Roadrunner88
Participant

Facing trouble with HA Cluster 1570R Firewalls

Hello Guys,

We have some trouble with our 1570R gateways connected as a ClusterXL HA cluster with a sync port.

We have the following setup:

[image: network setup diagram, Unbenannt.PNG]

Because of technical issues, we have not been able to connect the sync port directly.

So the sync goes over the access level on Cisco switches, with a special VLAN dedicated to the sync IPs.

The VLAN is routed on the Core.

Our problem is that when one firewall crashes (power outage or restart), the HA seems to work, but the production line doesn't come up until one of the members gets restarted manually.

So the problem seems to be that the Hirschmann devices don't use the new route over the new active member when the other one is not reachable anymore. When the restart is done, the firewalls go back to the old member state, but the Hirschmanns keep the old route.

So we lose the connection to the production line until we manually redo the state change and the old route is working again.

My question now: what's wrong? How can we solve this issue?

Is it because we are using the sync port over the Cisco level?

The sync ports have a dedicated connection to the Cisco switches, and a dedicated VLAN/subnet.

Can someone provide helpful input? Would be nice.
Chris_Atkinson
Employee

Possibly worth testing Virtual MAC mode for the cluster:

[image: vmac.png, cluster Virtual MAC setting]

Otherwise more information is required...

Which version/build are the Gateways - R80.20.35 (992002577) ?

Anything interesting in the logs from the gateways?

Do the switches have g-arp disabled?

What are the routes / default gateways pointed at for their next-hop?

Do you have the switches' ARP/MAC table outputs from a failure scenario that you can analyze?
Roadrunner88
Participant

That's not so easy. At the moment I can only provide the current MAC tables of the involved Cisco switches and the ARP tables of the firewalls:

ARP FIR01 (STANDBY)

cphaprob state

Cluster Mode: High Availability (Active Up) with IGMP Membership

ID Unique Address Assigned Load State Name

1 (local) 10.xxx.4 0% STANDBY 001FIR01
2 10.xxx.5 100% ACTIVE 010FIR01

001FIR01> arp
? (10.xxxxx.3) at 00:1c:7f:9b:54:0f [ether] on LAN1
? (172xxxx.3) at 00:1c:7f:9b:54:0f [ether] on LAN2
? (10.xxxx.1) at 00:00:0c:07:ac:80 [ether] on WAN
? (10.xxxx.5) at 00:1c:7f:9b:54:0f [ether] on LAN8     SYNC

FIR02 (ACTIVE):

cphaprob state
ID Unique Address Assigned Load State Name

1 10.xxx.4 0% STANDBY ICC001FIR01
2 (local) 10.xxx.5 100% ACTIVE 010FIR01

arp

? (10.xxxx.1) at 00:00:0c:07:ac:80 [ether] on WAN
? (10.xxx60) at 00:1c:7f:9b:53:ff [ether] on WAN
? (10.xxx.2) at 00:06:f6:11:e7:41 [ether] on WAN

No SYNC entry in the ARP table.

(I left the other subnets out, they are not necessary)

On the access level, the MAC tables:

CORE:

130 0000.0000.f000 DYNAMIC Po2
130 0000.0000.f001 DYNAMIC Po2
130 0006.f612.0d0d DYNAMIC Po2

Switch01:

130 0000.0000.f000 DYNAMIC Gi1/0/10
130 0000.0000.f001 DYNAMIC Gi1/1/2
130 0006.f611.5884 DYNAMIC Gi1/1/2

Switch02:

130 0000.0000.f000 DYNAMIC Gi1/1/2
130 0000.0000.f001 DYNAMIC Gi1/0/5
130 0006.f611.5881 DYNAMIC Gi1/1/2

All interfaces on the Cisco devices have a standard config like this:

interface GigabitEthernet1/0/5
description Sync
switchport access vlan 130
switchport mode access
switchport nonegotiate
no logging event link-status
load-interval 30
no snmp trap link-status
no mdix auto
no cdp enable

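The check Chris_Atkinson asked for (compare the switches' MAC tables from before and after a failover, and confirm the sync peer is visible in each member's ARP table) can be scripted against exactly the kind of output posted above. The following is an added example, not code from the thread, from Check Point or from Cisco. Its snapshots are constructed and only modelled on the posted `show mac address-table` and Gaia `arp` formats; the sync IPs 10.0.130.4/.5 are placeholders, and treating 0000.0000.f000/f001 as the cluster's MACs is an assumption made for the demonstration. Whether a cluster MAC is reported as "moved" or "stale" after a failover is what tells you whether the switch relearned the new path or is still forwarding toward the dead member.

```python
"""Detect stale switch MAC entries after a ClusterXL failover and verify
that the sync peer is present in a member's ARP table.

Added example (not from the thread). Sample data below is constructed.
"""
import re
from typing import Dict, List, Tuple

# One data row of Cisco "show mac address-table": VLAN  MAC  TYPE  PORT.
# Header and separator lines do not start with a VLAN number, so they are skipped.
MAC_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\w+\s+(\S+)",
    re.IGNORECASE,
)
# One row of Gaia "arp" output: "? (ip) at mac [ether] on iface" (trailing text ignored).
ARP_ROW = re.compile(
    r"^\?\s+\((\S+)\)\s+at\s+([0-9a-f:]{17})\s+\[ether\]\s+on\s+(\S+)",
    re.IGNORECASE,
)

MacTable = Dict[Tuple[int, str], str]   # (vlan, mac) -> port
ArpTable = Dict[str, Tuple[str, str]]   # ip -> (mac, interface)


def parse_mac_table(text: str) -> MacTable:
    """Map (vlan, mac) to the port the switch learned it on."""
    table: MacTable = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            vlan, mac, port = m.groups()
            table[(int(vlan), mac.lower())] = port
    return table


def parse_arp(text: str) -> ArpTable:
    """Map IP to (mac, interface) from Gaia 'arp' output."""
    arp: ArpTable = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            ip, mac, iface = m.groups()
            arp[ip] = (mac.lower(), iface)
    return arp


def diff_mac_tables(before: MacTable, after: MacTable, vlan: int,
                    macs: List[str]) -> Dict[str, Tuple[str, str, str]]:
    """For each watched MAC in one VLAN, report (status, port_before, port_after).

    'moved'    : learned on a different port after the failover (switch relearned)
    'stale'    : still on the old port (no relearn; traffic keeps going to the old member)
    'vanished' : aged out / flushed and not yet relearned
    'appeared' : not known before, known now
    'absent'   : never seen in either snapshot
    """
    report: Dict[str, Tuple[str, str, str]] = {}
    for mac in macs:
        key = (vlan, mac.lower())
        p_before = before.get(key, "-")
        p_after = after.get(key, "-")
        if p_before == "-" and p_after == "-":
            status = "absent"
        elif p_before == "-":
            status = "appeared"
        elif p_after == "-":
            status = "vanished"
        elif p_before == p_after:
            status = "stale"
        else:
            status = "moved"
        report[mac.lower()] = (status, p_before, p_after)
    return report


def sync_peer_visible(arp: ArpTable, peer_ip: str, sync_iface: str) -> bool:
    """True if the peer's sync IP was resolved on the expected sync interface."""
    entry = arp.get(peer_ip)
    return entry is not None and entry[1] == sync_iface


# ---- constructed sample data (modelled on the thread's output, not copied) ----
CLUSTER_MACS = ["0000.0000.f000", "0000.0000.f001"]   # assumed cluster MACs
SWITCH01_BEFORE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 130    0000.0000.f000    DYNAMIC     Gi1/0/10
 130    0000.0000.f001    DYNAMIC     Gi1/1/2
 130    0006.f611.5884    DYNAMIC     Gi1/1/2
"""
# Healthy failover: f000 is now learned behind the uplink Gi1/1/2.
SWITCH01_AFTER_OK = """\
 130    0000.0000.f000    DYNAMIC     Gi1/1/2
 130    0000.0000.f001    DYNAMIC     Gi1/1/2
"""
# Stale failover: identical to before although the member on Gi1/0/10 is down.
SWITCH01_AFTER_STALE = SWITCH01_BEFORE
FIR01_ARP = """\
? (10.0.130.5) at 00:1c:7f:9b:54:0f [ether] on LAN8     SYNC
? (10.0.1.1) at 00:00:0c:07:ac:80 [ether] on WAN
"""
FIR02_ARP = "? (10.0.1.1) at 00:00:0c:07:ac:80 [ether] on WAN\n"

if __name__ == "__main__":
    before = parse_mac_table(SWITCH01_BEFORE)
    for label, snap in (("ok", SWITCH01_AFTER_OK), ("stale", SWITCH01_AFTER_STALE)):
        print(label, diff_mac_tables(before, parse_mac_table(snap), 130, CLUSTER_MACS))
    print("FIR01 sees peer on LAN8:", sync_peer_visible(parse_arp(FIR01_ARP), "10.0.130.5", "LAN8"))
    print("FIR02 sees peer on LAN8:", sync_peer_visible(parse_arp(FIR02_ARP), "10.0.130.4", "LAN8"))
```

Take the "before" snapshot while both members are up and the "after" snapshot a few seconds after pulling power on the active member; a cluster MAC that stays "stale" on the old member's access port points at lost or filtered gratuitous ARP (or a MAC aging timer that is much longer than the failover), which is where Virtual MAC mode and the switches' g-arp handling come in.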