Secure One Services Group

  • 1.  ProxySG | Please recommend about Failover

    Posted Jan 31, 2018 06:50 AM

    Dear All,

    I have a question about Failover. My customer is asking about a mail alert they received from the appliance. The information is as follows.

     

    2018-01-22 10:21:46+07:00ICT  "Failover: State changed from 'BACKUP' to 'MASTER' for group '10.0.1.201'"  0 4B0005:96 Mailed sgrp_worker.cpp:473

    2018-01-22 10:21:47+07:00ICT  "Failover: State changed from 'MASTER' to 'BACKUP' for group '10.0.1.201'"  0 4B0005:96 Mailed sgrp_worker.cpp:473

     

    The state change lasted just one second. They checked the switch network and did not find any issue at that time.

    Or did this event happen because the appliance has a process for checking the connection between Master and Backup? Please advise about this event.

     

    Thank you so much for your help.

     

    Best Regards,

    Chakuttha R.



  • 2.  RE: ProxySG | Please recommend about Failover

    Posted Jan 31, 2018 10:27 PM

    Hi Chakuttha,

     

    Failover happens when the device fails to receive the multicast from the current MASTER for 3 times the time interval set. The messages seem to be from the Backup device. Can you check what is set as the interval in the failover for both Master and Backup? Share a screenshot of the Failover settings from both if possible.



  • 3.  RE: ProxySG | Please recommend about Failover

    Broadcom Employee
    Posted Feb 01, 2018 03:30 PM

    Howdy Chakuttha! This KB article provides some more details about failover, including some timing:

     

    https://support.symantec.com/en_US/article.TECH241845.html



  • 4.  RE: ProxySG | Please recommend about Failover

    Posted Feb 02, 2018 12:05 AM

    Hi Chakuttha,

     

    Can you post the Failover configuration of the other proxy too? Also, I have sent you a private message. Do check that.



  • 5.  RE: ProxySG | Please recommend about Failover

    Posted Feb 02, 2018 02:21 AM

    Thank you so much for your recommendation.

    For the failover settings, please see below:

    CT
    !- BEGIN networking
    interface 0:0 ;mode
    ip-address 10.0.1.203 255.255.255.0
    exit
    virtual-ip clear
    virtual-ip address 10.0.1.201
    virtual-ip address 10.0.1.202
    failover ;mode
    create 10.0.1.201
    edit 10.0.1.201
    multicast-address 224.0.0.201
    master
    interval 5
    enable
    exit
    create 10.0.1.202
    edit 10.0.1.202
    multicast-address 224.0.0.202
    interval 10
    enable
    exit

    exit
    ip-default-gateway 10.0.1.1 1 100
    dns-forwarding ;mode
    edit primary
    clear server

    exit



  • 6.  RE: ProxySG | Please recommend about Failover

    Posted Feb 02, 2018 02:25 AM

    Dear Aravind,

    For the Failover configuration of both proxies, please see the attached files.

     

    Attachment(s)

    txt
    AZAY_Proxy1_0.txt   477 B 1 version
    txt
    AZAY_Proxy2_0.txt   479 B 1 version


  • 7.  RE: ProxySG | Please recommend about Failover
    Best Answer

    Posted Feb 02, 2018 02:40 AM

    Hi Chakuttha,

     

    The configuration is identical and is the expected way. Since the timeout for "10.0.1.201" is set as 5 seconds on both, the BACKUP will wait for 5 x 3 = 15 seconds to receive a multicast packet from the MASTER. If there is none for 15 seconds, it will start acting as MASTER. For the eventlog entry you have given, there seems to have been no multicast for 15 seconds, and just after the BACKUP turned to MASTER, the multicast packet arrived. This then made the device go back to the BACKUP state again. If this only happened one time, then it can be ignored. Possibly the multicast packet got lost for some reason. If this flapping is happening very frequently, then we may need to find out whether the multicast packet is getting dropped frequently or not. Do check the eventlog of the BACKUP device to see whether the issue is still happening or not.



  • 8.  RE: ProxySG | Please recommend about Failover

    Posted Feb 02, 2018 03:51 AM

    The main headache with failover is the network between the ProxySGs. Some networks manage to lose the multicast packets and then you will see similar issues.

    To investigate, I suggest you do a packet capture on the multicast IP address over a long period and check if you miss updates there. Do this on ALL nodes of a failover group.



  • 9.  RE: ProxySG | Please recommend about Failover

    Posted Feb 04, 2018 10:29 PM

    For the packet capture, use the function on the Proxy and filter only the multicast IP, right?



  • 10.  RE: ProxySG | Please recommend about Failover

    Posted Feb 05, 2018 11:48 PM

    Hi Chakuttha,

     

    Yes, you can set the filter "ip host 224.0.0.201" to capture the traffic over this multicast address, which is for the VIP 10.0.1.201. You will have to run this on both the proxies at the same time. Start the capture and wait until the failover happens. Stop the pcap and in that you might be able to find missing multicast packets.
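
    Added example, not part of the original thread and not vendor code: a small Python triage script for the two checks discussed above, finding short MASTER/BACKUP flaps in the event log and finding gaps of at least 3 x interval between multicast advertisements. The log regex is derived only from the two entries quoted in the first post, and the arrival times stand in for timestamps exported from a capture; both are assumptions.

```python
import re
from datetime import datetime

# Pattern built from the two event-log entries quoted in this thread (assumed format).
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?P<tz>[+-]\d{2}:\d{2})\S*\s+"
    r"\"Failover: State changed from '(?P<old>\w+)' to '(?P<new>\w+)' "
    r"for group '(?P<group>[^']+)'\"")

def parse_events(lines):
    """Yield (timestamp, group, old_state, new_state) for each failover entry."""
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            stamp = m["ts"] + m["tz"].replace(":", "")
            yield (datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S%z"),
                   m["group"], m["old"], m["new"])

def find_flaps(lines, window_s=10):
    """Return (group, promoted_at, held_s) where BACKUP->MASTER is undone within window_s."""
    promoted, flaps = {}, []
    for ts, group, old, new in parse_events(lines):
        if (old, new) == ("BACKUP", "MASTER"):
            promoted[group] = ts
        elif (old, new) == ("MASTER", "BACKUP") and group in promoted:
            start = promoted.pop(group)
            held = (ts - start).total_seconds()
            if held <= window_s:          # longer holds look like a real failover
                flaps.append((group, start, held))
    return flaps

def missed_advertisements(arrivals, interval_s, multiplier=3):
    """Return (gap_start, gap_s) for every gap of at least multiplier * interval_s."""
    limit = interval_s * multiplier
    return [(a, b - a) for a, b in zip(arrivals, arrivals[1:]) if b - a >= limit]

# The two entries from the first post.
SAMPLE_LOG = '''\
2018-01-22 10:21:46+07:00ICT  "Failover: State changed from 'BACKUP' to 'MASTER' for group '10.0.1.201'"  0 4B0005:96 Mailed sgrp_worker.cpp:473
2018-01-22 10:21:47+07:00ICT  "Failover: State changed from 'MASTER' to 'BACKUP' for group '10.0.1.201'"  0 4B0005:96 Mailed sgrp_worker.cpp:473
'''.splitlines()

# Constructed arrival times (seconds) of advertisements on 224.0.0.201, interval 5.
SAMPLE_ARRIVALS = [0, 5, 10, 15, 31, 36]

if __name__ == "__main__":
    for group, start, held in find_flaps(SAMPLE_LOG):
        print(f"flap on {group} at {start.isoformat()}, MASTER held {held:.0f}s")
    print("gaps >= 15s:", missed_advertisements(SAMPLE_ARRIVALS, interval_s=5))
```

    Run `find_flaps` over the event log of every node in the failover group; a recurring count points at dropped multicast rather than a one-off loss.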



  • 11.  RE: ProxySG | Please recommend about Failover

    Posted Feb 06, 2018 11:36 AM

    Thank you so much