This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Myo_Min_Zaw
Contributor
‎2018-11-06 10:05 PM

VRRP is backup state at both of firewalls

HI Expert,

Both of firewalls are backup state in VRRP cluster mode.

Already enable for cluster gateways via cpconfig. and reboot both of firewalls also.

Please kindly advice it. Thanks.

6 Replies
_Val_
Admin
Admin
‎2018-11-07 12:25 AM

It looks like you have enabled both ClusterXL and VRRP clustering at once. 

Myo_Min_Zaw
Contributor
‎2018-11-07 03:41 PM
In response to _Val_

Like that case, how can I off for one of services in either one please?

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-11-07 02:10 PM

First of all make sure that the priority on both members are different by no more than 20, but in your case 10. Advise use prio delta of 10 and prio of 195 and 200, with both numbers ending in a 0 it is not always clear which of the 2 should be master.

Check the state on both members with cphaprob stat  and see if both members show active/active.

In Dashboard/SmartConsole have you set the clustering method to VRRP? In the global settings also look for the allow VRRP setting to be allowed before first.

For a test type set vrrp monitor-firewall off  and see what happens.

Last thing to check is to see for sure that the switches you have connected both FW's to, are set to allow multicast traffic.

Regards, Maarten
0 Kudos
Myo_Min_Zaw
Contributor
‎2018-11-07 03:43 PM
In response to Maarten_Sjouw

Maarten,

Thanks a lot for your points. I will follow that. Yes, I set for VRRP settings in Smart Dashboard. Global settings is allowed already. Now, All members are 2x master.

Thanks

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-11-08 01:48 AM
In response to Myo_Min_Zaw

So this will happen when the members do not "see" each other, so go back to the switches and make sure the VLAN's are present on the switches and also in the trunk between switches.

You can start by checking if you can ping the other box in the same network, if allowed by policy.

Check logging if the VRRP is actually not dropped, if so make sure to add an allow rule for the gateways to the VRRP Multicast address.

When you are running in VMware, make sure to disable all security on the Switch ports that connect to the FW's.

Regards, Maarten
Myo_Min_Zaw
Contributor
‎2018-11-08 06:17 AM
In response to Maarten_Sjouw

Just share the info that what we resolve for this issue as per below:

1. Enable cluster gateways at both firewalls via cpconfig and reboot both of firewalls.

2. After that both of firewalls are master mode changes.

3. And then, add VRRP rules at the firewalls and push down the policies. After that, it will resolve for the issue as one firewall one is master state and another one is backup state.

Thanks.