1 Reply Latest reply on Jun 14, 2011 1:08 AM by wcoetsee

    Proxy HA Architecture behind FW with Layer2

      Hi All,

      I have another requirement for my implementation using two MWG 4500s running v7.2, one MWG in the main data centre and the other at the DR site. My design included the following:

      - Each MWG using 3 NICs

           - eth0 > Management, directly connected into the management L3 VLAN internally (no FW rules required)

           - eth1 > Production (proxy port), sitting behind the McAfee Sidewinder FW in a DMZ using an L2 VLAN; the VIP would also be in this VLAN and required FW rules to be created allowing proxy traffic through

           - eth3 > Heartbeat for proxy HA, also using an L2 VLAN (not behind the FW)

      - Customers have their internal network sitting behind dual (clustered) McAfee Enterprise Sidewinder FWs with numerous DMZs for services, followed by Internet breakout.

      Now I configured the solution as such, but I am experiencing problems with HA testing. I have a feeling this might be because of ARP issues (Cisco shop). Proxy services work fine, but as soon as I force an HA scenario by dropping eth1 on the primary site's MWG, or rebooting the MWG for that matter, proxy access stops and telnetting to the VIP on port 80 (in this case) doesn't work. When I have a look at the switching infrastructure I can see that the main MWG (the one being rebooted) still holds the MAC entry for the VIP, and not the DR MWG.

      Any ideas?

      thanks,

      Werner

        • 1. Re: Proxy HA Architecture behind FW with Layer2

          Ok, just an update. So I tested and figured the above might not work that well. I decided to can "eth3", the layer 2 heartbeat interface, and set up eth0 as management only and eth1 as PROD including the VIP and heartbeat. I set the Director priorities to 99 and 98. Now when I restart the mfend services on the 2nd GW, the HA works fine for about 30 sec and then it breaks and gives the error below. Any ideas???

           

          [blah1]
          mfend-lb -s
               device: blah1
          statechange:
                   ip: 1.1.1.100
                  ip6: ::
            protocols: 00000001
                  mac: xxxxxxxxxxxxx
                state: NETWORK
                stats: 0 0 47 0 0
          statusvalid: 1
                 type: director

               device: __SELF__
          statechange: 1308030961 (Tue Jun 14 15:56:01 2011)
                   ip: 0.0.0.0
                  ip6: ::
            protocols: 00000001
                  mac: xxxxxxxxxx
                state: OK
                stats: 0 0 11 0 -1
          statusvalid: 1
                 type: scanning

               device: blah2
          statechange: 1308031214 (Tue Jun 14 16:00:14 2011)
                   ip: 1.1.1.200
                  ip6: ::
            protocols: 00000001
                  mac: xxxxxxxxx
                state: FAULT
          statusvalid: 1
                 type: redundant


          [blah2]# mfend-lb -s
               device: blah2
          statechange:
                   ip: 1.1.1.200
                  ip6: ::
            protocols: 00000001
                  mac: xxxxxxxxxx
                state: REDUNDANT
          statusvalid: 1
                 type: redundant

               device: __SELF__
          statechange: 1308031201 (Tue Jun 14 16:00:01 2011)
                   ip: 0.0.0.0
                  ip6: ::
            protocols: 00000001
                  mac: xxxxxxxxxx
                state: OK
                stats: 0 0 0 0 0
          statusvalid: 1
                 type: scanning

               device: blah1
          statechange: 1308024536 (Tue Jun 14 14:08:56 2011)
                   ip: 1.1.1.100
                  ip6: ::
            protocols: 00000000
                  mac: xxxxxxxxxxxxx
                state: NETWORK
                stats: 0 -32 0 0 0
          statusvalid: 1
                 type: director
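An added diagnostic, as an example that is not part of this thread and not McAfee's own tooling: a Python script that parses `mfend-lb -s` dumps taken on both MWG nodes and reports members that are not in a healthy state, fields on which the two nodes disagree about the same peer (the split view above, where blah1 calls blah2 FAULT while blah2 calls itself REDUNDANT), and whether the nodes agree on the director's MAC. The two sample dumps are constructed to follow the layout posted above, with placeholder names, MACs and timestamps; which states count as healthy is an assumption.

```python
# Added example (not from the thread or McAfee's tooling): parse `mfend-lb -s`
# dumps taken on both MWG nodes and flag HA inconsistencies between them.
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed samples following the field layout posted in the thread.
# Device names, IPs, MACs and timestamps are placeholders, not real values.
VIEW_FROM_BLAH1 = """\
[blah1]# mfend-lb -s
     device: blah1
statechange:
         ip: 1.1.1.100
  protocols: 00000001
        mac: 02:00:00:00:00:01
      state: NETWORK
       type: director

     device: __SELF__
statechange: 1308030961 (Tue Jun 14 15:56:01 2011)
         ip: 0.0.0.0
  protocols: 00000001
        mac: 02:00:00:00:00:01
      state: OK
       type: scanning

     device: blah2
         ip: 1.1.1.200
  protocols: 00000001
        mac: 02:00:00:00:00:02
      state: FAULT
       type: redundant
"""

VIEW_FROM_BLAH2 = """\
[blah2]# mfend-lb -s
     device: blah2
         ip: 1.1.1.200
  protocols: 00000001
        mac: 02:00:00:00:00:02
      state: REDUNDANT
       type: redundant

     device: __SELF__
         ip: 0.0.0.0
  protocols: 00000001
        mac: 02:00:00:00:00:02
      state: OK
       type: scanning

     device: blah1
statechange: 1308024536 (Tue Jun 14 14:08:56 2011)
         ip: 1.1.1.100
  protocols: 00000000
        mac: 02:00:00:00:00:01
      state: NETWORK
       type: director
"""


def parse_status(text: str) -> List[Record]:
    """One dict per `device:` block; blank lines and the prompt line are skipped."""
    records: List[Record] = []
    current: Record = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")  # split once: values may hold ':'
        key, value = key.strip(), value.strip()
        if key == "device":  # every record begins with its device line
            current = {}
            records.append(current)
        if records:
            current[key] = value
    return records


HEALTHY = {"OK", "REDUNDANT"}  # assumption: any other state deserves a look


def unhealthy_members(records: List[Record]) -> List[Tuple[str, str, str]]:
    """(device, type, state) for every member whose state is not healthy."""
    return [(r["device"], r.get("type", "?"), r.get("state", "?"))
            for r in records if r.get("state") not in HEALTHY]


COMPARED = ("state", "type", "mac", "protocols")


def view_disagreements(view_a: List[Record], view_b: List[Record]) -> Dict[str, List[str]]:
    """Fields on which the two nodes describe the same peer differently.
    __SELF__ is each node's own entry and is skipped."""
    a = {r["device"]: r for r in view_a if r["device"] != "__SELF__"}
    b = {r["device"]: r for r in view_b if r["device"] != "__SELF__"}
    out: Dict[str, List[str]] = {}
    for dev in sorted(a.keys() & b.keys()):
        diff = [f for f in COMPARED if a[dev].get(f) != b[dev].get(f)]
        if diff:
            out[dev] = diff
    return out


def director_macs(views: List[List[Record]]) -> set:
    """MACs claimed for the director across views; more than one means the
    nodes disagree about who owns the VIP, which matches a stale-ARP symptom."""
    return {r["mac"] for v in views for r in v if r.get("type") == "director"}


if __name__ == "__main__":
    v1, v2 = parse_status(VIEW_FROM_BLAH1), parse_status(VIEW_FROM_BLAH2)
    print("unhealthy per blah1:", unhealthy_members(v1))
    print("unhealthy per blah2:", unhealthy_members(v2))
    print("disagreements:", view_disagreements(v1, v2))
    print("director MACs:", director_macs([v1, v2]))
```

Run it against real dumps by pasting each node's output into the two strings (or reading them from files); a disagreement on `state` or `mac` for the same peer, or more than one director MAC, is the first thing to check against the switch's MAC and ARP tables for the VIP.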