wcoetsee
Level 7

Proxy HA Architecture behind FW with Layer2

Hi All,

I have another requirement for my implementation using two MWG 4500s running v7.2: one MWG in the main data centre and the other at the DR site. My design included the following:

- Each MWG using 3 NICs:
     - eth0 > Management, directly connected into the management L3 VLAN internally (no FW rules required)
     - eth1 > Production (proxy port), sitting behind a McAfee Sidewinder FW in a DMZ using an L2 VLAN; the VIP would also be in this VLAN and FW rules were created allowing proxy traffic through
     - eth3 > Heartbeat for proxy HA, also using an L2 VLAN (not behind the FW)

- Customers have their internal network sitting behind dual (clustered) McAfee Enterprise Sidewinder FWs with numerous DMZs for services, followed by Internet breakout.

Now I configured the solution as such, but I am experiencing problems with HA testing. I have a feeling this might be because of ARP issues (Cisco shop). Proxy services work fine, but as soon as I force an HA scenario by dropping eth1 on the primary site's MWG (or rebooting the MWG, for that matter) proxy access stops and telnetting to the VIP on port 80 (in this case) doesn't work. When I have a look at the switching infrastructure I can see that the main MWG (the one being rebooted) still holds the MAC entry for the VIP, and not the DR MWG.

Any ideas?

thanks,

Werner

0 Kudos
1 Reply
wcoetsee
Level 7

Re: Proxy HA Architecture behind FW with Layer2

OK, just an update. I tested and figured the above might not work that well. I decided to can "eth3", the layer 2 heartbeat interface, and set up eth0 as management only and eth1 as PROD, including the VIP and heartbeat. Set Director priorities to 99 and 98. Now when I restart the mfend services on the 2nd GW the HA works fine for about 30 sec and then it breaks and gives the below error. Any ideas???

[blah1]# mfend-lb -s
     device: blah1
statechange:
         ip: 1.1.1.100
        ip6: ::
  protocols: 00000001
        mac: xxxxxxxxxxxxx
      state: NETWORK
      stats: 0 0 47 0 0
statusvalid: 1
       type: director

     device: __SELF__
statechange: 1308030961 (Tue Jun 14 15:56:01 2011)
         ip: 0.0.0.0
        ip6: ::
  protocols: 00000001
        mac: xxxxxxxxxx
      state: OK
      stats: 0 0 11 0 -1
statusvalid: 1
       type: scanning

     device: blah2
statechange: 1308031214 (Tue Jun 14 16:00:14 2011)
         ip: 1.1.1.200
        ip6: ::
  protocols: 00000001
        mac: xxxxxxxxx
      state: FAULT
statusvalid: 1
       type: redundant

[blah2]# mfend-lb -s
     device: blah2
statechange:
         ip: 1.1.1.200
        ip6: ::
  protocols: 00000001
        mac: xxxxxxxxxx
      state: REDUNDANT
statusvalid: 1
       type: redundant

     device: __SELF__
statechange: 1308031201 (Tue Jun 14 16:00:01 2011)
         ip: 0.0.0.0
        ip6: ::
  protocols: 00000001
        mac: xxxxxxxxxx
      state: OK
      stats: 0 0 0 0 0
statusvalid: 1
       type: scanning

     device: blah1
statechange: 1308024536 (Tue Jun 14 14:08:56 2011)
         ip: 1.1.1.100
        ip6: ::
  protocols: 00000000
        mac: xxxxxxxxxxxxx
      state: NETWORK
      stats: 0 -32 0 0 0
statusvalid: 1
       type: director

0 Kudos
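Two things a practitioner would want to check in the situation described in this thread are (a) whether the `mfend-lb -s` status above actually shows a healthy director/redundant pair, and (b) whether the switching infrastructure still maps the VIP to the MAC of the node that was rebooted, the symptom reported in the first post. The following Python script is an added example, not code from the original thread or from McAfee: it parses the `key: value` record layout of `mfend-lb -s` as shown in the post, flags FAULT states, invalid status and a missing or duplicated director, and compares the director's MAC against a neighbour-table line (`ip neigh show` format) for the VIP. The VIP `1.1.1.250`, the MAC addresses and the neighbour line are constructed placeholders; the assumption that the node of type `director` is the one answering ARP for the VIP is mine, not something the thread states.

```python
"""Parse `mfend-lb -s` output and sanity-check MWG HA state (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the layout of the thread's output. The three MACs
# are made up; the states mirror the failing run in the second post.
SAMPLE_STATUS = """\
[blah1]# mfend-lb -s
     device: blah1
statechange:
         ip: 1.1.1.100
        ip6: ::
  protocols: 00000001
        mac: 00:50:56:aa:00:01
      state: NETWORK
      stats: 0 0 47 0 0
statusvalid: 1
       type: director

     device: __SELF__
statechange: 1308030961 (Tue Jun 14 15:56:01 2011)
         ip: 0.0.0.0
        ip6: ::
  protocols: 00000001
        mac: 00:50:56:aa:00:02
      state: OK
      stats: 0 0 11 0 -1
statusvalid: 1
       type: scanning

     device: blah2
statechange: 1308031214 (Tue Jun 14 16:00:14 2011)
         ip: 1.1.1.200
        ip6: ::
  protocols: 00000001
        mac: 00:50:56:aa:00:03
      state: FAULT
statusvalid: 1
       type: redundant
"""

# Constructed `ip neigh show` line from a host in the proxy VLAN: the VIP still
# maps to blah2's MAC although blah1 is the director (the stale-ARP symptom).
VIP = "1.1.1.250"  # placeholder; the thread does not give the real VIP
SAMPLE_NEIGH = "1.1.1.250 dev eth0 lladdr 00:50:56:aa:00:03 STALE\n"

FIELD_RE = re.compile(r"^\s*(\w+):\s*(.*?)\s*$")
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9A-Fa-f:]{17})\s+(\S+)")


def parse_status(text: str) -> List[Dict[str, str]]:
    """Return one dict per 'device:' record; empty values (e.g. 'statechange:') stay ''."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # blank lines and the shell prompt are not fields
        key, value = m.group(1), m.group(2)
        if key == "device":
            current = {"device": value}
            records.append(current)
        elif current is not None:
            current[key] = value
    return records


def find_problems(records: List[Dict[str, str]]) -> List[str]:
    """Flag FAULT states, invalid status entries and a missing/duplicated director."""
    problems: List[str] = []
    directors = [r for r in records if r.get("type") == "director"]
    if len(directors) != 1:
        problems.append(f"expected exactly one director, found {len(directors)}")
    for r in records:
        if r.get("state") == "FAULT":
            problems.append(f"{r['device']} ({r.get('type')}) is in state FAULT")
        if r.get("statusvalid") != "1":
            problems.append(f"{r['device']} reports statusvalid={r.get('statusvalid')}")
    return problems


def neigh_mac(neigh_text: str, ip: str) -> Optional[str]:
    """Return the lower-cased MAC recorded for `ip` in `ip neigh show` output, if any."""
    for line in neigh_text.splitlines():
        m = NEIGH_RE.match(line)
        if m and m.group(1) == ip:
            return m.group(2).lower()
    return None


def vip_owner_ok(records: List[Dict[str, str]], neigh_text: str, vip: str) -> bool:
    """Assumption: the 'director' node answers ARP for the VIP, so the neighbour
    entry for the VIP must carry the director's MAC. False means neighbours still
    point at another node, i.e. failover did not update them."""
    directors = [r for r in records if r.get("type") == "director"]
    if len(directors) != 1:
        return False
    return neigh_mac(neigh_text, vip) == directors[0].get("mac", "").lower()


if __name__ == "__main__":
    recs = parse_status(SAMPLE_STATUS)
    for p in find_problems(recs):
        print("problem:", p)
    print("VIP neighbour entry matches director:", vip_owner_ok(recs, SAMPLE_NEIGH, VIP))
```

In practice you would feed it the real `mfend-lb -s` output from each node and an `ip neigh show` (or the switch's ARP/CAM table, after adapting `NEIGH_RE`) taken from a client in the proxy VLAN right after forcing a failover; a `False` from `vip_owner_ok` a minute after the switch-over points at the gratuitous-ARP/MAC-move problem rather than at proxy policy.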