CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi there, I hope somebody is able to enlighten me with my queries about RainWall and the H.A. thing, even though it might not be appropriate to post the question in this forum. :) I just wonder: is it possible to set up a standalone firewall in HA/Load balancing mode first, before bringing up another firewall to join it as a cluster? I tried to configure HA mode via the CPCONFIG utility after I had configured certain rules and cluster objects, but once I had enabled HA mode and rebooted, it was suddenly unable to communicate with the management server and unable to ping any machine on the internal LAN, only the external network. I noticed the following about my ce1 card (during bootup):

Aug 19 12:07:37 saturno ip: [ID 856290 kern.notice] ip: joining multicasts failed (3) on ce1 - will use link layer broadcasts for multicast.

I realized that this happened when I enabled HA mode. Is there any solution for this? Is it a must to have another machine in order to create a cluster? Thanks very much in advance. Regards, Al
I can't say for certain that it will work, but I read some of the documentation on HA/Load Sharing... are you sure that your router/switch supports multicast? The ClusterXL docs say that you can enter the following on your router to test it: some_unicast_mac_address 01:00:5e:xx:xx:xx. There's also a list of supported routers/switches on page 53 of the ClusterXL doc. Upon talking to our Cisco engineers about a separate but related issue today, I got the impression there was some setup needed to enable multicast on the switch. HTH
Hi, our switch supports multicast. Oh, by the way, I found out that when I enable state synchronization/H.A. via CPCONFIG, it effectively blocks the interface (e1), which in turn disconnects communication between the enforcement and management servers. I'm not able to ping any machine on that private LAN, including the management server. This problem has given me the impression that I must have two enforcement servers if I want to do state synchronization/H.A. mode. Because of this, I turned off state synchronization/H.A. mode on the enforcement server and everything went back to normal. I just wonder, would it still work if I install a 3rd party H.A. product like RainWall and do not enable state synchronization/H.A. on the standalone enforcement server? Thanks in advance
Yes, you need two enforcement servers if you want to do HA. It may put the sync interface in (secure) mode by default; that could be why your connection stopped working once you enabled sync. Do you have a dedicated interface you can use for the sync network? It's highly recommended. Also, you can switch to broadcast if you're having problems with multicast with this command:

cphaprob set_ccp broadcast

(to change back, use multicast instead of broadcast)
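As an added illustration of the multicast point raised in the replies above (this is not code from the original thread or from Check Point): the link-layer address a switch has to forward for an IPv4 multicast group is derived from the group address by the RFC 1112 rule, which is where the 01:00:5e prefix in the earlier reply comes from, and the Solaris "joining multicasts failed" message quoted in the original question can be picked out of a syslog mechanically. The function names are the example's own; the syslog sample is constructed, with the first line copied from the question.

```python
import ipaddress
import re

# RFC 1112 section 6.4: an IPv4 multicast group maps to the Ethernet address
# 01:00:5e:00:00:00 with the low-order 23 bits of the group address ORed in.
# The top 5 bits of the host part are discarded, so 32 groups share one MAC,
# which is why a switch filtering on MAC alone cannot tell them apart.
MCAST_MAC_PREFIX = 0x01005E000000


def multicast_mac(group: str) -> str:
    """Return the link-layer MAC that frames for IPv4 multicast `group` carry."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac = MCAST_MAC_PREFIX | (int(addr) & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def is_ipv4_multicast_mac(mac: str) -> bool:
    """True for 01:00:5e:00:00:00 - 01:00:5e:7f:ff:ff; false for broadcast/unicast."""
    octets = [int(o, 16) for o in mac.lower().split(":")]
    return len(octets) == 6 and octets[:3] == [0x01, 0x00, 0x5E] and octets[3] < 0x80


# Solaris logs this when the kernel could not join a multicast group on an
# interface and fell back to link-layer broadcast. The number in parentheses
# is reported as-is; its meaning is left to the platform documentation.
JOIN_FAIL = re.compile(
    r"ip: joining multicasts failed \((\d+)\) on (\S+) - "
    r"will use link layer broadcasts for multicast"
)


def multicast_join_failures(lines):
    """Return (interface, code) for every multicast-join failure in syslog lines."""
    found = []
    for line in lines:
        m = JOIN_FAIL.search(line)
        if m:
            found.append((m.group(2), int(m.group(1))))
    return found


# Constructed sample: the first line is the one quoted in the question, the
# others are unrelated noise to show the filter ignores them.
SAMPLE_SYSLOG = [
    "Aug 19 12:07:37 saturno ip: [ID 856290 kern.notice] ip: joining multicasts "
    "failed (3) on ce1 - will use link layer broadcasts for multicast.",
    "Aug 19 12:07:38 saturno last message repeated 1 time",
    "Aug 19 12:07:40 saturno sshd[201]: accepted connection (constructed line)",
]

if __name__ == "__main__":
    for group in ("224.0.0.1", "239.255.255.250", "225.128.1.2"):
        print(group, "->", multicast_mac(group))
    print(multicast_join_failures(SAMPLE_SYSLOG))
```

The third sample group, 225.128.1.2, maps to the same MAC as 224.0.1.2 because bit 23 of the host part is dropped; that overlap is worth remembering when checking a switch's multicast forwarding table against the cluster's group address.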
I do have a dedicated interface for the sync network. When I enabled H.A. through CPCONFIG, it always blocked the interface (e1) where the DMZ LAN is connected. It doesn't go through the dedicated interface. I think I should enable it after the second enforcement server is ready. :)