ClusterXL not working when failed over

[djmachin]

This is releated to the previous post about ClusterXL in HA mode not working.

We have R60 (HFA03) on two Sun Fire V210's running Sparc Solaris 9.

If I have both nodes (A and B) powered off and power A up and then B, I can get on the internet. If I fail over to node B (using "Stop Member" on SmartView Monitor) I cannot get on the internet from the single laptop connected to the internal interface. If It then cpstart node A and fail it back to A, the laptop can get on the internet fine.

Now if I power both off and start this time with node B, the same pattern follows with the internet always available on node B.

I am using a 10Mb hub for the external interfaces and a Dell PowerConnect 3324 for the internal facing interface. I did initially try a 3COM 3300 switch on the external facing interfaces. I changed to the hub after thinking that it was the switch caching the ARP entry. That does not seem to be the cause of the problem as it is still the same after the swap out.

I have a manual ARP entry (automatic proxy ARP disabled) on each node with the MAC address of the external interface. I also have a single hiding translated rule for the internal network to go out on the internet.

Can anyone suggest anything that seems wrong or is there anything I can try to try and fix this problem?

Thanks to all for your time.
Dave

[chillyjim]

Quote:

Originally Posted by djmachin

I have a manual ARP entry (automatic proxy ARP disabled) on each node with the MAC address of the external interface. I also have a single hiding translated rule for the internal network to go out on the internet.

Why are you not using automatic proxy arp? I suspect that's part of the issue as ClusterXL depends on being able to control the proxy arp.

[djmachin]

Thanks for your reply.

As I understand it, Automatic Proxy ARP is only activated if you used Automatic NAT. As we will be using manual NAT with a corresponding routing table on each node, I thought I may as well disable the Automatic Proxy ARP. If this is wrong then please feel free to correct me.

Thanks
Dave

[Error404]

You have to DISABLE the automatic proxy arp feature if you use manual arping.

global Properties -> NAT -> Automatic ARP configuration (uncheck this option)

If you do not so, you will have to merge the "automatic arp table" with the manual even if you are not using any automatic arp entries.

See also SK#30197 for the problem

[scottlsattler]

also I remember seeing something about if your devices do not support gratitous arps fail over will not work.

[Version1]

Were you able to find out what the issue was? I have seen the same problem after an upgrade to R60 on Secure Platform.

[tolu60]

I had a similar problem initially, but turned out that I had the wrong cabled connected to to the wrong interface... also you may want to check the routing table on the cluster members if the cluster addresses are on different subnets to the member interface.
The problem I'm having now (if anyone else has experienced it) is that I'm not able to establish VPN tunnel using SecureClient.
My configuration is this: 6 interfaces on both cluster members, 2 DMZ, 1 synch, 2 external (internet for redundancy), and 1 for internal lan... all cluster member interfaces are on different subnest to the cluster (virtual) addresses with the exception of the internal interface. Internal is on 192.168.50.x which is also same subnet as the cluster IP for that interface...
The strangest thing is I can establish VPN tunnel when I'm on the 192.168.50.x subnet, but not from the internet. I'm guessing this is to do with the internet cluster IP and the member interfaces being on different subnets, but can't quite figure it out. Hope this makes sense?

[djmachin]

We managed to get it working in the end. Using manual NAT in Smart Dashboard was a no go. I needed to do the NAT within each object so that it could use the automatic proxy ARP. After I did that the fail-over started to work fine every time. The main problem was getting my head round the different way of doing the address translation. In our old single FP3 box we did a security policy, address translation and an ARP/Routing table within the OS itself. Using the ClusterXL way just meant that we had to change the way we did things.

[hono222]

Hi,
Sorry to post this here I didn't know where else to post it. Perhaps someone can tell how to post a new message. Anyway the real problem is this:

On Friday of last week we had a power outage since then ALL of the internal virtual ips periodically time out. Like a hiccup. Has anyone had this problem?

Your help would greatly be appreciated.

Thanks