ClusterXL not started.

[djmachin]

I'm trying to setup a Solaris R60 cluster on a pair of Sun Fire V210's but it doesn't seem to be working properly. I am using Solaris as the router and have set up a file on each node called S79test-routes in /etc/rc3.d that contains a single route:

route add net 0.0.0.0 xx.xx.xx.xx

I can internet IP's from each node but get nothing from the single machine on the internal interface.

I can however get internet connectivity if I shut one of the nodes down.

If I look in SmartView Monitor and create a new view with the ClusterXL fields, it says that "ClusterXL" is not started on either node.

I initially installed both nodes using the Cluster option and have sucsessfully set up the SIC between the nodes and the management server.

Any help would be much appreciated.

Thanks

[Izzio]

I suggest you with cpconfig by each node to activate "ClusterXL" for the state table sync.
Sync. should happen on a separated (secure) interface, at the best connect with a crossover on a reserved real (no VLAN!) interface the two nodes and define a sync. network on this connection.

You will find any detail by the ClusterXL documentation.

Hope it helps!

Maurizio

[mmoret]

I have the same setup :-)

try looking at the following commands:
cphaprob state
cphaprob -a if

You can stop/start clusterxl from SmartView monitor or with cphastart/cphastop

Also on Solaris if you want to create a default route, do this in the file /etc/defaultrouter, containing one single line with the gateway address.

Regards
Martijn

[djmachin]

As far as I can tell, Clustering is installed ok. I've ran cphaprob -a if before on each node and it shows the 2 (1 internal, 1 external (Gigaswift)) non secured and the single BGE interface that connects to the other node for the Sync connection. Under this, it shows the teo virtual interfaces for internal and external. The thing I'm wondering about is that in SmartView monitor, is I select "more" on ClusterXL and scroll down. It says "Clustering started:no". This seems to contradict all the other information that says that it is indeed working.

Thanks for your time

[mmoret]

In the Smartview Monitor on our site it also says clustering started: no.
Bug?

Could you post the output of cpahprob state on both nodes?
Along with netstat -rnv?

Regards
Martijn

[djmachin]

Thanks for your reply mmoret. That makes me feel a bit better. At least it says the same and yours is working fine.

Attached is the output from each node for the two commands mentioned:


Thanks for your time.
Dave

[mmoret]

Your setup looks like mine, except my routing table is a bit bigger.

A few questions/remarks:
Your private (secure) network is 11.0.11.0?
If so, make sure it is added to Global Properties -> Non Unique IP Address ranges as these are registered ip addresses (or you must be the owner of this range)
If you want to be able to have access from the standby node to the internet, you must set Global Properties -> Firewall -> accept outgoing packets originating from the gateway.

After modifying these settings, you must install the policy on the cluster nodes.

If you have any questions, please feel free to ask.

Martijn

[pop_alex]

Hi,

Mine is 10.1.0.0 / 24. Do I need to put it into Non-unique IP address range also? Eventhough I'm using OPSEC load-balance product instead of ClusterXL? I just use state sync only.

Regards,

Al

[mmoret]

What OPSEC software do you use?

My setup is with CLusterXL.

Regards
Martijn

[pop_alex]

Hi,

Mine is RainWall 3.1 SP5 R1.

Regards,

Al

[Gavrilo]

This may help some of you to solve cluster problems.

I have done the NGX courses and noted they are vague, just like Check Point is vague. However, a couple of things I have learned are:

1. SPLAT R60 has problems detecting certain Intel Interfaces - upgrade to R61 which does this much better.

2. The SecurePlatform https connection may say your interfaces are up but double check this with SmartView Monitor which in my case said something different

3. SPLAT does some weird shit with interface designation. This confused the hell out of me at first but I discovered all my additional interfaces were designated the oposite to what I expected i.e. Eth2 was Eth7 andd Eth3 was Eth6 etc.

If someone can explain poit 3 I would be grateful.

Regards

Gavrilo

[djmachin]

Right, I've been looking at this problem more closely and I think it is an ARP related problem.

Running snoop on node "A" with a ping going to an external website when I have connectivity gets the following on node "A":
Translated External IP----->External website
External website------>Translated External IP
Translated External IP----->External website
External website------>Translated External IP


and so on.

If I fail over to node "B" I get the following on node "B":
Translated External IP----->External website
Translated External IP----->External website
Translated External IP----->External website

and on node "A":
External website------>Translated External IP
External website------>Translated External IP
External website------>Translated External IP

I have manual ARP set with the external interface MAC address and the corresponding translation in R60 on each node.

Is there anything I can do to get around this. I have disabled "Automatic Proxy ARP" in Global Properties in case you were wondering.

Thanks for you time
Dave Machin

[djmachin]

I managed to sort it out in the end. I hadn't fully understood how to use "Proxy ARP" in NGX. I have now started to use the "NAT" tab in the host node to do the automatic address translation to create the translation rules and not used manual ARP at all (which I never should have done in the first place). The cluster fails over fine now and the ARP/routing works as expected.

Thanks for all those who tried to help.

[varera]

just a remark. you are not using ClusterXL, and for that I would check how the cluster object is defined. ARP and virtual IP designation should be handled by your clustering mechanism. What did you state in the object def, Cluster XL or "third party cluster"?