We have three gateways in a cluster, two of which are configured in ProxyHA and have been replaced. The non-HA gateway is our backup and is not being replaced. I've already configured the two new HA proxies in a new cluster and they are working perfectly. Now I need to add the backup gateway to the new cluster.
I deleted the backup gateway from the old cluster. When I try to add it to the new cluster, it says "Join Cluster failed: only standalone nodes can join a cluster." No biggie, I just logged in directly to the non-HA gateway and it's showing that it still belongs to a cluster, which looks like the same cluster it was in. If I try to delete it from that cluster, it says it can't "because it is a user interface server". If I already deleted it from the cluster it belonged to, why does it keep itself in its own cluster?
My question is, am I supposed to now delete the cluster completely from the backup gateway (click Cluster and then click Delete)? I'm just scared that somehow it is still linking the cluster data to the old cluster and if I delete it from the backup gateway then it is going to impact the old cluster, which I don't want to do because we have not switched production Internet traffic to the new gateways yet.
I've had to remove and rejoin clusters before when updating but never had to rejoin one of them to a whole new cluster. So now I'm just looking for some confidence that if I delete the cluster on the backup it will not impact the others. Thank you.
Hope you are doing well.
You can make a device standalone from the MWG CLI using the steps below:
### MAKE STANDALONE FROM CLI ###
# Take Backup
/opt/mwg/bin/mwg-coordinator -B "file:in=ACTIVE,out=/opt/mwg/storage/backup_cache/default/temp_backup.backup"
# Restore backup with "options:cluster=standalone"
/opt/mwg/bin/mwg-coordinator -R "file:in=/opt/mwg/storage/backup_cache/default/temp_backup.backup;options:cluster=standalone"
Then please open the GUI of your new cluster -> navigate to Configuration -> Appliance -> Add/Join -> select Add appliance, and then check.
Thank you. I ran the commands and tried to add the appliance to the cluster. Now I get a new error:
"Add Appliance failed:
co_distribute_add_cluster_node: ssl failure on message socket 15 while sending request - last action: certificate verification"
Since this is very similar to the socket 14 error, I just exported the cert and key from the cluster and imported it into the backup gateway. Then tried to add it again and I get the same error. I restarted the proxy and same thing. Not sure it matters, but when I import the cert to the backup gateway, I provide the paths and password and click Import, the window goes away, but then nothing happens. The Save Changes button doesn't light up, there is no pop-up saying Import was successful, nothing. Not sure if that is expected behavior.
Any ideas or should I call in to support? Thank you.
Hope you are doing well.
Glad to hear that we made progress here after making the suggested changes.
A certificate verification error means the certificate used for central management is different between the master node and the new node.
So if the certificate used for central management is different between the present master node and the new node to be added, then you will see the certificate verification failed error as per below.
Add appliance failed: co_distribute_add_cluster_node: ssl failure on message socket 14 while sending request - last action: certificate verification. -- The Cluster CA was changed on your primary node while your secondary node is still making use of the default cluster CA. It's found under Configuration > Appliances tab > select Appliances (Cluster) > then Cluster CA will show up to the right. Verify that if you select this Cluster CA button 'McAfee Web Gateway Cluster CA' appears as the CA in use. If they are different, the CA in use on your primary node will need to be imported on your secondary node.
Please open the GUI of a node of your existing cluster and navigate to Configuration -> Appliance -> Cluster CA -> check what certificate is being used there.
When you navigate to option Configuration-> Appliances-> On the top it shows Cluster CA option.
You can download that certificate by navigating to Policy -> Settings -> SSL Client Context with CA -> Export cert and key.
Import this same certificate on the new node by navigating to Configuration -> Appliance -> Cluster CA -> Change CA.
Configuration -> Appliances -> ClusterCA (For further instructions please check the product guide of 7.7.2)
You can also create new cluster cert as per below links and get it applied to the nodes in your cluster if required.
You can also follow below link on how to generate a CM Cluster CA and import it in -> Configuration -> Appliances -> ClusterCA on both the devices and then try adding the devices and check:-
If you still need any further assistance on cluster cert then I would suggest to open a ticket with support.
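The reply above attributes the error to the two nodes holding different Cluster CAs, and the import on the backup gateway gave no visible confirmation. One way to check this outside the GUI is to export the Cluster CA from each node and compare the files on a workstation. The script below is an added example, not part of the thread or of the vendor's tooling. It assumes `openssl` is installed, that the exports are PEM files, and that the optional key file can be read without a passphrase prompt; all file names are placeholders.

```shell
#!/bin/sh
# Added example: compare the Cluster CA exported from two nodes.
# File names passed as arguments are placeholders chosen by the operator.

# SHA-256 fingerprint of a PEM certificate (empty output if unreadable).
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Usage: compare_cluster_ca PRIMARY_CA.pem NODE_CA.pem [NODE_CA.key]
# Returns 0 = same CA (and key fits), 1 = different CA,
#         2 = a certificate could not be parsed, 3 = key does not fit the cert.
compare_cluster_ca() {
    fp_primary=$(cert_fp "$1")
    fp_node=$(cert_fp "$2")
    if [ -z "$fp_primary" ] || [ -z "$fp_node" ]; then
        echo "ERROR: could not parse one of the certificates as PEM"
        return 2
    fi
    echo "primary: $fp_primary"
    echo "node:    $fp_node"
    if [ "$fp_primary" != "$fp_node" ]; then
        echo "MISMATCH: nodes use different Cluster CAs"
        return 1
    fi
    if [ -n "${3:-}" ]; then
        # The public key derived from the private key must equal the one in the cert.
        cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || cert_pub=""
        key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null) || key_pub=""
        if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "KEY MISMATCH: private key does not belong to this certificate"
            return 3
        fi
    fi
    echo "MATCH: both files carry the same Cluster CA"
    return 0
}

# Run directly: sh compare_ca.sh primary_ca.pem node_ca.pem [node_ca.key]
if [ "$#" -ge 2 ]; then
    compare_cluster_ca "$@"
fi
```

A MISMATCH result after an import means the import did not take effect on that node; a KEY MISMATCH means the exported key and certificate are not a pair.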