
HA opinion

New Member
Posts: 3

Hi guys,

has anyone ever tested the VM pair HA behaviour?

 

I implemented a lab with a pair of 8.1.1 and a pair with 7.3.x NIOS (TE-V1410).

Since I read in the Admin Guide that if the passive node does not receive at least 3 VRRP advertisements, it will take ownership of the VIP...

So, I tried to disable the HA interface (both disabling the interface from VM's settings, and blocking the vSwitch's port) and the result was not in line with my expectations...

RESULT: The Active node remains Active and the Passive remains Passive. Obviously the service is interrupted because the VIP is no longer published...

 

I'm sure that SpanningTree, Portchannel etc... are disabled. My vSwitch is isolated and without any peculiar configurations... 

 

The HA works properly only if I disable the HA and LAN1 of the Active node.

 

Any clarifications are welcome...

Thank you

L.

 

P.S.

Forged Transmit and MAC Address change are set to Accept.

Re: HA opinion

Authority
Posts: 6

Thank you for the detailed description of your issue. I just need to clarify one of your statements.

 

You mentioned that you disabled the HA interface from the vSwitch port and the VM settings. Could you confirm if this was done on the Passive node's VM settings or the Active node's? If it is the Passive node's setting, then this is working as per design, because the passive node will try to fail over only if it doesn't receive any VRRP packets from the Active. I believe the Passive would be listening on both the HA and LAN interfaces and hence the failover didn't happen.

 

If it's the other way around (Disabled port on Active node), then I would suggest opening a Support Ticket because this may require additional troubleshooting.

 

 

Regards,

Anil

 

 

Re: HA opinion

New Member
Posts: 3

Hi Anil,

thank you for your contribution.

I disabled the HA port of the Active node... 

 

However, in my opinion there shouldn't be a difference where I disable the HA interface (obviously I mean in a lab/test environment)... In both cases the Passive node should no longer receive VRRP advertisements, so it follows that the Passive node should try to take ownership of the VIP.

 

Since the VRRP advertisements are sent in multicast from the Active's HA interface, they will be received on each interface of the Passive node (and on the Active node's LAN1 too). From the Admin Guide and KB #87 I understand that the Passive node listens for VRRP advertisements only on its HA interface, and after three consecutive missed advertisements it takes the VIP.

 

Thanks

kindest regards,

Lorenzo

 

 

Re: HA opinion

Authority
Posts: 6

Hi Lorenzo,

 

I had done the below test long back and the following were my findings:

 

 

Scenario #1

 

All interfaces are up except:

 

Active Node:

 

Only LAN1 interface Down --> No HA Failover will occur. Active node will appear offline in the Grid. VIP is still alive since it is held by Active node's HA interface.

 

Note: VRRP sent by HA interface of Active node as multicast

 

 

 

Scenario #2

 

All interfaces are up except:

 

Active Node: 

Only HA interface Down --> Failover will occur. VIP won't be accessible and the VRRP won't be sent to the Passive node.

 

Scenario #3

 

Both HA and LAN1 interfaces down --> Failover will occur.

 

Scenario #4

 

All interfaces are up except:

 

Passive Node:

 

Only LAN1 interface Down --> No HA failover will occur. Passive node will appear offline in the Grid.

 

Note: Passive node listens for VRRP on the HA port too. Confirmed by testing on lab appliance.

 

 

Scenario #5

 

All interfaces are up except:

 

Only HA interface Down --> No HA failover will occur. LAN1 is still getting the VRRP packets from the Active node's HA interface.

 

 

So the only scenario where the HA failover occurs will be when the HA interface of the Active node is down.

 

 

 

Re: HA opinion

New Member
Posts: 3

Hi,

I opened a case with Support.

They told me that this behaviour is expected in a VM environment. The heartbeats are sent from HA in multicast and from LAN1 in unicast. They will update the Administrator Guide to better explain this behaviour.

Thanks again

Lorenzo
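
The following is an added example, not code from Infoblox or from any poster in this thread. It models the two heartbeat paths described in the last post (multicast from HA, unicast from LAN1) with the three-missed-advertisements rule quoted in the first post, and runs the five interface-down cases. The names `Links`, `heartbeat_seen` and `failover_interval` are hypothetical, and the model assumes both nodes share one vSwitch segment, the unicast heartbeat is addressed to the passive node's LAN1, and an interval counts as missed only when no heartbeat arrives on any path.

```python
from dataclasses import dataclass

MISSED_LIMIT = 3  # passive takes the VIP after 3 consecutive missed advertisements


@dataclass(frozen=True)
class Links:
    """Interface state during one advertisement interval (True = up)."""
    active_ha: bool = True
    active_lan1: bool = True
    passive_ha: bool = True
    passive_lan1: bool = True


def heartbeat_seen(s: Links) -> bool:
    # Multicast from the active HA port: on a shared segment it reaches every
    # passive interface that is up (HA or LAN1).
    multicast = s.active_ha and (s.passive_ha or s.passive_lan1)
    # Unicast from the active LAN1 port. ASSUMPTION: addressed to passive LAN1.
    unicast = s.active_lan1 and s.passive_lan1
    return multicast or unicast


def failover_interval(timeline):
    """Index of the interval at which the passive takes the VIP, or None."""
    missed = 0
    for i, links in enumerate(timeline):
        missed = 0 if heartbeat_seen(links) else missed + 1
        if missed >= MISSED_LIMIT:
            return i
    return None


SCENARIOS = {  # one fault per case, matching the cases tested in the thread
    "active LAN1 down": Links(active_lan1=False),
    "active HA down": Links(active_ha=False),
    "active HA+LAN1 down": Links(active_ha=False, active_lan1=False),
    "passive LAN1 down": Links(passive_lan1=False),
    "passive HA down": Links(passive_ha=False),
}


def run_all(intervals=10, healthy=2):
    # Constructed timeline: `healthy` good intervals, then the fault persists.
    return {name: failover_interval([Links()] * healthy + [fault] * (intervals - healthy))
            for name, fault in SCENARIOS.items()}


if __name__ == "__main__":
    for name, at in run_all().items():
        print(f"{name:20} -> {'no failover' if at is None else f'failover at interval {at}'}")
```

Under these assumptions only the loss of both heartbeat paths from the active node produces a takeover, which is the lab result reported in the first post.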
