Full Cluster Support Tips
Most Recent Version: 2.0 (as of: 5/8/2000)
Questions:
1) I can't find anything to help in this FAQ.
2) How do I install FullCluster?
3) I installed SB and I can't talk to HSRP routers.
4) I am using unicast MAC addresses and get intermittent failures/slow connections.
Answers:
1) I can't find anything to help in this FAQ.
Try the regular Stonebeat FAQ.
2) How do I install Fullcluster?
Consider the following network (the diagram is not reproduced here; the
topology is the one the /etc/hosts entries in step 3c describe): two
FW-1/Stonebeat modules, sb1 (10.4.9.1) and sb2 (10.4.9.2), whose CNICs sit on
the 10.4.9.0 control network and are reachable from the management/GUI
station grappa (10.4.1.105); an internal network 192.168.1.0/24 reached
through the cluster IP 192.168.1.103; and an external network 204.32.38.0/24
reached through the cluster IP 204.32.38.103. Each module also has its own
dedicated (per-node) address on the internal and the external network.

INSTALLATION:
2) Load OS
3) Configure OS
a) harden (optional)
b) edit the /etc/hostname.<if> files. For example, with interfaces le0, le1,
le2 on host sb2, the files should contain:
hostname.le0      sb2            (CNIC: this must be the hostname of the box)
hostname.le1      fwext          (external ONIC, dedicated address)
hostname.le1:1    fwextcluster   (alias on the external ONIC: the cluster address)
hostname.le2      fwint          (internal ONIC, dedicated address)
hostname.le2:1    fwintcluster   (alias on the internal ONIC: the cluster address)
c) edit the /etc/hosts file (the fwint/fwext "dedicated" addresses are per
node; these are sb2's):
10.4.9.2        sb2             #stonebeat module 2
10.4.9.1        sb1             #stonebeat module 1
10.4.1.105      grappa          #control station
192.168.1.102   fwint           #dedicated IP (internal)
192.168.1.103   fwintcluster    #cluster IP (internal)
204.32.38.102   fwext           #dedicated IP (external)
204.32.38.103   fwextcluster    #cluster IP (external)
d) add a file called /etc/rc3.d/S99staticroutes, and in it delete the
routes to the directly connected networks that point via the cluster IP
addresses (the :1 aliases add them as duplicates of the routes via the
dedicated addresses):
route delete net 192.168.1.0 192.168.1.103
route delete net 204.32.38.0 204.32.38.103 -netmask 255.255.255.0
e) edit your profile (.profile, .cshrc, /etc/profile, etc depending on
your shell...), and add:
FWDIR=/etc/fw
SBFCHOME=/opt/fullcluster
#note: may be different depending on where you install stonebeat
PATH=$PATH:/usr/local/bin:$FWDIR/bin:$SBFCHOME/bin
export PATH FWDIR SBFCHOME
#note: this is syntax for /bin/sh & related shells; C-shells will be
different, also, I like to add /usr/local/bin for gzip, tcsh
f) load gzip and tcsh packages (pkgadd -d ..., optional)
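As an added example (not part of this FAQ), the script below stages the files from steps 3b to 3e for one node under a scratch root and sanity-checks them before they are copied into /etc. It uses the interface names (le0/le1/le2), hostnames and addresses given above; the function names, the scratch-root layout and the idea of parameterising the per-node dedicated addresses are this example's own assumptions, and it only needs /bin/sh, awk and mkdir, which any Solaris or other Unix host has.

```shell
#!/bin/sh
# Added example (not from the FAQ): stage /etc/hostname.<if>, /etc/hosts and
# /etc/rc3.d/S99staticroutes for a FullCluster node under a scratch root and
# check them for the mistakes the FAQ warns about.

# sbfc_stage_node ROOT NODENAME INT_IP EXT_IP
#   ROOT      scratch directory standing in for /
#   NODENAME  hostname of this box (sb1 or sb2); goes on the CNIC (le0)
#   INT_IP    this node's dedicated internal address (fwint)
#   EXT_IP    this node's dedicated external address (fwext)
sbfc_stage_node() {
  root=$1 node=$2 int_ip=$3 ext_ip=$4
  mkdir -p "$root/etc/rc3.d"
  # The CNIC must carry the real hostname of the box
  printf '%s\n' "$node"      > "$root/etc/hostname.le0"
  # ONICs, and the :1 aliases that carry the cluster IPs
  printf '%s\n' fwext        > "$root/etc/hostname.le1"
  printf '%s\n' fwextcluster > "$root/etc/hostname.le1:1"
  printf '%s\n' fwint        > "$root/etc/hostname.le2"
  printf '%s\n' fwintcluster > "$root/etc/hostname.le2:1"
  # Cluster and control addresses are shared; fwint/fwext are per node
  cat > "$root/etc/hosts" <<EOF
10.4.9.1        sb1             #stonebeat module 1
10.4.9.2        sb2             #stonebeat module 2
10.4.1.105      grappa          #control station
$int_ip   fwint           #dedicated IP (internal)
192.168.1.103   fwintcluster    #cluster IP (internal)
$ext_ip   fwext           #dedicated IP (external)
204.32.38.103   fwextcluster    #cluster IP (external)
EOF
  # Remove the duplicate connected routes that the cluster-IP aliases add
  cat > "$root/etc/rc3.d/S99staticroutes" <<'EOF'
#!/bin/sh
route delete net 192.168.1.0 192.168.1.103
route delete net 204.32.38.0 204.32.38.103 -netmask 255.255.255.0
EOF
  chmod 744 "$root/etc/rc3.d/S99staticroutes"
}

# sbfc_check_node ROOT NODENAME
#   Prints one line per problem and returns the number of problems (0 = clean):
#   - every name in /etc/hostname.* must resolve through /etc/hosts
#   - hostname.le0 (the CNIC) must be the node's own hostname
#   - the route clean-up script must exist and be executable
sbfc_check_node() {
  root=$1 node=$2 bad=0
  for f in "$root"/etc/hostname.*; do
    name=$(cat "$f")
    # Scan the name columns of non-comment lines, stopping at a trailing comment
    if ! awk -v n="$name" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) { if ($i ~ /^#/) break; if ($i == n) found = 1 } }
        END { exit !found }' "$root/etc/hosts"; then
      echo "$f: name '$name' is not in /etc/hosts"
      bad=$((bad + 1))
    fi
  done
  if [ "$(cat "$root/etc/hostname.le0")" != "$node" ]; then
    echo "hostname.le0 must be the hostname '$node' (CNIC)"
    bad=$((bad + 1))
  fi
  if [ ! -x "$root/etc/rc3.d/S99staticroutes" ]; then
    echo "missing or non-executable /etc/rc3.d/S99staticroutes"
    bad=$((bad + 1))
  fi
  return $bad
}
```

Run it as `sbfc_stage_node /tmp/sb2 sb2 192.168.1.102 204.32.38.102 && sbfc_check_node /tmp/sb2 sb2` and copy the staged files into /etc only when the check returns 0; running the check with the wrong node name is a quick way to confirm that the CNIC file really carries the box's hostname.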
4) Install FW-1
a) Install FW-1 firewall modules on sb1 and sb2. Load the management station
on grappa.
b) Create network objects for sb1 and sb2, defined in terms of their CNIC
interfaces. Get interfaces. Build a policy and install it.
c) edit the /etc/fw.boot/ifdev file and add the line:
sbif deny
(IMPORTANT: the system will hang if you don't do this. You may want "sbif
allow" instead in some odd failover NAT situations.)
d) Optional: do state sync ($FWDIR/conf/sync.conf, do putkeys, sync
clocks, restart fw)
e) you may get asynchronous routing (the two directions of a connection
passing through different modules). If you are doing NAT this may be a
problem. It can be fixed with Stonebeat's filter.conf file, but pings tend
to be a problem in Hide translation; enable stateful ICMP (in
$FWDIR/lib/fwui_head.def, uncomment the line that says "#define
STATEFUL_ICMP_LOG").
5) Install Stonebeat modules on sb1, sb2
Load all the packages:
SBFCbase
SBFCdrv
SBFCmod
SBFCsnmp
6) Install stonebeat GUI on grappa
CONFIGURATION:
1) After reboot, run "sbfcconfig" (should be
in path, $SBFCHOME/bin)
a) Pick a CA. It can be any of the stonebeat modules (sb1, sb2); for this
exercise, choose sb2.
b) on the CA, run "sbfcconfig" and pick "Generate Keys & Certs"
i) Create a CA key & cert, giving the info requested. For CN (common name)
it is probably best to name the machine, e.g. "CA". You will need a PEM
passphrase to protect the private key. Remember THIS!!!
ii) Create a module key and cert and sign it with the CA key. Use a CN of
"modsb2", for example. Certs CANNOT be identical (give every one a distinct
CN) or you will get an error.
iii) Create a client key & cert as above. Use a CN of "GUI", for example.
iv) This creates a bunch of files in the $SBFCHOME/etc/cert directory. Copy
them all to $SBFCHOME/etc (except cacert.key: you don't want to distribute
the CA's private key), and to the same directory on the GUI machine
(grappa). This is required for SSL control communication.
v) Now create another module key & cert. The first one was for the module
the CA is running on (sb2); sb1 needs its own. Use a CN of "modsb1". Copy
everything in the "cert" directory (again leaving cacert.key behind) to
$SBFCHOME/etc on sb1.
2) OK, now run "sbfcconfig" on both sb1 & sb2
a) Set a passphrase. This is the PEM passphrase that unlocks the module's
private key.
b) Install a license. You can get one at mybeat.stonebeat.com if you have a
partner login. Use a license issued for the CNIC IP address. You need one
license per stonebeat module, but none for the GUI. License FullCluster, not
regular Stonebeat.
c) Configure this node (host)
i) Node ID: unique integer (1-16) within the cluster (different for sb1 and sb2)
ii) Cluster ID: integer (1-65535) identifying the cluster (the same on sb1 and sb2)
iii) Capacity: run the autoconfig
iv) Load interval (15-150 seconds): how often the cluster nodes redistribute load
v) Interfaces
1) Heartbeat protocol interface: the heartbeat link. This can be the same
as the control interface; if it is, DON'T edit the control interface
separately, you configure it here. Keep the box's default MAC and IP
addresses. Enter a multicast MAC for heartbeat traffic (one whose first
byte has its low-order bit set, e.g. 1:1:1:1:1:1). Assign the control IP
and port IF THIS WILL ALSO BE the control interface: the CNIC address of
the box you are on, port 3002.
2) Operational interfaces: again, leave the IP and MAC as the default,
enable multicast, and give the cluster multicast MAC (e.g. 1:1:1:1:1:1).
Do this for both le1 and le2.
3) Go back and exit out of sbfcconfig.
When you exit, your changes will be written to disk (node.conf).
Pay attention to any errors you might get at this point.
SB will tell you if you haven't configured something you should.
4) Run the Stonebeat GUI on grappa
a) Change the password to the PEM phrase protecting the GUI key.
b) Create a new FullCluster site.
c) Add two members to the site (sb1 & sb2), giving their Node ID, name, IP
and connect port (3002).
d) Right-click on the cluster and "connect".
e) The two stonebeat modules should go from gray (disconnected) to blue
(offline).
f) Right-click on the blue modules and say "go online". They will turn
green and maroon.
g) If you make changes to the modules (say, with sbfcconfig, or by adding
tests), reconfigure by right-clicking on the online modules and choosing
"reconfigure". Once a module is reconfigured, right-click and "restart",
then right-click and "go online" (yes, you have to do three things).
5) Add tests (the checklist)
a) Edit the $SBFCHOME/etc/checklist file on the module.
b) Add an entry with the syntax:
name interval action retry timeout test-name params
where:
name: just a string
interval: how often the test is run, in seconds
action: one of alert, offline, disabled
retry: how many times to try before giving up
timeout: when to finally give up, in milliseconds (up to 30000, i.e. 30 seconds)
test-name: an internal SB test or the full path to an external test
params: optional parameters for test-name
c) Example, pinging 204.32.38.250 every 20 seconds and taking the module
offline once 3 attempts have each timed out after 3 seconds:
pingout 20 offline 3 3000 /usr/sbin/ping -n 204.32.38.250
d) Reconfigure through the GUI (reconfigure, restart, go online, as in 4g).
6) filter.conf (see docs). This file lets you force certain networks to
always use sb1 or sb2 (or sb3, etc.). It must be edited by hand, and a
failure of a box that networks are pinned to in this way may not fail over
to another SB box.
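Checklist mistakes only show up as errors at reconfigure time, so, as an added example that is not part of this FAQ, the shell function below checks a checklist file against the field rules given above (integer interval and retry, the three permitted actions, timeout in milliseconds up to 30000, full path for an external test) before you push a reconfigure from the GUI. The set of internal test names is not given in the FAQ, so any test-name that is not a path is accepted; the function name and the error wording are this example's own.

```shell
#!/bin/sh
# Added example (not from the FAQ): validate $SBFCHOME/etc/checklist entries
# of the form "name interval action retry timeout test-name params".

# sbfc_validate_checklist FILE
#   Prints one line per problem and returns the number of problems (0 = clean).
sbfc_validate_checklist() {
  file=$1 bad=0 lineno=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case "$line" in ''|\#*) continue ;; esac       # blank lines and comments
    set -f                                          # params may contain "*"
    set -- $line
    set +f
    if [ $# -eq 0 ]; then continue; fi              # whitespace-only line
    if [ $# -lt 6 ]; then
      echo "line $lineno: need name interval action retry timeout test-name"
      bad=$((bad + 1)); continue
    fi
    interval=$2 action=$3 retry=$4 timeout=$5 testname=$6
    case "$interval" in *[!0-9]*)
      echo "line $lineno: interval '$interval' must be whole seconds"
      bad=$((bad + 1)) ;;
    esac
    case "$action" in alert|offline|disabled) ;; *)
      echo "line $lineno: action '$action' must be alert, offline or disabled"
      bad=$((bad + 1)) ;;
    esac
    case "$retry" in *[!0-9]*)
      echo "line $lineno: retry '$retry' must be an integer"
      bad=$((bad + 1)) ;;
    esac
    case "$timeout" in
      *[!0-9]*)
        echo "line $lineno: timeout '$timeout' must be milliseconds"
        bad=$((bad + 1)) ;;
      *)
        if [ "$timeout" -gt 30000 ]; then
          echo "line $lineno: timeout $timeout ms exceeds the 30000 ms maximum"
          bad=$((bad + 1))
        fi ;;
    esac
    case "$testname" in
      /*) ;;                                        # external test with full path
      */*)
        echo "line $lineno: external test '$testname' needs its full path"
        bad=$((bad + 1)) ;;
    esac
  done < "$file"
  return $bad
}
```

Run `sbfc_validate_checklist $SBFCHOME/etc/checklist` on each module and only reconfigure when it returns 0; a line such as `slowping 20 offline 3 60000 /usr/sbin/ping -n 204.32.38.250` is rejected because 60000 ms is twice the permitted maximum.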
NOTES:
1) If a box goes offline, the admin must force it back online. It will not
autojoin the cluster.
2) If you want VPNs to fail over, you must use the FW-1 4.1 clustering
capabilities with state sync.
3) I installed SB and I can't talk to HSRP routers.
Typical symptoms include traceroutes that ping-pong between the HSRP
routers. Cisco devices doing HSRP can't talk to multicast MAC addresses (an
odd first byte, i.e. the group bit set), even (or especially) with static
ARP entries. Remove the static ARP entries on the routers and put SB in
unicast MAC mode:
Run sbfcconfig, go into interface configuration and choose the relevant
interface. When it asks if you want to change this interface, say "yes" and
update the interface with the SHARED MAC and IP address. When it asks for
multicast support, choose "no".
4) I am using unicast MAC addresses and get intermittent failures/slow connections.
The switch is probably not flooding frames for the shared unicast MAC on the
SB interface's VLAN: a switch learns a unicast MAC on one port and forwards
frames for it to that port only, so whichever module it last heard from
gets all the traffic and the other sees none until the address "moves"
again. Switches like to filter this. Replace the switch with a hub, use
multicast MACs, or allow unicast flooding on the VLAN.
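The "odd first byte" rule in question 3 and the multicast-MAC advice in the interface configuration both come down to one bit: the low-order bit of the first octet (the I/G, or group, bit). As an added example that is not part of this FAQ, the functions below test that bit and check that the MAC you are about to type into sbfcconfig agrees with the answer you give to its "multicast support" question. The function names and messages are this example's own; 0:0:c:7:ac:1 in the usage is the well-known HSRP virtual MAC pattern and is used only as a unicast sample.

```shell
#!/bin/sh
# Added example (not from the FAQ): classify a MAC as multicast/unicast and
# check it against the multicast yes/no answer given to sbfcconfig.

# sbfc_mac_is_multicast MAC
#   returns 0 if the I/G bit (low-order bit of the first octet) is set,
#   1 for a unicast MAC, 2 if the string is not six colon-separated hex octets
sbfc_mac_is_multicast() {
  mac=$1
  case "$mac" in ''|*:|:*) return 2 ;; esac
  old_ifs=$IFS; IFS=:; set -- $mac; IFS=$old_ifs
  [ $# -eq 6 ] || return 2
  for octet; do
    case "$octet" in
      [0-9A-Fa-f]|[0-9A-Fa-f][0-9A-Fa-f]) ;;
      *) return 2 ;;
    esac
  done
  [ $(( 0x$1 & 1 )) -eq 1 ]
}

# sbfc_check_interface MAC MODE
#   MODE is "multicast" or "unicast", the answer to sbfcconfig's multicast
#   support question. Prints advice; returns 0 when MAC and mode agree.
sbfc_check_interface() {
  mac=$1 mode=$2
  kind=0; sbfc_mac_is_multicast "$mac" || kind=$?
  if [ "$kind" -eq 2 ]; then
    echo "$mac: not a valid MAC address"; return 1
  fi
  case "$mode:$kind" in
    multicast:0)
      echo "$mac: multicast MAC in multicast mode: OK (HSRP routers cannot ARP for it)" ;;
    multicast:1)
      echo "$mac: multicast mode needs a MAC with the I/G bit set (odd first byte)"
      return 1 ;;
    unicast:1)
      echo "$mac: shared unicast MAC: OK, but the switch must flood it on the VLAN (or use a hub)" ;;
    unicast:0)
      echo "$mac: unicast mode but the MAC has the I/G bit set; HSRP routers will not talk to it"
      return 1 ;;
    *)
      echo "mode must be multicast or unicast"; return 1 ;;
  esac
}

# usage: sbfc_check_interface 1:1:1:1:1:1 multicast; sbfc_check_interface 0:0:c:7:ac:1 unicast
```

Both checks are worth running before you answer sbfcconfig's prompts: a multicast MAC with multicast support set to "no", or a unicast MAC with it set to "yes", gives exactly the silent ARP and switch-learning failures that questions 3 and 4 describe.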
Copyright 2006, Security Evolution, Inc.