Configuring multiple ProxySG appliances in a failover group ensures that your users can always reach the Internet while your security policies continue to be enforced. When failover group membership changes don't work as expected, there are several things you can check to resolve the issue.
The most common issue in establishing a failover group is that the failover group configuration isn’t enabled. Verify that the failover groups you've created are enabled as follows:
1. In the ProxySG appliance management console, browse to the Configuration tab > Network > Advanced > Failover.
2. Click the failover group you've created and click Edit. The edit failover group dialog appears.
3. Examine the check box at the top of the dialog. If it's unchecked, check it and click OK, then Apply.
Compare all of the ProxySG appliances in the failover group and verify that their configurations match. Issues arise most commonly when the following items are not set correctly on each member of the failover group:
All appliances must be on the same network (i.e. same subnet, same broadcast domain).
The Virtual IP (VIP) must be the same on all members of the failover group. This ensures that if the active appliance goes offline, the next available passive appliance becomes the authority for the shared VIP address.
The multicast address must be the same on each appliance. This is how the appliances communicate active/passive state information with one another and is crucial to the
Only one appliance in the failover group should have the Master setting enabled. Keep the Relative Priority value at the default of 100.
The advertisement interval should be the same on each appliance to avoid delays in switching the master in the event of a failure.
When defining a Virtual IP address to use for your failover group, choose an IP that is not already assigned to a network adapter but is on the same subnet as the appliances' own IP addresses.
The Shared Secret must be the same across all members of the failover group. If you suspect this to be the cause of the issue, define a new password, enter it on each appliance in the failover group one after the other, and apply the changes.
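As an added example (not part of this Knowledge Article and not ProxySG code), the checklist above expressed as a small Python audit over a constructed export of each appliance's failover settings. The field names (`vip`, `multicast`, `interval`, `secret_hash` and so on) are my own shorthand for the settings the article lists, not ProxySG configuration keys, and the addresses are constructed:

```python
import ipaddress
from typing import Dict, List

# Constructed sample: failover-related settings gathered from three appliances.
# Keys are shorthand for the article's checklist items, not ProxySG config keys.
# proxy-c is deliberately misconfigured to exercise the checks.
APPLIANCES: List[Dict] = [
    {"name": "proxy-a", "ip": "10.1.2.11/24", "enabled": True, "vip": "10.1.2.100",
     "multicast": "224.1.1.1", "master": True, "priority": 100,
     "interval": 40, "secret_hash": "c0ffee"},
    {"name": "proxy-b", "ip": "10.1.2.12/24", "enabled": True, "vip": "10.1.2.100",
     "multicast": "224.1.1.1", "master": False, "priority": 100,
     "interval": 40, "secret_hash": "c0ffee"},
    {"name": "proxy-c", "ip": "10.1.3.13/24", "enabled": False, "vip": "10.1.2.100",
     "multicast": "224.1.1.2", "master": True, "priority": 100,
     "interval": 40, "secret_hash": "deadbeef"},
]


def audit_failover_group(appliances: List[Dict]) -> List[str]:
    """Return human-readable findings; an empty list means the group looks consistent."""
    findings: List[str] = []

    # The failover group must be enabled on every member.
    for a in appliances:
        if not a["enabled"]:
            findings.append(f"{a['name']}: failover group is not enabled")

    # VIP, multicast address, advertisement interval and shared secret must match.
    for key in ("vip", "multicast", "interval", "secret_hash"):
        values = {a[key] for a in appliances}
        if len(values) > 1:
            findings.append(f"{key} differs across members: {sorted(map(str, values))}")

    # Exactly one master, and the relative priority left at the default of 100.
    masters = [a["name"] for a in appliances if a["master"]]
    if len(masters) != 1:
        findings.append(f"expected exactly one master, found {masters}")
    for a in appliances:
        if a["priority"] != 100:
            findings.append(f"{a['name']}: relative priority is {a['priority']}, expected 100")

    # All members on one subnet; the VIP inside it and not an interface address.
    networks = {ipaddress.ip_interface(a["ip"]).network for a in appliances}
    if len(networks) > 1:
        findings.append(f"members are on different subnets: {sorted(map(str, networks))}")
    interface_ips = {ipaddress.ip_interface(a["ip"]).ip for a in appliances}
    for a in appliances:
        vip = ipaddress.ip_address(a["vip"])
        net = ipaddress.ip_interface(a["ip"]).network
        if vip not in net:
            findings.append(f"{a['name']}: VIP {vip} is not in its subnet {net}")
        if vip in interface_ips:
            findings.append(f"{a['name']}: VIP {vip} is already assigned to an interface")

    # The group address must actually be a multicast address (224.0.0.0/4).
    for a in appliances:
        if not ipaddress.ip_address(a["multicast"]).is_multicast:
            findings.append(f"{a['name']}: {a['multicast']} is not a multicast address")

    return findings


if __name__ == "__main__":
    for line in audit_failover_group(APPLIANCES) or ["no findings"]:
        print(line)
```

Run against the constructed data the audit reports six findings for the group and none for the first two appliances alone, which is the shape of result you want before moving on to the network checks.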
After validating your configuration, another cause of trouble may be a network device (switch or router) that carries traffic between the appliances. It's important to make sure that multicast traffic is permitted to travel between appliances. A simultaneous packet capture from all appliances in the failover group, taken with a capture filter for the multicast address (e.g. "ip host 220.127.116.11" without the quotes), should show multicast packets being sent only from the active master appliance's source IP address. If two appliances are sending multicast packets at the same time, the switch or router is not passing the multicast packets between them.
When testing failover, the next available passive appliance must miss 3 consecutive multicast packets from the active master appliance before it becomes authoritative for the shared VIP and starts to intercept and manage traffic. This means that, with the default Advertisement Interval of 40 seconds, you need to wait about 2 minutes before the next passive appliance takes over.
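As an added example (not from this Knowledge Article), here is the capture check and the takeover timing from the two paragraphs above as Python over constructed tcpdump-style summary lines. The multicast address `224.1.1.1`, the appliance names and the sample lines are all constructed; substitute your group's configured address. A healthy group shows one advertising source in every member's capture; a group whose switch drops multicast shows each appliance advertising on its own because none of them can hear the master:

```python
import re
from typing import Dict, List, Set

MULTICAST_ADDRESS = "224.1.1.1"   # constructed; use the group's configured address
ADVERTISEMENT_INTERVAL = 40       # seconds, the default the article cites
MISSED_BEFORE_TAKEOVER = 3        # consecutive missed advertisements before takeover

# Matches the "IP <src> > <dst>:" part of a tcpdump summary line (no ports shown).
LINE_RE = re.compile(r"IP (?P<src>[0-9.]+) > (?P<dst>[0-9.]+):")

# Constructed captures, keyed by the appliance the capture was taken on.
HEALTHY_CAPTURE: Dict[str, List[str]] = {
    "proxy-a": [
        "10:00:00.000 IP 10.1.2.11 > 224.1.1.1: UDP, length 20",
        "10:00:05.000 ARP, Request who-has 10.1.2.1 tell 10.1.2.11, length 28",
        "10:00:40.001 IP 10.1.2.11 > 224.1.1.1: UDP, length 20",
    ],
    "proxy-b": [
        "10:00:00.002 IP 10.1.2.11 > 224.1.1.1: UDP, length 20",
        "10:00:40.003 IP 10.1.2.11 > 224.1.1.1: UDP, length 20",
    ],
}
# Same group, but the switch is not forwarding multicast: each appliance only
# ever sees its own advertisements, so both believe they are the master.
SPLIT_CAPTURE: Dict[str, List[str]] = {
    "proxy-a": ["10:00:00.000 IP 10.1.2.11 > 224.1.1.1: UDP, length 20"],
    "proxy-b": ["10:00:00.000 IP 10.1.2.12 > 224.1.1.1: UDP, length 20"],
}


def advertisement_sources(captures: Dict[str, List[str]],
                          multicast: str = MULTICAST_ADDRESS) -> Dict[str, Set[str]]:
    """For each capture, the set of source IPs that sent packets to the multicast address."""
    sources: Dict[str, Set[str]] = {}
    for appliance, lines in captures.items():
        seen: Set[str] = set()
        for line in lines:
            m = LINE_RE.search(line)
            if m and m.group("dst") == multicast:
                seen.add(m.group("src"))
        sources[appliance] = seen
    return sources


def diagnose(captures: Dict[str, List[str]],
             multicast: str = MULTICAST_ADDRESS) -> List[str]:
    """Return findings; empty means only one appliance is advertising and all can hear it."""
    findings: List[str] = []
    sources = advertisement_sources(captures, multicast)
    all_senders = set().union(*sources.values())
    if len(all_senders) > 1:
        findings.append(
            f"multiple appliances advertising to {multicast}: {sorted(all_senders)}; "
            "the switch or router is probably not passing multicast between them")
    for appliance, seen in sources.items():
        if not seen:
            findings.append(f"{appliance} saw no advertisements to {multicast}")
    return findings


def expected_failover_delay(interval: int = ADVERTISEMENT_INTERVAL,
                            missed: int = MISSED_BEFORE_TAKEOVER) -> int:
    """Seconds a passive member waits before taking over: missed advertisements x interval."""
    return interval * missed


if __name__ == "__main__":
    print("healthy:", diagnose(HEALTHY_CAPTURE) or "no findings")
    print("split:", diagnose(SPLIT_CAPTURE))
    print("expected takeover delay:", expected_failover_delay(), "seconds")
```

The same `diagnose` function works on real captures once you read each appliance's tcpdump output into the dictionary; the ARP line in the constructed data is there to show that non-multicast traffic is ignored by the filter.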
The following Knowledge Articles may help further:
Can a failover environment be set up using different ProxySG appliance models? Knowledge Article 000008311.
When configuring a pair of ProxySGs in fail-over mode, what multicast IP address should be used? Knowledge Article 000015608.
ProxySG units are set up in a failover group but the units are not seeing each other's multicast traffic. Knowledge Article 000013094.
Imported Document ID: 000010736