Troubleshoot FireCluster
Applies To: Locally-managed Fireboxes
This section describes common issues that you might encounter with FireCluster and provides details on how to address those issues.
Cluster Master Cannot Discover the Other Cluster Member
When you enable FireCluster or use the Discover Member command in Firebox System Manager to discover a new member, the cluster master uses the configured cluster interface to discover the cluster member.
If the cluster master does not discover the new member:
- Make sure the cluster member Firebox is the same Firebox model and runs the same Fireware version as the cluster master.
- Make sure the Fireboxes are correctly connected to the correct cluster interface port on each Firebox.
- Make sure the new cluster member is started in factory-default settings. For more information on how to reset a Firebox, go to Reset a Firebox.
- If the cluster member has already been configured and is not currently in a factory-default state, you can save the configuration file of the cluster master to the cluster member Firebox to configure it as the backup master.
You might receive an error message in Firebox System Manager for the active cluster member that "The cluster members are running different Fireware OS versions", even if the Fireware versions of the members are the same. This occurs because the cluster members are not synchronized with each other. Check your connections, and use the Discover Member command again to establish the connection.
FireCluster Member is Inactive
If a cluster member (backup master) shows an "inactive" status, the cluster master was unable to contact this device.
- This status can indicate that the device is powered off, or is in the process of a reboot or upgrade.
- This status can also indicate a model mismatch, Fireware version mismatch, or a failed or disconnected cluster interface.
- Make sure the cluster member Firebox is the same Firebox model and runs the same Fireware version as the cluster master.
- Make sure the Fireboxes are correctly connected to the correct cluster interface port on each Firebox.
If the cluster member was already configured and is not currently in a factory-default state, it will not be automatically or manually discovered by the cluster master. To work around this issue, you can save the configuration file of the cluster master directly to the cluster member Firebox. For more information, go to Alternate FireCluster Configuration.
To automatically or manually discover a cluster member, you must start the cluster member Firebox in a factory-default state. For more information on how to reset a Firebox, go to Reset a Firebox.
FireCluster Status Not Available
If the FireCluster status information in the Dashboard > Front Panel section of Fireware Web UI or the Front Panel tab in Firebox System Manager does not load or display, there might be an issue with communications on the cluster interfaces of the two Fireboxes.
The primary and backup cluster interfaces must be on different, unused subnets. Make sure that you use subnets that do not overlap with any other local networks or VPN subnets such as BOVPN Virtual Interface IP Addresses. To avoid IP address conflicts with routable IP addresses, we recommend that you use Automatic Private IP Addressing (APIPA) subnets, also known as link-local addresses (169.254.0.1–169.254.255.254 with subnet mask 255.255.0.0).
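As an added example (not part of the WatchGuard documentation), this Python check tests a proposed pair of cluster interface subnets against the rules above: the two subnets must differ, must not overlap any network already in use, and are flagged when they fall outside the recommended link-local range. The network names and addresses in `IN_USE` are constructed sample values, and the check assumes IPv4.

```python
import ipaddress

# Recommended range for cluster interfaces (APIPA / link-local).
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample inventory of subnets already used on the Firebox.
IN_USE = {
    "Trusted": "10.0.1.0/24",
    "Optional": "10.0.2.0/24",
    "BOVPN virtual interface": "169.254.10.0/30",
}

def check_cluster_subnets(primary, backup, in_use):
    """Return {'errors': [...], 'warnings': [...]} for the proposed subnets.

    primary/backup accept an interface address with mask ("169.254.0.1/30")
    or a network ("169.254.0.0/30"); strict=False normalises both forms.
    """
    errors, warnings = [], []
    nets = {
        "primary": ipaddress.ip_network(primary, strict=False),
        "backup": ipaddress.ip_network(backup, strict=False),
    }

    # Rule 1: primary and backup cluster interfaces must be on different subnets.
    if nets["primary"].overlaps(nets["backup"]):
        errors.append("primary and backup cluster subnets overlap")

    for role, net in nets.items():
        # Rule 2: no overlap with local networks or VPN subnets.
        for label, cidr in in_use.items():
            other = ipaddress.ip_network(cidr, strict=False)
            if net.overlaps(other):
                errors.append(f"{role} {net} overlaps {label} ({other})")
        # Recommendation: stay inside 169.254.0.0/16 to avoid routable conflicts.
        if not net.subnet_of(LINK_LOCAL):
            warnings.append(f"{role} {net} is outside {LINK_LOCAL}")

    return {"errors": errors, "warnings": warnings}

if __name__ == "__main__":
    for pair in [("169.254.0.1/30", "169.254.1.1/30"),
                 ("10.0.1.8/29", "169.254.10.0/30")]:
        print(pair, check_cluster_subnets(*pair, IN_USE))
```

Note that a link-local subnet can still collide with another link-local assignment, such as the BOVPN virtual interface in the sample inventory, so the overlap check applies even when the APIPA recommendation is followed.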
Failover to the Backup Master Device Does Not Occur Unless You Physically Power Off the Master Device
In a FireCluster, a health metric called the Weighted Average Index indicates the health of each member. This index measures the status of monitored ports, processes, and hardware. If the Weighted Average Index of the backup master is lower than that of the cluster master, failover cannot occur. To view the Weighted Average Index and other health information for each cluster member, you can review the Cluster Health section of the Status Report.
If the Weighted Average Index for one member is lower, review the other contributing indexes to determine whether that device has a possible hardware, software, or connectivity issue. For more information about the health indexes, go to Monitor Cluster Health.
Unable to Connect to a Specific Cluster Member
When you configure a FireCluster, you designate a Management IP address for each cluster member. If you cannot connect to a specific FireCluster member, make sure your management computer has a route to the Management IP address for that cluster member. For more information, go to About FireCluster Management IP Addresses.
Eliminate FireCluster as a Factor in a Network or Firebox Issue
To eliminate the FireCluster as a factor, you can temporarily disable FireCluster in the configuration.
- Create a FireCluster Backup Image of your cluster master device.
- Power off the backup master.
- On the cluster master device, clear the Enable FireCluster check box.
If there is no change, it is unlikely that this issue is related to your FireCluster configuration. You might have to examine the physical or logical architecture of your network. To learn more about FireCluster network architecture, go to FireCluster.
When you disable the FireCluster, the backup master restarts with factory-default settings. To get the FireCluster back up, you must restore the backup image and then power on the other cluster member. If you neglect to perform this step, the other cluster member attempts to become the master again once it is powered back on, and you then have two Fireboxes with the same configuration and no cluster.