Firecluster Config with VLAN

Hi,

I've been struggling the last few days with trying to set up a pair of T85s in an active/passive cluster.

I've set up several other WatchGuards in a cluster config before, and it all went fairly smoothly. The only difference is that they were on a flat network, and I really don't have much experience with setting up VLANs.

The new site we acquired has 2 VLANs set up: one untagged for the corporate network, and one tagged for the guest network.

I am able to access the management interface on the primary FW, but I'm not able to access the interface on the secondary FW... I can't even ping it. I tried to do a fail-over, just to check, and it did grab the external IP and the gateway IP, but no one was able to access the Internet.

I have the ports on the switches for both the primary and secondary FW adapters linked to both the untagged VLAN and the tagged public VLAN.

Comments

  • What did you see in Traffic Monitor after the failover was tried?

  • Didn't check the traffic monitor, but looking back at the logs, it's as though that IP address isn't even on the network.

  • james.carson Moderator, WatchGuard Representative

    Hi @BryceGiroux
    In order for the cluster to form and be able to talk to the other member, traffic must be able to flow on the management interface between the two devices. If that's not happening via your switches, I'd suggest checking to see if the switch is passing traffic between the two firewalls.

    -James Carson
    WatchGuard Customer Support

  • Found the issue. Turns out that the switch's STP was blocking the port for the secondary firewall, likely because it was having issues with the virtual MAC address the WatchGuard was using for the cluster.