How to configure cluster between locally managed SMB appliances
On SMB appliances the cluster can be configured only on High Availability mode which means that only one gateway is active and when there is a failover, the standby member becomes active.
- Both appliances must have the same hardware and firmware version.
- Both appliances must have different names.
- The secondary appliance must be empty from any configuration, The only configuration that should be is on the HW level (if LAN interface configured on the Active, then the same Port should be Configured in the Standby)
- Connect a sync cable between the appliances on the sync port [Default: LAN2 port].
- There is a need to connect both of the appliance's LANs [for example LAN1 from each appliance] to a same switch (to have the same Network Segment).
- Reinitialize the internal VPN certificate on each appliance in order to obtain external IP address for the CRL Distribution [e.g; http://10.10.10.1:18264/...].
- Bridge/switch configurations are currently not supported in cluster configuration. If any exists, there is a need to delete them before start configuring the cluster (in the WebUI -> Device -> Local Network), as showed in the image below:
On Primary member
1. Start the wizard on the primary member by entering the WebUI, Device -> High Availability and click "Configure Cluster".
2. Choose the Configure as primary member option:
3. Enter password for initial the cluster.
4. In the next window configure the network settings according to the below image;
- Cluster IP address [VIP] .
- Primary IP address [LAN1 address of the primary appliance] .
- Secondary IP address [LAN1 address of the secondary appliance] .
5. For each Port/Network in the cluster, repeat step 4.
6. Once complete, Click on "Finish".
On Secondary member
1. Start the wizard on the secondary member by entering the WebUI, Device -> High Availability and click "Configure Cluster".
2. Choose the 'Configure as secondary member' option:
3. Enter the same password for initial the cluster.
4. Click on "Establish Trust":
5. Click on "Finish". The confirmation notification will appear by letting you know that this appliance will be the 'secondary' cluster member. Click Yes.
- The secondary member will appeared with only one button in the panel Device as showed below:
- The primary member will be appeared as showed below:
- To verify that the cluster configuration has been successfully established, run the below commands from SSH [Expert mode] as described below:
cphaprob l list
- You can also click on 'view diagnostics':
- Note: to make the best use of the CLUSTER, it is recommended to configure the Internet connection according to the below configuration [if there are three Internet lines]:
- To check the failover, click on 'Force member down' on the primary member and the secondary member [which was on 'Standby' mode] should become the 'Active' appliance:
Note: the Internet connections [Static IP] should be configured on each Internet interface [WAN/DMZ] and another Static IP for the VIP.
Run the following commands from expert mode:
- fw debug sfwd on TDERROR_ALL_ALL=5 - [on both members] it's critical to run that command at the same time.
- Then create a rule, or re-establish trust, or run fw sic_test -p 10.231.149.2 from the primary member.
- fw debug sfwd off TDERROR_ALL_ALL=5 [on both members to turn it off].
- Then collect the debugs from; $FWDIR/log/sfwd.elg from both members.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.