the post that Gil added below is what got me confused....

Thanks,

Sam

0 Kudos
Vladimir
Champion

Just wanted to add that the cluster members will not treat interfaces as clustered until you specify this in the cluster's networking/topology properties, assign a virtual IP and install the policy.

If both interfaces are UP and you have verified communication between them in advance, you should be able to add them to the cluster without a failover event.

0 Kudos
Gil_Frantsus
Employee

To get more information, there is a detailed action plan for adding an interface into the cluster topology in sk57100.

Accepted solution

Vladimir
Champion

Gil,

I've looked into sk57100 and would like to ask you why the cluster layer would send CCP via a newly added interface until it is declared "clustered" in the topology?

From the "Get Interfaces with Topology", newly added interfaces are shown as "Private" (I am not sure if "Not Monitored" is applied as well).

Doesn't it stand to reason that CCP traffic will not be seen on those interfaces until they are declared "Clustered" and vIP assigned to them?

Thank you.

0 Kudos
Gil_Frantsus
Employee

Hi Vladimir,

This is not exactly what is said in sk57100. It is said: "Since this new interface is not defined yet in cluster Topology, CCP packets will not be sent/received through that interface."

And as the FW kernel is already aware of the new interface, this is the reason it will be considered 'down' by CPHA.

Regards

Gil

0 Kudos
J_J
Participant

Hi Sam,

sk57100 is correct, because the firewall and CSW connections are layer 2 connections, or it depends on your setup.

If any interface connected to the active firewall is disconnected, it will cause a failover. However, to avoid this, assuming FW1 is the active firewall: configure both firewalls' IP addresses via Gaia, go back to Gaia on FW1, then enable the new interface. Then proceed to enable the FW2 interface. In this order, proceed to Get Interfaces to discover the new topology in SmartDashboard and install the new configuration.

I suggest you request minimal downtime as per your company policy so you have enough time to configure and roll back in case you face any problem.

0 Kudos
Sam_Ab
Participant

Hi Villamor,

That does make sense, thank you so much.

I will ask for a maintenance window, but one thing is still confusing me: I am trying to understand what the behavior of the standby unit will be when the new interface is up and not yet added to the cluster. Will the standby unit be able to detect that this interface is also up on the active unit, or will it consider itself to have one more up interface and try to become the active?

If that is possible, will we then have split-brain in the cluster?

Thanks,

Sam

0 Kudos
Sam_Ab
Participant

Hi Villamor,

I added a new interface into the cluster, followed your procedure and all went well, no fail-over and no need to reboot. Thanks for your advice.

I just had one issue: the customized topology I have for the existing interfaces has been overwritten with the configured routes. So I prefer to use "get interface without topology" in SmartConsole and add the topology of the new interface manually.

Cheers,

Sam 

Vincent_Bacher
Advisor

I have already added several interfaces during productive hours and had no downtime or service outages at all.

Always add the interface on the standby member first, then on the active member.

I just do "get topology" at initial configuration, as I got used to adding all further interfaces manually. In the past, I lost topology and anti-spoofing config too often when using get topology.

And now, when policy is being pushed, I did not face any outages either (yet?)

and now to something completely different
Sam_Ab
Participant

Thanks Vincent, what do you mean by "I just do "get topology" at initial configuration"? Does that mean you get the topology before adding the interfaces? If so, how will that get and push the config of the new interface? Sorry, but I got confused.

Cheers,

Sam 

0 Kudos
Vincent_Bacher
Advisor

I meant when setting up a new gateway, where no topology is defined yet in the cluster object.

Later, when adding a new interface to a productive gateway I do that manually.

Best regards

Vincent

and now to something completely different
Sam_Ab
Participant

Got it, thanks Vincent

0 Kudos