5 Replies Latest reply on Sep 22, 2015 7:32 AM by jschweitzer

    Passive Firewall No Longer Connects in Admin Console

    jschweitzer

      We're in the process of moving into the IPv6 world. I need to enable v6 on the interfaces of our cluster. We have two 4016s firewalls in an Active/Passive cluster.

      The other night I tried to enable IPv6 on the "internal" interface, only to be greeted with a message saying that IPv6 cannot be enabled on the heartbeat zone. I then had to change the heartbeat zone from the "Internal" interface to another interface, in this case another much-less-used interface. When I changed the heartbeat zone, I got a warning message saying that the firewalls would need to reboot to make the changes. I clicked OK, only to find that the firewalls never rebooted. It seems, however, that the zone was changed anyway.

      After this change, the passive firewall won't connect to the admin console. I checked the CLI via our KVM, and it's just fine. I'm also able to SSH to it. I rebooted the firewall through SSH this morning; that made no difference. I can ping the firewall too. It simply won't connect via the admin console. The message in the console reads:

      "This firewall is not available due to either an intentional system shutdown or a failed connection attempt. You must reconnect to obtain configuration information from this firewall."

      Can someone help me fix this issue? I'm at a loss right now.

      Thank you.

        • 1. Re: Passive Firewall No Longer Connects in Admin Console
          Peter M

          Moved to Enterprise Firewall

          ---

          Peter

          Moderator

          • 2. Re: Passive Firewall No Longer Connects in Admin Console
            sliedl

            My suggestion is to call into Support and open a ticket and we can do a remote session to figure this out.

            • 3. Re: Passive Firewall No Longer Connects in Admin Console
              jschweitzer

              Oh, I would have already, but our license renewal has been held up in the Purchasing dept for far too long.

              Scratch that. I just submitted a service request.

              • 4. Re: Passive Firewall No Longer Connects in Admin Console
                jschweitzer

                I sorted out the cluster issue yesterday (Sunday). Here are the steps necessary to fix the cluster:

                1. Remove the Secondary firewall from the cluster in the HA window.

                2. Change the Primary firewall to Standalone.

                3. Enable IPv6 on both firewalls' Internal interfaces, configure, save.

                4. Enable IPv6 on the External interface. I have not yet configured it.

                5. Run the Cluster Wizard on the Primary; create the cluster, configure IPs, heartbeat zone, etc.

                6. Remove all 'alias' IPs from the Secondary firewall. Only 'primary' IPs should be configured. When joining an existing cluster, the config will copy from the Primary to the Secondary.

                7. Run the Cluster Wizard on the Secondary. Join the existing cluster. Use the Primary's primary Heartbeat Zone IP address.

                Done.

                Now that I have my cluster re-created, and IPv6 enabled, the VPN to our remote location broke. Nothing has been modified in the VPN Definitions and it is still set to use v4, not v6. I'm assuming that enabling IPv6 somehow broke the connection. The remote firewall doesn't have v6 enabled.

                Can anyone shed some light on how to go about re-enabling the VPN connection between the two firewalls?

                Thanks

                • 5. Re: Passive Firewall No Longer Connects in Admin Console
                  jschweitzer

                  I was able to fix our VPN connection last week. Turns out it was an oversight on my part when the cluster was recreated.

                  When the cluster was re-created, the Primary and Clustered external IPs were reordered in the list. I learned that this list is hierarchical, so certain connections will grab the first IP address in the list. Well, that first IP was used for a website, not the VPN. I reordered the IP list, but that still didn't quite fix the VPN.

                  Next, I went into the VPN properties and manually specified the external IP address that the VPN should use instead of the default "localhost."

                  So that fixed it. Case closed.