Blue Coat Support Forum

[lvander]

Good morning,
We are having problems with multicating between our BlueCoat devices. We have 2x 8100-5 ProxySG devices sitting in a DMZ. They are sitting behind a Cisco 6513 (setup as a layer3 switch). The devices are configured to be active active, using DNS RoundRobin for load-balancing.

Our issue right now is that the devices can not communicate with each other via the multicast/broadcast communication, so they are unaware of which one is master. This is causing multiple issues with nightly process that run.

I believe that the BlueCoat side is configured properly using two VIP’s one being the master on each device. Each VIP has it’s own multicast IP of 224.x.x.x. Currently device A shows the first VIP as master, and so does device B. Same goes for the 2nd VIP, both devices showing as master.

Failover Config (from device A)
Group Address: 10.x.x.x
Multicast Address : 224.1.2.2
Local Address : 10.x.x.x
Secret : none
Advertisement Interval : 20
Priority : 254
Current State : MASTER
Flags : V(Virtual IP) M(Configured Master)

Group Address: 10.x.x.x
Multicast Address : 224.1.2.3
Local Address : 10.x.x.x
Secret : none
Advertisement Interval : 20
Priority : 100
Current State : MASTER
Flags : V(Virtual IP)

Global multicasting has been turned up on the switch, however the devices still will not communicate with each other. Short of putting in two static routes on the switch for the MAC of each VIP, I’m not sure what to do next. Logical next step would be to purchase a Physical load-balancer for that DMZ to eliminate the need for multicasting but we are hopping to use the current hardware we have in place.

Does anyone have any idea where or what to look at next?
Thanks in advance…

[w3wjr]

Do a capture on each bluecoat, for each 224 address. your looking to see if you see this packet on both sides of the switch
I think it's something like ip host 224.1.1.2

Do you see the packet leave BC 1 every 90 seconds, do you see it arrive at BC2 at the same time? Then do it again for the other IP address

My bets are this has to do with multicast not being enabled on 6500 that handles the trunk that supports the 2 bluecoats.

[lvander]

Correct we are not seeing the packet arrive on the either side. My T-Comm group has enabled multicasting on the switch, however it still does not work. They are wondering now if they need to make specific entries in the ACL’s to reflect each destination. That’s where they are not sure.

[lvander]

Sill working to get this resolved. I will make sure to update this post once I have a resolution.

[onepob]

Maybe you did this already. Search this forum for multicasting. There seems to be a lot of activity back in 2007 concerning multicasting issues between BC and Cisco devices. Maybe you will find something that applies to your situation.

[will]

Your multicast addresses are different for each box...

They need to be the same.

[lvander]

Thanks for the feedback!

From what we have learned we are not able to perform this the way we intended. What we were trying to accomplish was an active/active mode with two devices, with the load being distributed via DNS Round-Robin. In order to do that we needed to have a VIP address assigned to each device with multicasting enabled on the network so they could communicate. With a single VIP and both devices sharing the multicast address, that would only give us an active passive mode.

In order to make this work we would have had to create a layer 3 connection which would open a hole in our firewall from the inside out. Because of potential security risks we decided not to go this route.

As of right now I am working to get a load-balancer in place on that DMZ. This will allows us to eliminate the need for the VIP an multicasting. It will also provide us with an active/active environment where the load will be balanced evenly via the load-balancer.

This has been a learning experience and with a little more time we will have everything working fine.

Thanks…

[will]

yup, go the LB route. no mcast required and the ability to deploy active/active.

[singh47@un.org]

We are trying to set up Parallel failove on SG 810 by using VIP. Both proxies have configured for Multicast IP's, Bridge group and VIP as per documentation. But it's really giving me hard time I am getting very frequent network error.
Below is configuration, kindly some one advise me.
BC01

Version: SGOS 5.3.3.1 Proxy Edition
BEGIN networking
interface 0:0 ;mode
ip-address 10.134.253.12 255.255.255.0
exit
interface 1:0 ;mode
ip-address 10.134.254.12 255.255.255.0
exit
bridge ;mode
create "UNMIT-BC"
edit "UNMIT-BC" ;mode
failover group 10.134.253.14
attach-interface 0:0
spanning-tree 0:0 enable
exit
exit
ip-default-gateway 10.134.254.1 1 100
dns-forwarding ;mode
edit primary
clear server
add server 10.134.8.14
add server 10.134.4.12
exit
edit alternate
clear server
exit
exit
END networking
BEGIN networking
virtual-ip clear
virtual-ip address 10.134.253.14
failover ;mode
create 10.134.253.14
edit 10.134.253.14
multicast-address 224.1.2.12
interval 20
enable
exit
exit
END networking

