To test this feature, visit your live site.

HA path-monitoring - use same IP's?

Hi,

I have an active/passive pair with path-monitoring. The primary is monitoring 4.2.2.1 for ISP1 and 4.2.2.2 fo ISP2, so if either IP is not reachable, failover will occur.

My question is, should the passive fw monitor the same IP addresses, or different ones such as 8.8.8.8 and 8.8.4.4?

Thoughts welcome.

7 comments

Comments (7)

Reaper

Apr 10, 2023

Well it depends right. What caused the path monitor in the primary to fail. If the same condition applies to the secondary (same ISP router for example), it will also fail over (flap).

CyberforceZero

Apr 10, 2023

Replying to

Path monitoring failed with the current configuration already, but didnt' flap. One ISP was out, and the firewall setup failed over to the secondary. The setup never flapped back to the primary, it stayed on the secondary until we manually failed back.

Reaper

Apr 10, 2023

If you monitor exactly the same ips and those ips are unreachable due to an upstream issue, your cluster will "flap" until the max flap count is reached at which time one member will end up in forced suspend. I usually study the physical connections/locations/paths to determine if the same ips make sense. Sometimes they do (cause fw2 is connected to different is routers) sometimes they don't (same path so same potential of failure) at which time I simply disable path monitor on the secondary, or use different ips to monitor when applicable

Reaper

Apr 10, 2023

Replying to

The flapping in this example would be triggered due to the same path monitoring failing

CyberforceZero

Apr 10, 2023

Replying to

Right, but it won't flap if I'm not using preemption. So in that case is it ok to use the same monitoring IP addresses on the secondary, or should I just turn off monitoring on the secondary since there's no need to have it?

CyberforceZero

Apr 10, 2023

Replying to

I like the idea of checking the locations/paths, thanks.

Forum: Forum