Message 1 of 3

MWG HA and LB 7.1.3


I manage an MWG cluster (5xwg5500). It works in Proxy HA mode.

All of the machines are connected to 2 different network segments (internal net and external net). These network segments are on two independent pairs of switches.

Internal interfaces of all appliances are connected to the internal network through 2 switches (2 mwg to one switch and 3 mwg to another switch).

Also, external interfaces of all appliances are connected to the external network through 2 switches (2 mwg to one switch and 3 mwg to another switch).

There is also an additional network, dedicated to mwg flows, and this network is connected to the appliances through the external switches (2 mwg to one switch, 3 mwg to the second switch).

Two appliances are also working as directors. The virtual IP is an IP address of the internal network. The VRRP interface is the interface connected to this third, additional network through the external pair of switches.

Management IP addresses belong to the external network.

In this scenario, a breakdown of one of the internal switches causes a partial production outage, because the active director can see all of the scanners as active (through the external network) and directs flows to them.

I tested this scenario in a test environment and the behavior was similar.

mfend-lb -l shows that all scanners are OK. mfend-lb -s shows that some flows are directed to a proxy which has the internal network disconnected, and all of these flows fail.

The question is: is there any solution to monitor multiple network segments and turn off a service on an appliance on which one of the network interfaces goes down?



Message was edited by: shprot
I have added some kind of diagram. I hope it could be helpful.  on 5/9/13 2:06:57 AM CDT
2 Replies
McAfee Employee
Message 2 of 3

Re: MWG HA and LB 7.1.3

Hi Shprot,

Thank you for the details. I may need further clarification but I'll give it a shot.

Is there a reason to not have the VRRP interface / management IP be eth0 instead of the external interface (eth1/eth2)? The reason is that the health check / VRRP communication would still be happening and no new MWG needs to take over. This is why things failed on the client side (rather than external side).



Message 3 of 3

Re: MWG HA and LB 7.1.3

Hi Jon,

Thank you for your suggestions. In the test environment, I have moved the VRRP interface to eth0 and changed the IP addresses of the management interfaces to the eth0 network address pool.

In this scenario a breakdown of switch-int-2 doesn't cause any production outage, however a breakdown of switch-ext-1 or switch-ext-2 does.

I think that a very similar situation was described in this thread

Have you got any further solution to avoid a production outage during network physical layer problems in redundant environments?



Message was edited by: shprot on 5/13/13 4:57:21 AM CDT
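
The failure discussed in this thread comes from the director checking scanner health over a single network, so a scanner that has lost a different link still receives flows. The following is an added example, not code from the thread or from McAfee: a per-node watchdog that checks link state on every attached segment and withdraws the node when any of them is down. It assumes a Linux node exposing sysfs; the interface names and the withdraw/restore commands are placeholders.

```shell
#!/bin/sh
# Added example (not McAfee code): per-node link watchdog.
# Assumptions: Linux sysfs on the node; interface names and the
# withdraw/restore commands are placeholders to replace.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"            # overridable for testing
WATCHED_IFACES="${WATCHED_IFACES:-eth0 eth1 eth2}"  # hypothetical names
WITHDRAW_CMD="${WITHDRAW_CMD:-echo PLACEHOLDER-stop-proxy-service}"
RESTORE_CMD="${RESTORE_CMD:-echo PLACEHOLDER-start-proxy-service}"

# Succeeds only when the kernel reports carrier (link) on interface $1.
link_up() {
    carrier_file="$SYSFS_NET/$1/carrier"
    [ -r "$carrier_file" ] || return 1
    # Reading carrier fails when the interface is administratively down.
    state=$(cat "$carrier_file" 2>/dev/null) || return 1
    [ "$state" = "1" ]
}

# Prints the watched interfaces that have no link, space separated.
down_ifaces() {
    down=""
    for ifc in $WATCHED_IFACES; do
        link_up "$ifc" || down="$down $ifc"
    done
    echo "${down# }"
}

# $1 = down list, $2 = consecutive bad polls, $3 = threshold (debounce).
decide() {
    if [ -z "$1" ]; then echo serve
    elif [ "$2" -ge "$3" ]; then echo withdraw
    else echo wait
    fi
}

# Poll loop: withdraw the node after 3 bad polls, restore when all links return.
watchdog() {
    fails=0; last=serve
    while :; do
        down=$(down_ifaces)
        if [ -z "$down" ]; then fails=0; else fails=$((fails + 1)); fi
        action=$(decide "$down" "$fails" 3)
        if [ "$action" != wait ] && [ "$action" != "$last" ]; then
            if [ "$action" = withdraw ]; then $WITHDRAW_CMD; else $RESTORE_CMD; fi
            last=$action
        fi
        sleep 5
    done
}
if [ "${1:-}" = run ]; then watchdog; fi
```

Carrier state only detects a failure on the directly attached link or switch; a fault further upstream would need an additional reachability probe per segment.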