SNMP statistics are not shared between master and slave. SNMP managers have no failover
capabilities. Therefore both firewalls in a cluster need to be polled separately.
Logging
Log data will be coming from both master and slave. This means that the log receiver will have to
be configured to receive logs from both. It also means that all log queries will likely have to
include both master and slave as sources which will give all the log data in one result view.
Normally, the inactive unit will not be sending log entries about live traffic so the output should
look similar to that from one NetDefend Firewall.
Using Individual IP Addresses
The unique individual IP addresses of the master and slave cannot safely be used for anything
but management. Using them for anything else, such as for source IPs in dynamically NATed
connections or publishing services on them, will inevitably cause problems since unique IPs will
disappear when the firewall they belong to does.
The Shared IP Must Not Be 0.0.0.0
Assigning the IPv4 address 0.0.0.0 as the shared IP address must be avoided. This is not valid for
this purpose and will cause NetDefendOS to enter Lockdown Mode.
Failed Interfaces
Failed interfaces will not be detected unless they fail to the point where NetDefendOS cannot
continue to function. This means that failover will not occur if the active unit can still send "I am
alive" heartbeats to the inactive unit through any of its interfaces, even though one or more
interfaces may be inoperative.
However, by utilizing the NetDefendOS link monitoring feature, NetDefendOS can be configured
to trigger immediate HA failover on interface failure. This is discussed further in Section 11.6, “Link
Monitoring and HA”.
Changing the Cluster ID
Changing the cluster ID in a live environment is not recommended for two reasons. Firstly this
will change the hardware address of the shared IPs and will cause problems for all devices
attached to the local network, as they will keep the old hardware address in their ARP caches
until it times out. Such units would have to have their ARP caches flushed.
Secondly, this breaks the connection between the firewalls in the cluster for as long as they are
using different configurations. This will cause both firewalls to go active at the same time.
Invalid Checksums in Heartbeat Packets
Cluster Heartbeats packets are deliberately created with invalid checksums. This is done so that
they will not be routed. Some routers may flag this invalid checksum in their log messages.
Making OSPF work
If OSPF is being used to determine routing metrics then a cluster cannot be used as the
designated router.
If OSPF is to work then there must be another designated router available in the same OSPF area
Chapter 11: High Availability
835
To Next Page
Loading...
