cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

How can I monitor the status of the interface on a ERC cluster?

Jump to solution

HI all,

I've just configured 2 ERC in cluster and it seems that the cluster doesn't check the status of the data/mgmt interface : if I try to reboot the primary, the secondary becomes active after few seconds, while insted if I try to disconnect the data or the mgmt port, it doesn't switch and the primary (whit the two interface disconnected) mantains the VIP/eth1 interface active.

Is this behavior a normal? Do I have to enable this check enabling the check of the interface somewhere in the configuration??

Thanks in advance,

Mauro

1 Solution

Accepted Solutions

Re: How can I monitor the status of the interface on a ERC cluster?

Jump to solution

We opened a ticket and the support has worked developing a new fix.

The latest fix here

https://kc.mcafee.com/corporate/index?page=content&id=KB76668&cat=CORP_ADVANCED_CORRELATION_ENGINE&a...

has solved this issue

rerards,

Maur

View solution in original post

9 Replies

Re: How can I monitor the status of the interface on a ERC cluster?

Jump to solution

Speaking with engineering on this, unplugging the management ports is not sufficient to cause a failover because they have a heartbeat interface and that would still see the REC as up. when you power off the primary the secondary should failover and come online as primary and then your old primary should come up as secondary.

if you think that unplugging the management interfaces should be enough for a failover below is a link where you could log a PER for this request and you would be in contact with our PM group about it.

McAfee Product EnhancementRequests: https://mcafee.acceptondemand.com/index.jsp

Re: How can I monitor the status of the interface on a ERC cluster?

Jump to solution

Hi Aaron,

this ERC cluster has two usable interfaces: one interface dedicated to the mgmt (eth0) and the other (eth1) used as a shared data interface for the data traffic coming from all the log sourcers. I think that there must be a failover if  -at least- the data (eth1) interface goes down.

Thanks for your help,

Mauro

Re: How can I monitor the status of the interface on a ERC cluster?

Jump to solution

Hi,

Below is what I have found:

If we lose link on eth1, it should fail-over to the other machine. This is not a fast fail-over, it may take a couple of minutes before we are convinced that the link is truly lost.  If we lose the mgmt link, it will not fail-over because in most cases, it is still collecting data and the ESM has a good chance of being able to connect through the other interface.

Let me know if this answers your question or if you have other questions.

Re: How can I monitor the status of the interface on a ERC cluster?

Jump to solution

HI Aarron,

ok, I'll try to wait more time the next time, but the last one I've waited 2-3 minutes (maybe 5)  and the failover didn't work. Where did you find these informations?

I've tryed to search some informations on how the ERC cluster should works, but I dind't find many...

Best regards and thatnks for the support,

Mauro

Re: How can I monitor the status of the interface on a ERC cluster?

Jump to solution

Today I tried to disconnect the eth1 waiting  something like 10 minutes, but the failover didn't work. It seems that it works only rebooting the primary or disconnecting the heartbeat interface 😞 ....

Does anyone ever tried the failover disconnecting this shared interface (eth1)?

Thanks in advance,

Mauro

Message was edited by: maurovezz on 12/17/12 3:05:17 PM CST

Re: How can I monitor the status of the interface on a ERC cluster?

Jump to solution

I will follow up with our engineer about this, but this may be a case where you may need to either call our number or create a case for further investigation. I will respond with the engineers comments.

Re: How can I monitor the status of the interface on a ERC cluster?

Jump to solution

HI Aaron,

ok, thanks. Please noticed that we have the same behaviour both on a 1250 and 2600 ERC cluster...

best regards,

Mauro

Re: How can I monitor the status of the interface on a ERC cluster?

Jump to solution

Speaking with engineers they say it has been tested and at this point we would need to start collecting data from you so it may be best to log a case with us. include the version of both ESM and REC's you can get this by sshing to the device and typing: cat /etc/buildstamp

then if you could ssh to each of the HA pairs and get the /var/log/ha_nicmon.log from them that way we can further investigate this.

Re: How can I monitor the status of the interface on a ERC cluster?

Jump to solution

We opened a ticket and the support has worked developing a new fix.

The latest fix here

https://kc.mcafee.com/corporate/index?page=content&id=KB76668&cat=CORP_ADVANCED_CORRELATION_ENGINE&a...

has solved this issue

rerards,

Maur

View solution in original post

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community