High Availability and Clustering · Chapter 6 225

In Figure 6.39, we can see that member fw2 is active. If we right-click fw2 and select Stop Member, we will force fw1 to switch to active. This assumes that fw1—or another cluster member—is available. Be sure to check this status before stopping the current active member!

Figure 6.39 SmartView Status GUI Showing ClusterXL HA New Mode with Member fw2 Active

Take note of the Running Mode field, which states whether the member is active or not.

NOTE
Note that if a member has been disabled using "Stop member," the ClusterXL Details pane might still show the member as active. This is because we have lost contact with the ClusterXL module on that member, and the GUI is still displaying the last known status. It is worth checking the last updated time for the ClusterXL status and forcing an update (right-click ClusterXL and select Update).

A stopped member can be revived by right-clicking the member name and selecting Start Member. Note that it will stay in Standby mode irrespective of its priority if Maintain Current Active gateway is set in the cluster object.

Test 3: FTP Session Through the Cluster When an Interface Fails

As with all cluster solutions, the best tests are those simulating real-world failure. Physically damaging cluster members is probably the most challenging test, but probably not a popular option, either. A more acceptable test is disconnecting a network cable from the current master member during a file download through the cluster.

In our example, we initiate a command-line FTP session from the internal host on 192.168.1.200 to 192.168.12.133 (refer to Figure 6.12). The default gateway of host 192.168.1.200 will be the cluster VIP address for that subnet (192.168.1.130). The default gateway for 192.168.12.133 will be VIP 192.168.12.130.
We will use the ftp hash command to display the blocks downloaded so we can see the download's progress. A large file should be chosen that will take at least a minute to download; that gives us time to test failover.

If you pull out the external interface of the active member (for example, if member fw1 were active, removing the Ethernet cable from qfe0 would cause a fail condition), you should see member fw2 become active and the FTP session should continue, probably after a pause of a few seconds. This particular test is useful because it tests the following things:

- The hosts communicating have the correct default gateway.
- The hubs and switches are working correctly in an HA environment.
- The firewall members are failing over correctly.
- The hosts on the local subnet respond to the failover gratuitous ARP.
- The firewall members' state tables are fully synchronized.

Command-Line Diagnostics on ClusterXL

Let's take a look at some useful command-line tools that can be used to monitor ClusterXL.

fw hastat

The fw hastat command can be used to check the basic status of each cluster member locally or remotely. The fw hastat command has the following syntax:

    fw hastat

A typical response if this command is run on a local firewall cluster member module is:

    HOST        NUMBER    HIGH AVAILABILITY STATE    MACHINE STATUS
    localhost   1         active                     OK

cphaprob

The cphaprob command is probably the most versatile command that can be used to monitor and manipulate ClusterXL. Here we cover just a few of the common syntaxes of this command, but it can do a lot more than merely show information about the cluster. This command can be used to integrate tailored status checking—for example, checking the hardware health of a member. The command can be used on either of the cluster members (not on the firewall management module).
Running cphaprob stat on either of the firewall cluster members should tell you the status of each of the cluster members from the point of view of the cluster member you are running the command on. Here is an example output:

    Working mode:   Active up (unique IPs)

    Number      Unique Address     State
    1           192.168.11.132     active
    2 (local)   none*              standby

NOTE
If you see none in the unique address for one of the cluster members, you need to reboot the module, then run the cphaprob state command again. It can also mean that the member is not correctly configured in the SmartDashboard GUI and that no secured interface exists on the member.

You can also use this command with different arguments to provide details of interfaces. The syntax for examining the interfaces on the local member is cphaprob -a if. The command will tell you the status of each interface and the virtual cluster IP addresses. In this example, the local cluster member is in Standby mode:

    Required interfaces: 3
    Required secured interfaces: 1
    hme0    UP                    (secured, unique)
    qfe0    DOWN (2505.8 secs)    (non secured, unique)
    qfe2    UP                    (non secured, unique)
    qfe3    UP                    (non secured, unique)

    Virtual cluster interfaces: 3
    qfe0    195.166.16.130
    qfe2    192.168.12.130
    qfe3    192.168.1.130

In this example, we can see that the interface qfe0 is down—probably a cable or interface problem. Looking at the information further down, we see that qfe0 is associated with the VIP address of 195.166.16.130, the external interface, so that is where we should start looking for network problems. Until this problem is resolved, we expect this member to stay in Standby mode; hopefully another member in the cluster will be active.

cpstat ha

The cpstat ha command gives detailed status information from the local member—similar information to that displayed by the SmartView Status GUI.
Run without arguments, the output of this command is something like:

    Product name:   High Availability
    Version:        NG Feature Pack 3
    Status:         OK
    HA installed:   1
    Working mode:   High availability
    HA started:     yes

More usefully, you can use the syntax cpstat -f all ha to get this:

    Product name:          High Availability
    Major version:         5
    Minor version:         0
    Service pack:          3
    Version string:        NG Feature Pack 3
    Status code:           0
    Status short:          OK
    Status long:           OK
    HA installed:          1
    Working mode:          High availability
    HA protocol version:   2
    HA started:            yes
    HA state:              active
    HA identifier:         1

    Interface table
    ----------------------------------------------------
    |Name|IP            |Status|Verified|Trusted|Shared|
    ----------------------------------------------------
    |hme0|192.168.11.131|Up    |       0|      1|     0|
    |qfe0|195.166.16.131|Up    |     500|      0|     0|
    |qfe2|192.168.12.131|Up    |       0|      0|     0|
    |qfe3| 192.168.1.131|Up    |       0|      0|     0|
    ----------------------------------------------------

    Problem Notification table
    ------------------------------------------------
    |Name           |Status|Priority|Verified|Descr|
    ------------------------------------------------
    |Synchronization|OK    |       0|     198|     |
    |Filter         |OK    |       0|     188|     |
    |cphad          |OK    |       0|       0|     |
    |fwd            |OK    |       0|       0|     |
    ------------------------------------------------

How Does ClusterXL HA New Mode Work?

In HA New mode, on each member of the cluster, each interface that will share a VIP address will keep its existing MAC address. No additional shared MAC addresses are used. When a client that is on the nonsecured network ARPs for the virtual IP (which will be the client's default gateway IP address), the cluster member that is active will reply with its MAC address and so will receive the through-routed traffic. Note that a client should still be able to connect to any of the valid IP addresses of the cluster on the same local subnet, regardless of which member is active (assuming that the interface is not down, the OS hasn't crashed, and the local firewall policy does not prevent it).
Because all members are "live" but only one handles traffic, HA New mode could be seen as load sharing, but with 100 percent of the traffic going through one member only and all other members on standby having 0 percent of the traffic. This is opposed to traditional HA solutions in which the standby members are "offline" and unreachable. If we consider the diagram in Figure 6.40, we can see that member fw1 is active and fw2 is in Standby mode.
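The chapter notes that cphaprob can feed tailored status checking. As an added example (not code from the book or from Check Point), the following script parses the cphaprob -a if output shown in the diagnostics section above and raises an alert for each DOWN interface, mapping it to the VIP it carries so the operator knows which network to look at first. The regular expressions assume the column layout reproduced in this chapter; the sample text is constructed to match the standby member with qfe0 down.

```python
import re

# Constructed sample of `cphaprob -a if` on a standby member with qfe0 down,
# laid out as in the chapter (this is an added example, not the book's text).
SAMPLE_IF = """\
Required interfaces: 3
Required secured interfaces: 1
hme0    UP                    (secured, unique)
qfe0    DOWN (2505.8 secs)    (non secured, unique)
qfe2    UP                    (non secured, unique)
qfe3    UP                    (non secured, unique)

Virtual cluster interfaces: 3
qfe0    195.166.16.130
qfe2    192.168.12.130
qfe3    192.168.1.130
"""

# Interface line: name, UP/DOWN, optional "(N secs)" down time, secured flag.
IF_LINE = re.compile(
    r"^(\w+)\s+(UP|DOWN)(?:\s+\(([\d.]+) secs\))?\s+\((secured|non secured)")
# Virtual cluster interface line: interface name followed by its VIP.
VIP_LINE = re.compile(r"^(\w+)\s+(\d+\.\d+\.\d+\.\d+)\s*$")

def parse_interfaces(text):
    """Return {name: {status, secured, down_secs, vip}} from cphaprob -a if output."""
    ifaces = {}
    for line in text.splitlines():
        m = IF_LINE.match(line)
        if m:
            name, status, secs, kind = m.groups()
            ifaces[name] = {"status": status, "secured": kind == "secured",
                            "down_secs": float(secs) if secs else 0.0, "vip": None}
            continue
        m = VIP_LINE.match(line)
        if m and m.group(1) in ifaces:  # map the VIP back onto its physical interface
            ifaces[m.group(1)]["vip"] = m.group(2)
    return ifaces

def interface_alerts(text):
    """One alert per DOWN interface, naming the VIP it carries (or the sync network)."""
    alerts = []
    for name, info in sorted(parse_interfaces(text).items()):
        if info["status"] != "DOWN":
            continue
        where = f"VIP {info['vip']}" if info["vip"] else (
            "sync network" if info["secured"] else "no VIP")
        alerts.append(f"{name} DOWN for {info['down_secs']:.0f}s ({where})")
    return alerts
```

A down secured interface (hme0 here) is reported as the sync network rather than a VIP, since that is the path state synchronization depends on.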