UNMIT-BC01#show failover configuration
Failover Config
Group Address: 10.134.253.14
Multicast Address : 224.1.2.12
Local Address : 10.134.253.12
Secret : none
Advertisement Interval : 20
Priority : 254
Current State : MASTER
Flags : V(Virtual IP) M(Configured Master)

UNMIT-BC01#show failover statistics
Failover Statistics
Advertisements Received : 0
Advertisements Sent : 259
States Changes : 2
Bad Version : 0
Bad Packet : 0
Bad Checksum : 0
Packet Too Short : 0
Bad Packet Header : 0
Invalid Group : 0

BC02
Version: SGOS 5.3.3.1 Proxy Edition
BEGIN networking
interface 0:0 ;mode
ip-address 10.134.253.13 255.255.255.0
exit
interface 1:0 ;mode
ip-address 10.134.254.13 255.255.255.0
exit
bridge ;mode
create "UNMIT-BC"
edit "UNMIT-BC" ;mode
failover group 10.134.253.14
attach-interface 0:0
spanning-tree 0:0 enable
exit
exit
ip-default-gateway 10.134.254.1 1 100
dns-forwarding ;mode
edit primary
clear server
add server 10.134.4.12
exit
edit alternate
clear server
add server 10.134.8.14
exit
exit
END networking


BEGIN networking
virtual-ip clear
virtual-ip address 10.134.253.14
failover ;mode
create 10.134.253.14
edit 10.134.253.14
multicast-address 224.1.2.13
interval 20
enable
exit
exit
END networking





UNMIT-BC02#show failover statistics
Failover Statistics
Advertisements Received : 0
Advertisements Sent : 89
States Changes : 2
Bad Version : 0
Bad Packet : 0
Bad Checksum : 0
Packet Too Short : 0
Bad Packet Header : 0
Invalid Group : 0
UNMIT-BC02#show failover configuration
Failover Config
Group Address: 10.134.253.14
Multicast Address : 224.1.2.13
Local Address : 10.134.253.13
Secret : none
Advertisement Interval : 20
Priority : 100
Current State : MASTER
Flags : V(Virtual IP)

[lvander]

Hey, from looking over this log (if I am reading this correct) it looks like you have both BC01 and BC02 using the same VIP address but different multicast addresses, is that correct? And both are stated as master!

What exactly are you trying to accomplish here? Are you trying to setup an active/active proxy, or an active/passive proxy?

[lvander]

Also look at your error logs. Are you seeing any network errors with the devices trying to communicate? You may need to run a pcap to capture the flow! Also are these devices on an internal network? or in a secure DMZ? Are they sitting behind a load-balancer?

[singh47@un.org]

Thanks for reply.

We are trying to setup active/passive, just for failover. I follow the BlueCoat documentation, there is no packet drop when I am pinging to my VIP but on browser very frequently unable to load the page. Same time I checked on BC's the Failover status comes as " Unknown".

[anas.hijjawi]

You have to use the same multicast address, make one of the master

[aberry01]

It is definately possible to setup two SG devices as active/active and use the SG native failover with multicast. I have two devices with this configuration using VIPs as the master and backup IP addresses. The issue with a device not receiving the multicast broadcasts from the other device is probably caused by the network. If the multicast packets need to traverse subnets or multiple pieces of network equipment, the routers and switches may need to be configured to listen for and forward the multicast packets. This is a common issue when using multicast. You can refer to the Cisco documentation for more multicast configurations.

Alan Berry

[lvander]

That’s the same issue I was running into with our network equipment. The devices were not receiving the broadcast between each device to let each other know they were alive. Because of this we were not able to do an active/active environment. There are a few ways you can resolve this but they all depend on the security of your network. My company has a very secure and locked down environment which is why we were not able to make this work. The only resolution for us was to install physical load-balancer.

If you want to use an active/active environment you need to make sure you have 2 VIP’s. One will be the mater on your device A and the other will be the backup. The other device will just be reversed. Your network will need to allow the broadcast between the devices. Cisco does not have this enabled by default, you need to actually change this on the Cisco device. This will also affect if you are trying to do active/passive. Again if the devices can not receive that broadcast it will not know which device is up and which is down, thus they will both fight for traffic causing drop packets. Also keep in mind BlueCoat devices ARE NOT ASYNCHRONOUS so if a failover occurs the traffic will be dropped. Again the only way to resolve this is a physical load-balancer, you can configure the balancer to allow asynchronous connections. This should not be an issue in an active/passive environment but may be if you are trying to run active/active.

Not sure if this help or not! If you need more specific information feel free to contact myself directly, or your BlueCoat Sales Engineer, they should be able to assist you in getting this to work.