Active/Active M470 setup

I have set up an Active/Active cluster using 2 M470s running the latest OS that are connected to Aruba 3810 switches. I have tested the failover from System Manager between the master and backup master and that is working. The HP 3810 switches are not set up for layer 3, so all routing will take place on the M470 FireCluster.

Is it normal to not be able to ping the management ip or pull up the web page for the backup master?

Comments

  • Yes. The backup/passive member has no active routing table, so you will only see replies if connected to the cluster mgt subnet.

  • Okay, that's good to know, but both firewalls are actively routing and handling traffic if they are in a round robin, right?
  • Oops, sorry.
    My answer is for an A/P cluster, not an A/A cluster. My bad.

    For an A/A, I would expect replies, but I don't have an A/A cluster, so I may be wrong here.

  • It seems like the A/A setup is rare for some reason and more people go with the A/P cluster setup.

  • edited September 2020

    Hello NetworkWise,
    I'm quite confused by the way WG HA A/A operates. Have you successfully configured it yet?
    I've successfully configured the A/A mode but it does not run well. This is my issue: "The internal PCs get ping packet loss when multiple PCs send pings through the Firebox. When only one internal PC sends pings through the Firebox, we see nearly zero packets lost." I also opened a ticket with WatchGuard Technical Support but my issue has not been solved so far. So, I used A/P mode instead of A/A mode :(:(
    Please let me know if you have successfully configured them without issues.
    Thanks,

    NOTE:
    I am using Cisco devices for this diagram.
    1. Cisco Router 1941 (configure ARP & multicast Address of WG HA)
    2. Cisco Switch 2950 (Layer2)
    3. WG HA A/A (configure ARP of Router 1941)
    4. Cisco Switch 4948 (Layer2 with trunking interface)

  • I was able to get my A/A setup working. In my case I needed to stack the switches, which basically turns them into a cluster just like the firewalls. I plugged into an interface on one of the switches and started a continuous ping from my laptop, then I unplugged the connection from the firewall to simulate a failure. The network dropped 2 pings, then the other firewall picked up. I did this sort of test a few different ways, but the network always dropped 2 pings and then continued, which is great! It's so short that users shouldn't notice.
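    The failover test described above (continuous ping, pull the cable, count the dropped probes) is easy to eyeball once but hard to compare across several runs or several client PCs. The script below is an added example, not code from this thread or from WatchGuard: it reads saved ping output, reconstructs which icmp_seq numbers never got a reply, and reports the longest consecutive gap as the worst-case outage. The gateway address 10.0.0.1 and the sample output are constructed; run it on real captures from each PC to check whether the loss is a short failover blip or the sustained multi-host loss reported later in the thread.

```python
import re
import sys
from typing import Dict, Iterable, List

# Reply line as printed by Linux/BSD ping, e.g.
#   64 bytes from 10.0.0.1: icmp_seq=7 ttl=64 time=0.312 ms
REPLY_RE = re.compile(r"icmp_seq[= ](\d+)\b.*\btime=")
# Explicit loss line printed by macOS/BSD ping (Linux prints nothing
# at all for a lost probe), e.g.
#   Request timeout for icmp_seq 8
TIMEOUT_RE = re.compile(r"Request timeout for icmp_seq (\d+)")

# Constructed sample (not real captured output): a 12-probe run against a
# hypothetical gateway 10.0.0.1 where the active member's cable is pulled
# after probe 5 and the partner member has taken over by probe 8.
SAMPLE_PING_OUTPUT: List[str] = (
    ["PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data."]
    + [f"64 bytes from 10.0.0.1: icmp_seq={n} ttl=64 time=0.3{n} ms" for n in range(1, 6)]
    + [f"64 bytes from 10.0.0.1: icmp_seq={n} ttl=64 time=0.4{n} ms" for n in range(8, 13)]
)


def analyze(lines: Iterable[str], interval: float = 1.0) -> Dict[str, float]:
    """Reconstruct sent/received/lost counts and the longest outage from ping output.

    Every sequence number between the first and the last probe seen is assumed
    to have been sent; any of them without a reply counts as lost. The longest
    run of consecutive lost probes times the probe interval is the worst-case
    outage the failover caused.
    """
    answered = set()   # icmp_seq values that got a reply
    seen = set()       # every icmp_seq mentioned, replied or timed out
    for line in lines:
        m = REPLY_RE.search(line)
        if m:
            seq = int(m.group(1))
            answered.add(seq)
            seen.add(seq)
            continue
        m = TIMEOUT_RE.search(line)
        if m:
            seen.add(int(m.group(1)))
    if not seen:
        return {"sent": 0, "received": 0, "lost": 0, "longest_gap": 0, "outage_seconds": 0.0}

    first, last = min(seen), max(seen)
    sent = last - first + 1
    longest = run = 0
    for seq in range(first, last + 1):
        if seq in answered:
            run = 0
        else:
            run += 1
            longest = max(longest, run)
    return {
        "sent": sent,
        "received": len(answered),
        "lost": sent - len(answered),
        "longest_gap": longest,
        "outage_seconds": longest * interval,
    }


def failover_acceptable(result: Dict[str, float], max_outage_seconds: float = 3.0) -> bool:
    """Pass/fail for a failover test: the longest gap must stay within budget."""
    return result["sent"] > 0 and result["outage_seconds"] <= max_outage_seconds


def demo() -> Dict[str, float]:
    """Analyze the constructed sample run (default 1 s probe interval)."""
    return analyze(SAMPLE_PING_OUTPUT)


if __name__ == "__main__":
    # Usage: ping -i 1 <gateway> | tee failover.log ; python3 this_script.py < failover.log
    res = analyze(sys.stdin, interval=1.0)
    print(res)
    print("failover OK" if failover_acceptable(res) else "failover too slow or lossy")
```

    Run the same capture from several PCs at once: a failover shows up as one short gap at the same moment on every host, while the multi-PC problem described further down shows up as scattered losses that never line up and keep occurring long after any failover.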

  • @Nguyen_Dung Have you seen these articles?

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/ha/cluster_add_arp_entry_wsm.html

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/ha/cluster_example_cisco_wsm.html

    In my case all I needed to do was stack my switches. My switches are not doing any routing, so any traffic that needs to be routed will be sent up to the firewalls.

  • james.carson (Moderator, WatchGuard Representative)

    You should be able to get to either member provided you're running a modern firmware (12.x or better). If you're not able to do this, I'd consider that a problem.

    A/A clusters require adding multicast MAC addresses to your switches -- if you haven't done this, it may be part of the issue.

    Having an A/A cluster won't make traffic go faster than the firewall is capable of -- so it is generally only useful if you're handling -a lot- of traffic. A/A also requires that you have security subscription licensing for both firewalls if you wish to use that, whereas Active/Backup only requires it to be on one.

    If you're experimenting with clusters, we generally recommend that you get an Active/Backup cluster going, and once you have any issues worked out with that, then move to A/A.

    -James Carson
    WatchGuard Customer Support

  • @NetworkWise, Thank you for your reply.

    Of course, I have already researched all of the WG HA A/A documents, including your links.
    Are you only using a laptop to send pings through the Firebox? If so, this issue will not occur.
    The issue only occurs when you use multiple PCs to send pings to the same destination through the Firebox.

  • edited September 2020

    @James_Carson

    A/A clusters require adding multicast MAC addresses to your switches -- if you haven't done this, it may be part of the issue.

    I didn't have to add any multicast entries to my switches to get this to work.

    Having an A/A cluster won't make traffic go faster than the firewall is capable of -- so it is generally only useful if you're handling -a lot- of traffic. A/A also requires that you have security subscription licensing for both firewalls if you wish to use that, whereas Active/Backup only requires it to be on one.

    I've read all of the documentation and my M470s meet the requirements. My reasoning for setting up the A/A cluster was the volume of traffic and the importance of it all.

    At the end of the day, it's all working as it should.
