HA Questions - failover does not work anymore

Hi,

It is about two McAfee Firewalls 410F, Version 7.0.1.02, in HA, designated as primary/standby cluster.

The failover has always worked, but after a reboot today, both firewalls are no longer connected "in HA".

FW1                    169.254.200.2

FW2                    169.254.200.3

Failover-IP         169.254.200.1

Both FW are directly connected, with a patch cable. I have rebooted both systems repeatedly.

======================================================

FW1

fw1-master:Admn {5} % cf cluster status
                        HA Cluster Status Information
                        =============================
Primary Host:        fw1-master.bcc.de
Primary IP Address:  169.254.200.2
Cluster Burb:        'failover'
Cluster Cert:        'Default_Enterprise_Certificate'
Cluster CA:          'Default_Enterprise_CA'

Member Name          State         IP Address
-------------------- ------------- ---------------
fw1-master.bcc.de    registered    169.254.200.2
fw2-backup.bcc.de    registered    169.254.200.3

                      Policy and Peer Connection Status
                      =================================
fw1-master.bcc.de (primary)
--------------------------------
    Connection State  :  Localhost
    Policy Version    :  2112-1391709186.34-1391729592
    FW Version        :  70102
    Status            :  Up to date - Current

fw2-backup.bcc.de (peer)
----------------------------
    Connection State  :  Not Connected
    Last Dispatch     :  Never dispatched
    Policy Version    :  Unknown
    FW Version        :  70102
    Status            :  Lost Connection

fw1-master:Admn {4} % ping 169.254.200.3
PING 169.254.200.3 (169.254.200.3): 56 data bytes
64 bytes from 169.254.200.3: icmp_seq=0 ttl=64 time=0.254 ms
64 bytes from 169.254.200.3: icmp_seq=1 ttl=64 time=0.223 ms
64 bytes from 169.254.200.3: icmp_seq=2 ttl=64 time=0.378 ms
64 bytes from 169.254.200.3: icmp_seq=3 ttl=64 time=2.465 ms
64 bytes from 169.254.200.3: icmp_seq=4 ttl=64 time=0.391 ms

-----------------------------------------------------------------------------------------------------------------

FW2

fw2-backup:Admn {3} % cf cluster status
                        HA Cluster Status Information
                        =============================
Primary Host:        fw1-master.bcc.de
Primary IP Address:  169.254.200.2
Cluster Burb:        'failover'
Cluster Cert:        'Default_Enterprise_Certificate'
Cluster CA:          'Default_Enterprise_CA'

Member Name          State         IP Address
-------------------- ------------- ---------------
fw1-master.bcc.de    registered    169.254.200.2
fw2-backup.bcc.de    registered    169.254.200.3

                      Policy and Peer Connection Status
                      =================================
fw1-master.bcc.de (primary)
--------------------------------
    Connection State  :  Not Connected
    Last Dispatch     :  Never dispatched
    Policy Version    :  Unknown
    FW Version        :  70102
    Status            :  Lost Connection

fw2-backup.bcc.de (peer)
----------------------------
    Connection State  :  Localhost
    Policy Version    :  2106-1391708111.25-1391729583
    FW Version        :  70102
    Status            :  Up to date - Current

fw2-backup:Admn {2} % ping 169.254.200.2
PING 169.254.200.2 (169.254.200.2): 56 data bytes
64 bytes from 169.254.200.2: icmp_seq=0 ttl=64 time=0.409 ms
64 bytes from 169.254.200.2: icmp_seq=1 ttl=64 time=0.228 ms
64 bytes from 169.254.200.2: icmp_seq=2 ttl=64 time=0.239 ms
64 bytes from 169.254.200.2: icmp_seq=3 ttl=64 time=0.228 ms

Do you have a few helpful commands or debugging options for me?

showaudit -e -k?

tcpdump?

Many thanks!

Accepted Solutions
Re: HA Questions - failover does not work anymore

Hello,

The "cf cluster status" is showing whether or not the policy synchronization is working or not (and in your case it is not). If you want to make sure HA failover is working properly, try running "cf cluster failoverstatus".

You might be running into an issue where the synchronization certificate has expired. Try taking a look at this kb:

http://kc.mcafee.com/corporate/index?page=content&id=KB75994

-Matt
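
As an added example (not part of the original post and not McAfee code), a small Python parser for the `cf cluster status` output posted above that separates cluster registration from the policy/peer connection state, which is the distinction this answer draws. The sample text is a trimmed copy of the fw1 output from the question; the function names are illustrative.

```python
import re

# Constructed sample: trimmed `cf cluster status` output from fw1, as posted in the question.
SAMPLE = """\
Member Name          State         IP Address
-------------------- ------------- ---------------
fw1-master.bcc.de registered    169.254.200.2
fw2-backup.bcc.de registered    169.254.200.3
                      Policy and Peer Connection Status
                      =================================
fw1-master.bcc.de (primary)
--------------------------------
    Connection State  :  Localhost
    Policy Version    :  2112-1391709186.34-1391729592
    FW Version        :  70102
    Status            :  Up to date - Current
fw2-backup.bcc.de (peer)
----------------------------
    Connection State  :  Not Connected
    Last Dispatch     :  Never dispatched
    Policy Version    :  Unknown
    FW Version        :  70102
    Status            :  Lost Connection
"""

MEMBER = re.compile(r"^(\S+)\s+(\w+)\s+(\d+\.\d+\.\d+\.\d+)\s*$")
SECTION = re.compile(r"^(\S+) \((primary|peer)\)\s*$")
FIELD = re.compile(r"^\s+([A-Za-z ]+?)\s*:\s+(.*?)\s*$")

def parse_cluster_status(text):
    """Return (registered members, per-host policy/peer fields)."""
    members, peers, current = {}, {}, None
    for line in text.splitlines():
        if m := SECTION.match(line):
            current = peers.setdefault(m.group(1), {"role": m.group(2)})
        elif (m := FIELD.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
        elif m := MEMBER.match(line):
            members[m.group(1)] = {"state": m.group(2), "ip": m.group(3)}
    return members, peers

def sync_broken(members, peers):
    """Hosts that are registered members but whose policy connection is down."""
    return sorted(h for h, f in peers.items()
                  if members.get(h, {}).get("state") == "registered"
                  and f.get("Connection State") == "Not Connected")
```

In this thread that combination (member registered, ping working, policy connection "Not Connected") turned out to be the expired synchronization certificate.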
Re: HA Questions - failover does not work anymore

Hi Matt,

mtuma wrote:

You might be running into an issue where the synchronization certificate has expired. Try taking a look at this kb:

http://kc.mcafee.com/corporate/index?page=content&id=KB75994

-Matt


This was the problem, great! Thanks for your help!!!