Thread: Timeouts on Nokia cluster failover
View Single Post
  #7 (permalink)  
Old 2009-11-24
ddurocher ddurocher is offline
Junior Member
  
Join Date: 2009-07-02
Location: Toronto, Canada
Posts: 4
Rep Power: 0
ddurocher has an average reputation (10+)
Default Re: Timeouts on Nokia cluster failover
Well it has been a while but I did finally get this problem sorted out. Had to go to the UK (where the equipment is installed) to fix it. So I wanted to take a moment to post some notes on what I learned in case this will help someone else down the road.

Note that for my purposes I chose to reconfigure the cluster to use VRRP instead of IP clustering as I don't need the load balancing.

1. I had some issues with routing that I wasn't expecting. Ultimately it was the nodes external to the network were forwarding packets to the VLAN IP address of my external switches instead of the Virtual IP of my firewall.

2. Under the VMAC Mode configuration I used a combination of either Interface or Extended. My internal network switches are Alcaltel 6100 series switches and Interface mode allowed them to handle the failover properly. Externally we are using Alcaltel 6600 series switches and again I used Interface mode except on one VLAN with two directly connected devices which worked only with Extended mode. This was just some trial and error tweaking once I got the other issues resolved.

I initially deviated from the default VRRP option because I noticed that all of my VIPs had been assigned the same virtual MAC address. I thought that might be causing some issues based on the network architecture. I never did test to see if VRRP mode would work once I had the routing issues sorted out so take this with a grain of salt.

3. Also, something I hadn't realized initially was that I needed to have a firewall rule allowing vrrp and igmp between the firewall nodes and the multicast network.

4. The clocks being out of sync caused some issues briefly as well. This wasn't a major issue but keep this one in mind and save some hair!

At the end of the day this ended up being a exercise in understanding not only the Nokia and Check Point Products but how they need to be massaged into the network design as a whole, and how the different devices we are using affect each other.

So after much teeth gnashing I have a VRRP enabled cluster that fails over and back beautifully. Thanks to everyone's posts I read on here for all the little issues I had to sort out.

Darren
Reply With Quote