Support Center > Search Results > SecureKnowledge Details
How to configure a cluster between locally managed SMB appliances Technical Level
Solution

On SMB appliances, the cluster can be configured only in High Availability mode. This means that only one Gateway is active and that when there is a failover, the standby member becomes active.

  • Both appliances must have the same hardware and firmware version.
  • Both appliances must have different names.
  • The secondary appliance must not have any configuration. The only configuration should be on the hardware level (if a LAN interface is configured on the Active member, then the same Port should be configured on the Standby member).
  • Connect a sync cable between the appliances on the sync port (Default: LAN2 port).
  • Connect both of the appliances' LANs (for example LAN1 from each appliance) to the same switch (to have the same Network Segment).
  • Reinitialize the internal VPN certificate on each appliance to obtain the external IP address for the CRL Distribution, e.g., http://10.10.10.1:18264/...
  • Bridge/switch configurations are currently not supported in a cluster configuration. If any such configuration exists, delete it before you start configuring the cluster in WebUI -> Device -> Local Network:

On the Primary Member

1. Start the wizard on the primary member: Enter WebUI, Device -> High Availability and click on Configure Cluster.

2. Choose the Configure as primary member option:

3. Enter the password for initializing the cluster.

4. In the next window, configure the network settings according to the image below: 

    • Cluster IP address (VIP) 
    • Primary IP address (LAN1 address of the primary appliance) 
    • Secondary IP address (LAN1 address of the secondary appliance) 

    5. For each Port/Network in the cluster, repeat step 4.

    6. Once complete, click on Finish.

    On the Secondary Member

    1. Start the wizard on the secondary member: Enter WebUI, Device -> High Availability and click on Configure Cluster.

    2. Choose the Configure as secondary member option:

    3. Enter the same password for initializing the cluster.

    4. Click on Establish Trust:

    5. Click on Finish. The confirmation notification will appear, letting you know that this appliance will be the secondary cluster member. Click on Yes.

    • The secondary member will appear with only one button in the panel: Device

    • The primary member will appear as below:

    • To verify that the cluster configuration has been successfully established, run the below commands from SSH (Expert mode): 'cphaprob state' and 'cphaprob –l list'    

    • You can also click on view diagnostics:

    • Note: To make the best use of the cluster, it is recommended to configure the Internet connection according to the below configuration (if there are three Internet lines):

    • To check the failover, click on Force Member Down on the primary member. The secondary member (which was on 'Standby' mode) should become the 'Active' appliance:

      Note: The Internet connections (Static IP] should be configured on each Internet interface [WAN/DMZ], and another Static IP for the VIP.

      Troubleshooting:

      Run the following commands from expert mode:

      1. 'fw debug sfwd on TDERROR_ALL_ALL=5' on both members. It is critical that you run this command at the same time.
      2. Create a rule, or re-establish trust, or run 'fw sic_test -p 10.231.149.2' from the primary member.
      3. 'fw debug sfwd off TDERROR_ALL_ALL=5' on both members to turn it off.
      4. Collect the debugs from $FWDIR/log/sfwd.elg from both members.

       

      This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

      Give us Feedback
      Please rate this document
      [1=Worst,5=Best]
      Comment