Timothy_Hall
Champion

Although not directly related to gateway performance, I've run into issues with this so many times that it did merit a mention in the second edition of my book:

The Magic MAC/Global Cluster ID


There is one situation you might see in a misconfigured cluster that is worth mentioning here, however, as it can be so perplexing. When running the cphaprob stat command on all cluster members, both cluster members report they are the only cluster member present (i.e. the cluster members cannot “see” each other at all) and both of them also report they are “active”! How the heck can such a “split-brain” situation occur when setting up a new ClusterXL cluster?


This problem is related to the so-called “Magic MAC address” (yes that was its original name!), but it is now referred to as the “Cluster Global ID”. On an R77.30 firewall, this value is set during the Gaia web interface First Time Configuration Wizard dialog in the Cluster Global ID field:

The command cphaconf cluster_id set (Cluster ID Value) can also be used to set this value. For an R77.30 firewall, the Cluster Global ID should be manually set to an identical value on all members of the same cluster, but be a unique value for different clusters. Failure to configure a matching Global Cluster ID value on the two R77.30 cluster members will cause the split-brain situation mentioned above. On R77.30 and earlier firewalls the Global Cluster ID value can be checked on each of the cluster members with the cphaconf cluster_id get command.

There is good news about this situation though for R80.10+ gateways: a matching Global Cluster ID is now automatically calculated for all cluster members through a process called “Automatic MAC Magic”. This new feature is also designed to prevent conflicts with other existing firewall clusters on the same network. The status of this new feature (including the automatically calculated Global Cluster ID value) can be verified on an R80.10+ gateway with the cphaprob mmagic command. It can also be checked from a new ClusterXL-based screen of the cpview tool on an R80.10 gateway under “Advanced...ClusterXL”. This new “Automatic MAC Magic” feature is also backwards compatible with R77.30 gateways that had their Global Cluster IDs configured manually in earlier versions.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
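
Added example (not part of the original post or the book): a small audit of manually configured Cluster Global IDs against the two rules described above, identical on all members of one cluster and unique between clusters. The input format, the cluster and member names, and the assumption that all listed clusters share a network are constructed for illustration; the IDs are expected to be transcribed by hand from cphaconf cluster_id get on each member.

```shell
#!/bin/sh
# Added example. Input format is an assumption: "<cluster> <member> <id>",
# where <id> was read by hand from `cphaconf cluster_id get` on that member.

# Constructed sample inventory (names and IDs are made up).
sample_inventory() {
cat <<'EOF'
fw-dmz   member-a 10
fw-dmz   member-b 10
fw-core  member-a 20
fw-core  member-b 21
fw-lab   member-a 10
fw-lab   member-b 10
EOF
}

# Prints one line per problem; returns 1 if any problem was found.
audit_cluster_ids() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }
    NF != 3 || $3 !~ /^[0-9]+$/ {
        printf "MALFORMED line %d: %s\n", NR, $0; bad = 1; next
    }
    {
        c = $1; id = $3
        if (!(c in first)) { first[c] = id; order[++n] = c }
        else if (first[c] != id) mismatch[c] = 1   # members disagree
        members[c] = members[c] " " $2 "=" id
        if (!((id, c) in seen)) {                  # count distinct clusters per ID
            seen[id, c] = 1; users[id] = users[id] " " c; count[id]++
        }
    }
    END {
        for (i = 1; i <= n; i++) if (order[i] in mismatch) {
            printf "MISMATCH %s:%s\n", order[i], members[order[i]]; bad = 1
        }
        for (id in count) if (count[id] > 1) {
            printf "COLLISION id %s used by:%s\n", id, users[id]; bad = 1
        }
        exit (bad ? 1 : 0)
    }'
}

sample_inventory | audit_cluster_ids || echo "audit found problems" >&2
```

A MISMATCH line marks a cluster whose members would not see each other (the split-brain case); a COLLISION line marks two clusters configured with the same ID.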