interface monitoring for failover in clusterXL

[sebastan_bach]

hi all i am trying to find out that whether cluster XL sends keep alive ccp packets along the data interfaces i mean the internal and external interface like in cisco failover

cause when i was labbing it up i disconnected a internal interface on the switch of the active firewall still no failover happenend.

is interface monitoring disabled by default in clusterXL. i read a document which states we need to enable interface monitoring for the interface. i mean it;s bad the basic purpose of failover should be to track the state of the data interfaces and it should be tracked by default.

can someone pls tell me what is the address to which the ccp packets are send.

any kind of help on the same would be great.

regards

sebastan

[chillyjim]

CCP packets are sent on all cluster interfaces (If a trunk interface they are sent only on the lowest numbered vlan by default).

[sebastan_bach]

hi jim i am using vlans for my internal and external network on eth0 and sync on a dedicated interface eth1.

does clusterXL track the state of the vlan interface by default or do i have to enable it.

cause i tried removing the internal vlan on the trunk port of the switch but no failover happenend.

my failover only works when i create a critical device and report as problem.

i want when a vlan interface or a physical interface is down the failover should happen just like in other firewalls is this possible.

can u pls help me out.

thanks once again.

regards

sebastan

[chillyjim]

Only the lowest numbered VLAN is checked. I think there is a way to monitor additional VLANs but I don't know how off hand.

[sebastan_bach]

hi jim thanks a lot mate i will get the command from the documentation.

mate just one more query so if i am using physical internal and external interfaces then if a interface goes down failover should normally occur right without any additional configuration.

here since i am using vlans i will need to add additonal commands to get it working.

i feel these configuration options of the failover should been given via the gui . the splat cli is not user friendly and nor the switches of the commands are mentioned properly in the documentation.

waiting for ur reply mate.

thanks once again.

regards

sebastan

[chillyjim]

Quote:

Originally Posted by sebastan_bach

mate just one more query so if i am using physical internal and external interfaces then if a interface goes down failover should normally occur right without any additional configuration.

Yes that is correct

Quote:

here since i am using vlans i will need to add additonal commands to get it working.

Yes that is also correct

Quote:

i feel these configuration options of the failover should been given via the gui . the splat cli is not user friendly and nor the switches of the commands are mentioned properly in the documentation.

It is not a SPLAT configuration it is a kernel config. The parameter is "fwha_monitor_all_vlan"

As for adding this to the GUI, there isn't much call for it that I've seen.

How do other vendors handle it? I know PIX (<7) only monitored link state by default.

If monitoring all VLANs on a trunk port is on by default, how do you disable it with the other vendors?

Remember turning this on generates more traffic and in most cases will buy you very little.

[sebastan_bach]

hi jim thanks a lot for ur reply mate. mate i am running here into a problem i am not able to find the command for enabling monitoring of all the vlans here.

i could just find this command

fw ctl set int fwha_monitor_if_link_state 1. but this command is monitoring the state of the links.but since i am here using vlans i need the other command for enabling monitoring of vlans.

here i am running tcpdump on the firewall and i can see the ccp packets only on the sync and the vlan10 which is the lowest vlan . i am not able to see ccp packets on vlan 20 which is my external interface.

pls can u tell me where to find the command for doing the same.

thanks a lot for ur help.

waiting for ur reply.

regards

sebastan

[sebastan_bach]

hi jim i tried the command u mentioned in the post. it gives a error either the command or the argument is invalid. i guess i am missing more arguments to it. can u pls tell the complete command or the documentation to which i can refer too.

thanks waiting for ur reply.

regards

sebastan

[chillyjim]

It's a kernel option, not a CLI command. Look up how you modify $FWDIR/con/fwkern.conf (I think that's the file but I'm not sure).

[sebastan_bach]

hi jim u mean to say i need to modify the file and enter the syntax u wrote above to get it working.

pls help me out.

i been trying to get it working since many days.

waiting for ur reply.

regards

sebastan