Troubleshoot issues with failover on ProxySG
search cancel

Troubleshoot issues with failover on ProxySG

book

Article ID: 166205

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

Configuring Multiple ProxySG appliances in a failover group ensures that your users can always reach the Internet, while maintaining your security policies. When failover group membership changes don't work as expected, there are things you can look at to resolve the issue.
 

The most common issue in establishing a failover group is that the failover group configuration isn’t enabled. Verify that the failover groups you've created are enabled as follows:

1.     In the ProxySG appliance management console, browse to the Configuration tab > Network > Advanced > Failover.

2.     Click the failover group you've created and click Edit. The edit failover group dialog appears.

3.     Examine the check box at the top of the dialog. If it's unchecked, check it and click OK, then Apply.

Resolution

Compare all of the ProxySG appliances in the failover group and verify that your configuration matches appropriately. Issues arise most commonly when the following items on each member of the failover group are not set correctly:  

  • All appliances must be on the same network (i.e. same subnet, same broadcast domain).
  • The Virtual IP (VIP) must be the same on all members of the failover group. This ensures that if the active appliance goes offline, the next available passive appliance becomes the authority for the shared VIP address
  • The multicast address must be the same on each appliance. This is how the appliances communicate active/passive state information with one another and is crucial for the failover to work.
  • Only one appliance in the failover group should have the Master setting enabled. Keep the Relative Priority value at the default of 100.
  • The advertisement interval should be the same on each appliance to avoid delays in switching the master in the event of a failure.
  • When defining a Virtual IP address to use for your failover group, choose an IP that is not already assigned to a network adaptor, but is on the same subnet as the other appliance IP addresses.
  • The Shared Secret must be the same across all members of the failover group. If you suspect this to be the cause of the issue, define a new password and enter it on each appliance in the failover group, one after the other and apply the changes.

Other considerations

  • After validating your configuration, another cause for trouble may come from a device on your network that routes traffic from one appliance to the others.  It's important to make sure that multicast traffic is permitted to travel between appliances. A simultaneous packet capture from all appliances in the failover group, taken with a capture filter of the multicast-address (e.g. “ip host 224.0.0.1” without the quotes) will report the multicast traffic from all appliances should see multicast packets being sent only by the active master appliance's source IP address.
  • If two appliances are sending multicast packets at the same time, this indicates that the switch or router is not passing the multicast packets.    
  • When testing failover, the next available passive appliance should miss 3 consecutive multicast packets from the active master appliances before it becomes authoritative for the shared VIP and starts to intercept and manage traffic. This means, with the default Advertisement Interval of 40 seconds, you need to wait for about 2 minutes  before the next passive appliance will take over.
  • Each ProxySG model has its own specifications for the number of clients it can handle, bandwidth, and so forth.  Because each model differs in their performance specifications, for optimal performance, Broadcom recommends and supports using the same ProxySG appliance models in a failover environment because when failover occurs, a lower specification ProxySG might not be able to handle the traffic

    The following Knowledge Articles may help further. 

When configuring a pair of ProxySGs in fail-over mode, what multicast IP address should be used?

Proxy SG units are set up in failover group but the units are not seeing each other Multicast traffic