TDEVIDAL07,

TDEVIDAL07 · ‎04-26-2017

Hello,

I try to deploy 2 vWSA in HA mod in VMWARE,

I have :

2 vWSA which make proxy correctly independantly

Failover group right configured

1 vSwitch in VMWARE

2 groups of ports (1 for the M1, 1 for the P1)

I can ping the virtual IP but, both vWSA are in Master mode, so the proxy don't work.

I don't know how to resolve it, i'have try all promiscious mode, forged transmit and MAC modification (in all combinaison of accept/reject).

Any idea?

Regards,

Farhan Mohamed · ‎04-26-2017

Please see the below link and see if you have deployed everything properly else it won't work:-

www.cisco.com/c/dam/en/us/td/docs/security/content_security/virtual_appliances/Cisco_Content_Security_Virtual_Appliance_Install_Guide.pdf

TDEVIDAL07 · ‎04-27-2017

I think there is 0 information about HA and VMWARE ESXI.

Do i miss something?

The problem is for the HA :

The NIC must have promiscious mode in accept to work properly. (Send packet on 224.0.0.18 and receive it)

The NIC must have forged trasmit in reject to be reachable. (Virtual IP can be ping)

But when this two mode are configure like that, NIC can send packets to 224.0.0.18, can be reachable BUT can receive packet from 224.0.0.18 so no one enter in backup stance and the vritual IP can't do is job of web proxy.

__________________________________

I had try a fresh install with only the IP configuration

The problem is still present

Appliance Version: S100V

OS: Async 9.0.1-161 (test with build 162 same issue)

Thomas Busch · ‎05-03-2017

TDEVIDAL07,

Please look at the below, especially focusing on the Net.ReversePathFwdCheckPromisc section as this sounds like what you are hitting.

Complete these steps in order to resolve this issue and stop the loop of multicast packets that are sent in the VMware environment:

Enable promiscuous mode on the Virtual Switch (vSwitch).
Enable MAC Address changes.
Enable Forged transmits.
If multiple physical ports exist on the same vSwitch, then the Net.ReversePathFwdCheckPromisc option must be enabled in order to work around a vSwitch bug where the multicast traffic loops back to the host, which causes the CARP to not function with link states coalesced messages. (Refer to the next section for additional information).

Modify the Net.ReversePathFwdCheckPromisc Option

Complete these steps in order to modify the Net.ReversePathFwdCheckPromisc option:

Log into the VMware vSphere client.
Complete these steps for each VMware host:
1. Click host, and navigate to the Configuration tab.
2. Click Software Advanced Settings from the left pane.
3. Click Net and scroll down to the Net.ReversePathFwdCheckPromisc option.
4. Set the Net.ReversePathFwdCheckPromisc option to 1.
5. Click OK.

The interfaces that are in Promiscuous mode must now be set, or turned off and then back on. This is completed on a per-host basis.

Complete these steps in order to set the interfaces:

Navigate to the Hardware section and click Networking.
Complete these steps for each vSwitch and/or Virtual Machine (VM) port group:
1. Click Properties from the vSwitch.
2. By default, Promiscuous mode is set to Reject. In order to change this setting, click edit and navigate to the Security tab.
3. Select Accept from drop-down menu.
4. Click OK.

TDEVIDAL07 · ‎05-03-2017

Hello,

I have found an issue, with a vSwitch with 2 physical interface, HA can't work

But with 1 physical int in a vSwitch, it works fine,

vSwitch mode :

promiscuous: reject

mac adress: accept

Forged: accept

Group of port :

promiscuous: accept

mac adress: accept

Forged: accept

Regards

virtual WSA and VMWARE

Modify the Net.ReversePathFwdCheckPromisc Option