We're in the process of moving into the IPv6 world. I need to enable v6 on the interfaces of our cluster. We have (2) 4016s firewalls in an Active/Passive cluster.
The other night i tried to enable IPv6 on the "internal" interface only to be greeted with a message saying that IPv6 cannot be enabled on the heartbeat zone. I then had to change the heartbeat zone from the "Internal" interface to another interface, in this case another much-less used interface. When i changed the heartbeat zone, i got a warning message saying that the firewalls would need to reboot to make the changes. I clicked OK only to find that the firewalls never rebooted. It seems, however, that the zone was changed anyway.
After this change, the passive firewall wont connect to the admin console. I checked the CLI via our KVM, and it's just fine. I'm also able to SSH to it. I rebooted the fw through SSH this morning; that made no difference. I can ping the firewall too. It simply wont connect via the admin console. The message in the console reads:
"This firewall is not available due to either an intentional system shutdown or a failed connection attempt. You must reconnect to obtain configuration information from this firewall."
Can someone help me fix this issue? I'm at a loss right now.
Oh i would have already, but our license renewal has been held up in the Purchasing dept for far too long.
Scratch that. I just submitted a service request.
i've sorted out the cluster issue yesterday (Sunday.) Here are the steps necessary to fix the cluster:
1. Remove the Secondary fw from the cluster in the HA window
2. Change Primary fw to Standalone
3. Enable IPv6 on both firewall's Internal interfaces, configure, save.
4. Enable IPv6 on External interface. I have not yet configured.
5. Run Cluster Wizard on Primary; create cluster, configure IPs, heartbeat zone, etc.
6. Remove all 'alias' IPs from Secondary fw. Only 'primary' IPs should be configured. When joining to an existing cluster, config will copy from Primary to Secondary
7. Run Cluster Wizard on Secondary. Join existing Cluster. Use the Primary's primary Heartbeat Zone IP address.
Now that i have my cluster re-created, and IPv6 enabled, the VPN to our remote location broke. Nothing has been modified with the VPN Definitions and it is still set to use v4, not v6. I'm assuming that enabling IPv6 somehow broke the connection. The remote firewall doesnt have v6 enabled.
Can anyone shed some light on how to go about re-enabling the VPN connection between the two firewalls?
I was able to fix our VPN connection last week. Turns out it was an oversight on my part when the cluster was recreated.
When the cluster was re-created, the Primary and Clustered external IPs were reordered in the list. I learned that this list is hierarchical, so certain connections will grab the 1st IP address in the list. Well, that 1st IP was used for a website, not the VPN. I reordered the IP list, but that still didnt quite fix the VPN.
Next, I went into the VPN properties and manually specified the external IP address that the VPN should use instead of the default "localhost."
So that fixed it. Case closed.
Download the new ePolicy Orchestrator (ePO) Support Center Extension which simplifies ePO management and provides support resources directly in the console. Learn more about ePO Support Center