Pacemaker Cluster Issue - Backup Firewall does not take over in case network cable unplugged from Primary Firewall

Question

I have an issue with pacemaker cluster.

I have two firewalls that I am using in Active/ Backup HA. The heartbeat IPs are 10.0.0.1 (FW 1) & 10.0.0.2 (FW 2) on a dedicated network. Traffic IPs on LAN network are 131.107.2.2 (FW 1), 131.107.2.3 (FW 2) and virtual IP is 131.107.2.101. Traffic IPs on WAN network are 192.168.100.98 (FW 1), 192.168.100.99 (FW 2) and virtual IP is 192.168.100.101.

If FW 1 is powered off, FW 2 takes over as intended but if the network cable is removed on LAN network, the switching does not happen. Following components are being used in the cluster:

pacemaker
corosync
drbd
contrackd

Any help is greatly appreciated.

Do you mean the direct connection between the two firewalls? Or the LAN connection to your internal network? — Lenniey, Jul 04 '17 at 12:49

score 0 · Answer 1 · answered Jul 05 '17 at 14:30

You need to tell Pacemaker you care about interfaces failing. Look at the ocf:pacemaker:ping resource. You can use that resource-agent to ping other host (defined with host_list param) on the different networks, and Pacemaker will react if those pings fail.

If you group the ocf:pacemaker:ping resources, or use constraints to relate them with whatever else you're managing in Pacemaker, they'll all move together.

Pacemaker Cluster Issue - Backup Firewall does not take over in case network cable unplugged from Primary Firewall

1 Answers1