Thanks for the info.
I'm not sure what I said to indicate an immediate split brain situation,
because it never happened immediately. The problem was more along the
lines that the failover wouldn't work properly whenever it had to do so.
The first firewall would stop but the second never started properly. At
that time, we had no firewall. There was a script written by the guy
that installed this that was supposed to move the outside IP/MAC along
with starting the firewall. That script seemed to have failed. So in all
of this, it appears heartbeat was failing in some way.
After further reading, though, and poring through many posted examples
of simple HA IP control, I've found that I can use the fence_ipmilan
fence agent to perhaps simplify a lot of the issues I've been struggling
with for a two node HA firewall. It's no guarantee that it will work,
but at least I can try it.
Bonded interfaces and dual switches seem to be a great idea as well.
I still haven't determined what throws the gratuitous arp signal yet for
the outside interface, but we're going to get new routers and hopefully,
this will provide some relief for the old problem I have seen with all
of the HA we've ever tried to use here (including a very early release
of UltraMonkey, a very early attempt at HA packaging. It worked fine,
but the ARP problem caused us to throw that out).
On 6/29/2012 5:06 AM, Alexander Runge wrote:
> Hi Steve,
> I don't understand why your setup immediately runs
> into a split brain situation. This would indicate that your
> heartbeat communication isn't working at all.
> However, in order to stop immediate fencing you may try this:
> crm configure property no-quorum-policy=ignore
> crm configure property stonith-enabled=false
> On 06/20/2012 01:57 PM, Steve Campbell wrote:
>> I'm starting the process all over again of considering clustered
>> firewalls. I've two new servers to work with, and I'm going to use
>> Centos 6.2 on these boxes.
>> Each time I begin this consideration, I run into a brick wall due to the
>> Centos High Availability packages' insistence on using power fencing.
>> All I really want to do is test the theory of clustered firewalls, but
>> that fencing problem is a show-stopper.
>> The cookbook explains how it should be done with heartbeat and two
>> servers, but the new Centos documentation on HA doesn't help much in the
>> way of duplicating this setup, and the heartbeat web site now suggests
>> that changes have been made to the way things should be done, things
>> like using Pacemaker, and the like.
>> Maybe I'm confusing things, and don't understand the functions provided
>> by RedHat/Centos and their group packages. I realize that split-brain is
>> the reason for all this fencing goo, but I just want to mimic what
>> appears to be a simple heartbeat from the cookbook where I have two
>> firewalls and a third server to provide odd-numbered quorum (or maybe
>> just the two firewalls without the quorum). In my mind, I shouldn't need
>> the third server, since the alternative to HA would just be two servers
>> for firewalls, one being primary, and the second sitting there in
>> waiting for some catastrophe to happen to the primary. I'd then do a
>> manual startup of the firewall on the secondary.
>> HA would be nice since our computer operations staff is not here around
>> the clock any more to do the manual startup. Can anyone provide a clear
>> explanation of how the two-server/HA solution might be accomplished
>> using a Centos 6.2 OS and what packages/groups of packages they would use?
>> An explanation of how this would work from the standpoint of failover
>> would be nice. Again, I might be misunderstanding how all this SHOULD
>> work, so if you see flaws in my conception, please point that out as well.
>> Our current setup is supposed to do the trick, but the failover has
>> never worked. It uses the third server setup along with heartbeat and
>> I'm guessing it was a square hole/round peg installation.
>> Thanks in advance.
>> steve campbell
>> Fwbuilder-discussion mailing list