613 Views 2 Replies Latest reply: May 13, 2013 4:56 AM by shprot RSS
shprot Newcomer 4 posts since
May 7, 2013

May 9, 2013 2:06 AM

MWG HA and LB 7.1.3


I manage an MWG cluster (5xwg5500). It works in Proxy HA mode.

All of the machines are connected to 2 different network segments (internal net and external net). These network segments are on two independent pairs of switches.

The internal interfaces of all appliances are connected to the internal network through 2 switches (2 mwg to one switch and 3 mwg to another switch).

Also, the external interfaces of all appliances are connected to the external network through 2 switches (2 mwg to one switch and 3 mwg to another switch).

There is also an additional network, dedicated to mwg flows, and this network is connected to the appliances through the external switches (2 mwg to one switch, 3 mwg to the second switch).

Two appliances also work as directors. The virtual IP is an IP address of the internal network. The VRRP interface is the interface connected to this third, additional network through the external pair of switches.

The management IP addresses belong to the external network.


In this scenario, a breakdown of one of the internal switches causes a partial production outage, because the active director can see all of the scanners as active (through the external network) and directs flows to them.

I tested this scenario in a test environment and the behavior was similar.

mfend-lb -l shows that all scanners are OK. mfend-lb -s shows that some flows are directed to a proxy which has its internal network disconnected, and all of these flows fail.


The question is: is there any solution to monitor multiple network segments and turn off a service on an appliance on which one of the network interfaces goes down?





Message was edited by: shprot on 5/9/13 2:06:57 AM CDT. I have added some kind of diagram. I hope it could be helpful.
  • Jon Scholten McAfee SME 856 posts since
    Nov 3, 2009
    1. May 9, 2013 4:44 PM (in response to shprot)
    Re: MWG HA and LB 7.1.3

    Hi Shprot,


    Thank you for the details. I may need further clarification but I'll give it a shot.


    Is there a reason to not have the VRRP interface / management IP be eth0 instead of the external interface (eth1/eth2)? The reason being that the health check / VRRP communication would still be happening and no new MWG needs to take over. This is why things failed on the client side (rather than the external side).



