2 Replies Latest reply on Mar 19, 2014 3:52 PM by jclear

    New Failover HA - Interfaces


I am running 8.2.1 on two 2150F with the same NICs installed.  Presently one 2150F, "A", is operating standalone with no network link redundancy; with internal, external and DMZ zones; and single Ethernet port in each.  The second 2150F, "B", has a fresh install.  I'd like to set up B with two port LAGs for each zone, then create a Failover HA cluster with A as the first member.  Then after B synchronizes, I want to failover to B so I can keep operating while I change A's interfaces to LAGs for maximum redundancy.


      So first question.  The PG says that, among other things, "number and types of interfaces" "must be configured identically on both firewalls before you configure HA".  If I take that literally, then it appears to invalidate my plan.  If I take a more liberal interpretation, will having identical zone/subnet connectivity suffice?   Also do the interface names need to match?  It's abundantly clear that the zone names and their index values must match, but I find I need more information about the interfaces.


      Second, the existing DMZ zone is going to be abandoned in the next few months, and there were no plans to have an active connection to B for it.  While B can be configured to have the zone and IP for that DMZ it's not planned to plug it in for logistical reasons.  Since there is no resulting decrease in redundancy for the old DMZ this was accepted.  But would this inactive port prevent B from ever becoming the active member if A failed?


      Also, is there any change to the answers for versions 8.3.1 or 8.3.2?  Or for 5032s?






      Message was edited by: jclear, to fix a typo on 3/12/14 1:40:11 PM CDT
        • 1. Re: New Failover HA - Interfaces

          You will not be able to make an HA pair out of these two firewalls as they have different interface 'types.'  The interface type is denoted by the 'entrytype' key in the 'cf interface query' output.  For HA pairs you can have entrytype=interface (standard interface), vlan, or nic_group (LAGG).  The entrytypes must match on each firewall so that the primary can push its configuration over to the secondary; it cannot push the Cluster IP information over to a secondary which does not have the same types of interfaces that it has itself.


          You must turn off 'Link monitoring' for any HA interfaces which are not being used (e.g. interfaces that are not plugged in).  If a secondary has an interface that is unplugged but has link monitoring enabled then that firewall will not take over if the primary goes down.
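The reply above boils down to a pre-flight check: before trying to form the HA pair, compare the 'entrytype' of every interface on both firewalls, zone by zone, and stop if any differ. Below is an added example of that comparison, written for this thread and not part of the original post or of the vendor's tooling. The two sample outputs are constructed; they assume a simple key=value layout with a 'name', 'zone' and 'entrytype' field per line, which is only modelled on what the reply describes and is not a verbatim capture of 'cf interface query'.

```python
import re

# Constructed sample outputs (assumed key=value layout, one interface per line).
# Firewall A: single standard interfaces in each zone.
FW_A = """\
name=em0 entrytype=interface zone=internal
name=em1 entrytype=interface zone=external
name=em2 entrytype=interface zone=dmz
"""
# Firewall B: two-port LAGs for internal and external, plain interface for dmz.
FW_B = """\
name=lagg0 entrytype=nic_group zone=internal
name=lagg1 entrytype=nic_group zone=external
name=em2 entrytype=interface zone=dmz
"""


def parse_entrytypes(output):
    """Map each zone to the entrytype of the interface serving it.

    Only lines that carry an 'entrytype' key are considered; everything
    else in the output is ignored.
    """
    by_zone = {}
    for line in output.splitlines():
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        if "entrytype" in fields:
            # Fall back to the interface name if no zone is listed.
            key = fields.get("zone") or fields.get("name")
            by_zone[key] = fields["entrytype"]
    return by_zone


def ha_mismatches(a, b):
    """Return (zone, entrytype_on_a, entrytype_on_b) for every zone whose
    entrytype differs, or that exists on only one firewall (type None)."""
    mismatches = []
    for zone in sorted(set(a) | set(b)):
        type_a, type_b = a.get(zone), b.get(zone)
        if type_a != type_b:
            mismatches.append((zone, type_a, type_b))
    return mismatches


def ha_ready(output_a, output_b):
    """True only when every zone has the same entrytype on both firewalls."""
    return not ha_mismatches(parse_entrytypes(output_a), parse_entrytypes(output_b))


if __name__ == "__main__":
    for zone, ta, tb in ha_mismatches(parse_entrytypes(FW_A), parse_entrytypes(FW_B)):
        print(f"zone {zone}: A has {ta}, B has {tb}")
    print("HA ready:", ha_ready(FW_A, FW_B))
```

Run against the constructed data it reports the internal and external zones (interface on A versus nic_group on B) and answers "HA ready: False", which is exactly the situation the reply says blocks the configuration push from primary to secondary.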

          • 2. Re: New Failover HA - Interfaces

            Thanks, that answered my questions.