Blue Coat Support Forum

[lvander]

Good morning,
We are having problems with multicating between our BlueCoat devices. We have 2x 8100-5 ProxySG devices sitting in a DMZ. They are sitting behind a Cisco 6513 (setup as a layer3 switch). The devices are configured to be active active, using DNS RoundRobin for load-balancing.

Our issue right now is that the devices can not communicate with each other via the multicast/broadcast communication, so they are unaware of which one is master. This is causing multiple issues with nightly process that run.

I believe that the BlueCoat side is configured properly using two VIP’s one being the master on each device. Each VIP has it’s own multicast IP of 224.x.x.x. Currently device A shows the first VIP as master, and so does device B. Same goes for the 2nd VIP, both devices showing as master.

Failover Config (from device A)
Group Address: 10.x.x.x
Multicast Address : 224.1.2.2
Local Address : 10.x.x.x
Secret : none
Advertisement Interval : 20
Priority : 254
Current State : MASTER
Flags : V(Virtual IP) M(Configured Master)

Group Address: 10.x.x.x
Multicast Address : 224.1.2.3
Local Address : 10.x.x.x
Secret : none
Advertisement Interval : 20
Priority : 100
Current State : MASTER
Flags : V(Virtual IP)

Global multicasting has been turned up on the switch, however the devices still will not communicate with each other. Short of putting in two static routes on the switch for the MAC of each VIP, I’m not sure what to do next. Logical next step would be to purchase a Physical load-balancer for that DMZ to eliminate the need for multicasting but we are hopping to use the current hardware we have in place.

Does anyone have any idea where or what to look at next?
Thanks in advance…

[w3wjr]

Do a capture on each bluecoat, for each 224 address. your looking to see if you see this packet on both sides of the switch
I think it's something like ip host 224.1.1.2

Do you see the packet leave BC 1 every 90 seconds, do you see it arrive at BC2 at the same time? Then do it again for the other IP address

My bets are this has to do with multicast not being enabled on 6500 that handles the trunk that supports the 2 bluecoats.

[lvander]

Correct we are not seeing the packet arrive on the either side. My T-Comm group has enabled multicasting on the switch, however it still does not work. They are wondering now if they need to make specific entries in the ACL’s to reflect each destination. That’s where they are not sure.

[lvander]

Sill working to get this resolved. I will make sure to update this post once I have a resolution.

[onepob]

Maybe you did this already. Search this forum for multicasting. There seems to be a lot of activity back in 2007 concerning multicasting issues between BC and Cisco devices. Maybe you will find something that applies to your situation.

[will]

Your multicast addresses are different for each box...

They need to be the same.

[lvander]

Thanks for the feedback!

From what we have learned we are not able to perform this the way we intended. What we were trying to accomplish was an active/active mode with two devices, with the load being distributed via DNS Round-Robin. In order to do that we needed to have a VIP address assigned to each device with multicasting enabled on the network so they could communicate. With a single VIP and both devices sharing the multicast address, that would only give us an active passive mode.

In order to make this work we would have had to create a layer 3 connection which would open a hole in our firewall from the inside out. Because of potential security risks we decided not to go this route.

As of right now I am working to get a load-balancer in place on that DMZ. This will allows us to eliminate the need for the VIP an multicasting. It will also provide us with an active/active environment where the load will be balanced evenly via the load-balancer.

This has been a learning experience and with a little more time we will have everything working fine.

Thanks…

[will]

yup, go the LB route. no mcast required and the ability to deploy active/active.