My most recent support case

@James_Carson

I recently opened a case with an active/active cluster setup. I chose this configuration because I wanted to take advantage of the load balancing and higher level of availability. The WatchGuard kit is part of a greenfield deployment and is connecting to new internet circuits. After I set up the cluster, I connected them to a pair of redundant switches that are on the trusted side of the cluster.

I ran into an issue where I couldn't get internet access, so I called the ISP and requested that they investigate what was going on with the internet circuit. I noticed that when I configured a laptop with the public IP and then plugged it in to the ISP equipment, I could ping and access the internet. Another thing I noticed is that I couldn't ping any of the default gateways on the VLANs. The ISP ran several packet captures to show the difference between when the laptop was connected and when the WatchGuards were connected. The results showed that for some reason the WatchGuards were sending invalid ARP requests: the Sender MAC was a multicast MAC and didn't match the Source MAC, which prevented the connection from being established.

I was told multiple times by support techs, as this case was escalated, that the active/active cluster setup is rare, and they didn't seem to be well versed in this setup. At no point could any of them answer the question as to why the WatchGuards were sending invalid ARP requests in which the Sender MAC was a multicast MAC and didn't match the Source MAC. As a result of this, I lost 2 days that were supposed to be dedicated to the turn-up of new server and storage infrastructure; I now have to wait until next month because of vendor engineering availability.

The only way I could think to get things up and running was to reset both firewalls and then start over with the configuration, this time as an active/passive cluster. None of the techs really could come up with anything helpful; they insisted that we do a screen-sharing session, but I was unable to do that because of the issues with the cluster. I've been a WatchGuard customer for years and have thrown out SonicWalls, Cisco, etc. to replace them with WatchGuards. The support and the product have been great, but this experience makes me wish that I had just reset the firewalls sooner. I feel like support let me down, and the active/active setup isn't tested much, nor does anyone know much about it. In my mind I knew it had to be an ISP issue and there was no way the firewalls were causing this issue, but I was wrong.

I just wanted to throw this out so i can clear my head.
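The two anomalies the ISP's capture showed (an ARP sender hardware address that is a multicast MAC, and one that differs from the Ethernet source MAC) are easy to check for directly in a capture. The following is an added example, not code from the original post or from WatchGuard: a small Python parser for Ethernet/ARP frames that flags both conditions, run over two constructed frames. The MAC and IP addresses are made up for illustration; the multicast MAC used for the "bad" frame is a placeholder and is not claimed to be the address a WatchGuard cluster actually uses.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def mac_bytes(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(x, 16) for x in text.split(":"))


def mac_str(raw):
    return ":".join(f"{x:02x}" for x in raw)


def ipv4_bytes(text):
    return bytes(int(x) for x in text.split("."))


def ipv4_str(raw):
    return ".".join(str(x) for x in raw)


def is_group_mac(raw):
    """True if the I/G bit (least significant bit of the first octet) is set,
    i.e. the address is a multicast or broadcast MAC rather than a unicast one."""
    return bool(raw[0] & 0x01)


def build_arp_request(eth_src, sha, spa, tpa):
    """Build an Ethernet II frame carrying an RFC 826 ARP request.

    eth_src is the Ethernet header source; sha is the ARP sender hardware
    address. A normal host sets both to the same unicast MAC; keeping them
    separate parameters lets us construct the malformed case for testing.
    """
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)  # Ethernet, IPv4, hlen 6, plen 4
    arp += mac_bytes(sha) + ipv4_bytes(spa)
    arp += bytes(6) + ipv4_bytes(tpa)  # target hardware address is unknown in a request
    return eth + arp


def parse_arp(frame):
    """Return the fields of an IPv4-over-Ethernet ARP frame, or None if the frame is something else."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP payload
        return None
    eth_src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_src": eth_src,
        "oper": oper,
        "sha": frame[22:28], "spa": frame[28:32],
        "tha": frame[32:38], "tpa": frame[38:42],
    }


def check_arp_sender(frame):
    """Flag the two problems seen in the ISP capture. Returns None for non-ARP frames."""
    arp = parse_arp(frame)
    if arp is None:
        return None
    findings = []
    if is_group_mac(arp["sha"]):
        findings.append("sender-mac-is-multicast")
    if arp["sha"] != arp["eth_src"]:
        findings.append("sender-mac-differs-from-eth-src")
    return findings


def scan(frames):
    """Summarise every ARP frame in a list of raw frames as (index, sender IP, sender MAC, findings)."""
    out = []
    for i, frame in enumerate(frames):
        arp = parse_arp(frame)
        if arp is None:
            continue
        out.append((i, ipv4_str(arp["spa"]), mac_str(arp["sha"]), check_arp_sender(frame)))
    return out


# Constructed sample capture (addresses invented for this example):
# frame 0 is what the laptop test would look like, frame 1 resembles what the
# ISP described, with a multicast sender MAC that differs from the Ethernet source.
SAMPLE_CAPTURE = [
    build_arp_request("00:11:22:33:44:55", "00:11:22:33:44:55", "203.0.113.10", "203.0.113.1"),
    build_arp_request("00:11:22:33:44:66", "01:00:5e:00:00:01", "203.0.113.10", "203.0.113.1"),
]

if __name__ == "__main__":
    for idx, spa, sha, findings in scan(SAMPLE_CAPTURE):
        print(f"frame {idx}: {spa} is-at {sha} -> {findings or 'ok'}")
```

The check mirrors what the ISP's equipment is entitled to do: RFC 1812 (section 3.3.2) says a router must not believe an ARP reply that claims another host's link-layer address is a broadcast or multicast address, so a gateway that receives the second frame will never install a usable entry for the cluster's IP. That is also why a setup that deliberately answers from a multicast MAC needs static ARP/CAM entries on the adjacent switches, as the reply below notes; a plain ISP edge router has no such entries.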

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Maverick
    A/A clusters are pretty rare (I'd throw a number out there like they're probably less than 1% of cluster installs.)

    The firewalls themselves do require static ARP entries on the switches, and if this is not in place, it can cause issues.

    If you can let me know what the case number is, I'd be happy to let one of the team leads review the case and see if there is anything else they can do to help.

    Thank you,

    -James Carson
    WatchGuard Customer Support
