CPUG: The Check Point User Group


Thread: Nortel 5111 Clustering HA with R62

  1. #1
    Join Date
    2006-05-24
    Posts
    30
    Rep Power
    0

    Default Nortel 5111 Clustering HA with R62

    Hi,

    We had NSF 5111 on R62 in cluster HA. Unfortunately one of the boxes (FW2) went faulty and now a new box has arrived. To join the new box to the cluster, what are the steps involved?

    The HA configuration is such that my FW1 (Firewall 1) will always be the preferred master. Currently FW1 is up and fine and all the traffic is flowing via FW1 only.

    We have tried to join the new box (FW2) by factory defaulting FW2 and then joining, but we are getting an error after putting in the FW2 IP, MIP and admin password:
    "Unable to contact the system"

    At the time of joining it is asking the following:

    [Setup Menu]

    clone - Clone the configuration
    join - Join an existing cluster
    new - Initialize host as a new installation
    boot - Boot menu
    info - Information menu
    exit - Exit [global command, always available]

    >> Setup# join

    Setup will guide you through the initial configuration of the Firewall.

    Enter port number for the management interface [1-6]: 1

    Enter IP address for this machine: 1.1.1.2

    Enter network mask [255.255.255.0]:

    Enter VLAN tag id (or zero for no VLAN) [0]: 0

    The system is initialized by connecting to the management server

    on an existing Firewall, which must be operational and initialized.

    Enter the Management IP (MIP) address: 1.1.1.3

    Enter the existing admin user password:

    ...Error:
    Unable to contact the system

    Please note that I am putting in the existing admin user password for Firewall 1, which is currently working and is the master.

    1.1.1.1 -- FW1 management interface IP

    1.1.1.2 -- FW2 management interface IP

    1.1.1.3 -- MIP for the cluster

    Please let me know if I am correct.

  2. #2
    Join Date
    2005-12-29
    Posts
    37
    Rep Power
    0

    Default Re: Nortel 5111 Clustering HA with R62

    Hi,

    I am not sure how the 5111 works, as we have a 6426 or 6626 cluster. However, you can give it a try.

    One way is to log in to your FW1 and go to /cfg/pnp/list, which will give you the cluster member IP addresses. If you see your FW2 there, then del it and apply, and then add the same again. Make sure that when you are adding this the second box is not connected. Apply the settings and then try replugging the second box and see whether it is able to join automatically or not. If not, then power cycle the second box.

    The other way is the one which you are trying, but if possible then try issuing the command /maint/diag/unldplcy, which will unload the current policies from FW1, and then try rejoining with the process which you described in your problem. Remember that this will cost you downtime for some time. Also verify that you have allowed the firewall network in /cfg/sys/accesslist/.

    Regards,
    Sudhir
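
The address and access-list checks suggested in the reply above, as an added example (not part of the original posts and not Nortel tooling). It assumes the access list entries have been copied by hand from the master's /cfg/sys/accesslist menu into (network, mask) pairs; the function name and the sample access-list entries are constructed, and the addresses are the ones given in post #1.

```python
import ipaddress

def prejoin_check(new_ip, netmask, mip, member_ips, access_list):
    """Return a list of problems to fix before running 'join' on the new box.

    access_list holds (network, mask) pairs copied by hand from the master;
    that input format is an assumption of this example.
    """
    problems = []
    new = ipaddress.ip_address(new_ip)
    # Management subnet as the new box will see it after setup.
    subnet = ipaddress.ip_network(f"{new_ip}/{netmask}", strict=False)

    # The MIP must be reachable on the new box's own management subnet.
    if ipaddress.ip_address(mip) not in subnet:
        problems.append(f"MIP {mip} is outside {subnet}")

    # The new address must not collide with the MIP or an existing member.
    in_use = {ipaddress.ip_address(a) for a in member_ips}
    in_use.add(ipaddress.ip_address(mip))
    if new in in_use:
        problems.append(f"{new_ip} is already used by the cluster")

    # Assumption: only networks in the access list may reach the
    # management services on the master.
    allowed = [ipaddress.ip_network(f"{n}/{m}", strict=False)
               for n, m in access_list]
    if not any(new in net for net in allowed):
        problems.append(f"{new_ip} is not covered by the access list")
    return problems

if __name__ == "__main__":
    # Addresses from post #1; access list entries are constructed samples.
    members = ["1.1.1.1"]
    for acl in ([("10.0.0.0", "255.255.255.0")],
                [("1.1.1.0", "255.255.255.0")]):
        result = prejoin_check("1.1.1.2", "255.255.255.0",
                               "1.1.1.3", members, acl)
        print(acl, "->", result or "no problems found")
```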

  3. #3
    Join Date
    2008-09-02
    Posts
    5
    Rep Power
    0

    Default Re: Nortel 5111 Clustering HA with R62

    Hi,

    Hey, just check the sync cable on both directors, which should be on another network range.

    Thanks
    shridhar



  4. #4
    Join Date
    2011-04-18
    Location
    Mumbai, India
    Posts
    12
    Rep Power
    0

    Default Re: Nortel 5111 Clustering HA with R62

    The same issue is occurring here.

    Has anybody successfully joined the secondary box in the cluster?

    Please share the procedure to follow the process...

  5. #5
    Join Date
    2011-04-18
    Location
    Mumbai, India
    Posts
    12
    Rep Power
    0

    Default Re: Nortel 5111 Clustering HA with R62

    Had a bad experience with the Nortel ASF 5111.

    • Primary firewall (172.16.68.24) was up and running in the network.
    • Tried to join the secondary firewall (172.16.68.25) to the cluster with the primary, but the error “Unable to contact system” occurred.
    • Changed the secondary firewall IP to 172.16.68.22, which brought FW2 into the cluster, but received an error pertaining to the old IP (172.16.68.25) on the console.
    • To avoid the conflict and complexity, removed the old 172.16.68.25 on FW1, after which FW1 started malfunctioning. Traffic/services were impacted and we observed that ports were flapping between UP & DOWN states.
    • After discussing with the customer, we tried to configure FW2 manually, during which the MGMT server was unreachable from the gateway. The traceroute path was leading to the external (outside) segment instead of the internal one. This seemed like a software bug.

    We took customer approval to configure Check Point on a desktop having 3 NICs. The same was installed in the network after having a huge DT.
