New 9.3.0 beta 1 with HA [message #145381] Wed, 27 March 2019 17:04
giampos
Messages: 78
Registered: May 2005
Has someone downloaded and tested this beta with high availability (cluster)?
Re: New 9.3.0 beta 1 with HA [message #145383 is a reply to message #145381] Wed, 27 March 2019 20:15
Columbia
Messages: 192
Registered: August 2014
Location: Moscow
I have installed for testing. Everything looks good initially. Will dive into the clustering functionality later when I have more free time or in productivity.
Re: New 9.3.0 beta 1 with HA [message #145403 is a reply to message #145381] Fri, 29 March 2019 20:07
billybob
Messages: 27
Registered: October 2018
I am running it in a VM and it looks good initially. HA is probably more suited for deployments with hardware appliances that can't afford any downtime. Since I upgraded to 9.2.9, with swap enabled my Kerio has been really stable.
As I mentioned in the Kerio Google group, I haven't had a chance to test clustering but will probably test it this weekend.

Regards
Bill
Re: New 9.3.0 beta 1 with HA [message #145417 is a reply to message #145403] Tue, 02 April 2019 15:50
lessore
Messages: 45
Registered: October 2010
Location: Munich
Hi everyone,

I just tested HA with two identical hardware boxes (not Kerio NG series). Configuration went smoothly and the slave box was able to take over and routed my test clients to the internet (the master was shut down before).
But I am not able to log in to the slave box to check if the configuration sync is working correctly. Before the HA sync configuration I also created a second admin user, and this user is also not able to log in to the slave Kerio Control unit.
Are there any ways to troubleshoot what is going wrong during the configuration sync?

Regards
Re: New 9.3.0 beta 1 with HA [message #145418 is a reply to message #145417] Tue, 02 April 2019 15:58
billybob
Messages: 27
Registered: October 2018
Did you try using the virtual IP or the IP of Kerio Control? I think there are still a few things that need to be ironed out before the final release.
I was having issues logging in when I first created the cluster but then I was able to go and change settings using the IP address of Kerio Control and manage each firewall without problems.

Since nobody else is testing this besides you and me, go ahead and give your feedback directly at https://groups.google.com/forum/#!category-topic/gfi-insider/gfi-insider-announcements/Ga57VzCOs8Q

Regards
Bill
Re: New 9.3.0 beta 1 with HA [message #145419 is a reply to message #145417] Tue, 02 April 2019 15:59
ian.bugeja
Messages: 238
Registered: March 2017
Location: Malta
Hi

This issue has been identified and fixed (will be available in 9.3 release soon). Can you try re-enabling HA on the master to see if you can access the slave?


Regards


Ian Bugeja
GFI Software
Re: New 9.3.0 beta 1 with HA [message #145421 is a reply to message #145419] Tue, 02 April 2019 16:51
lessore
Messages: 45
Registered: October 2010
Location: Munich
Hello guys,

After re-enabling the HA setup I have access to the slave. All settings and configurations are synced correctly.
Many thanks for your assistance.

[Updated on: Tue, 02 April 2019 16:51]

Re: New 9.3.0 beta 1 with HA [message #145442 is a reply to message #145421] Thu, 04 April 2019 14:44
lessore
Messages: 45
Registered: October 2010
Location: Munich
Hi,
Just a last question.
Should HA also sync the licence information? In my test, only the licence information was not synced from the master Kerio Control. Do we need a special HA licence or something like that?

regards
lessore
Re: New 9.3.0 beta 1 with HA [message #145443 is a reply to message #145442] Thu, 04 April 2019 14:56
ian.bugeja
Messages: 238
Registered: March 2017
Location: Malta
The same license can be used on both boxes. You can apply it manually.



Ian Bugeja
GFI Software
Re: New 9.3.0 beta 1 with HA [message #145450 is a reply to message #145443] Fri, 05 April 2019 09:34
JeriMind
Messages: 12
Registered: March 2016
If the modem is directly connected to Kerio Control, how must it be connected for failover?
Re: New 9.3.0 beta 1 with HA [message #145457 is a reply to message #145450] Fri, 05 April 2019 21:27
ian.bugeja
Messages: 238
Registered: March 2017
Location: Malta
It depends on the type of modem. If the modem has multiple Ethernet ports you can link directly to Control; otherwise you need a switch.



Ian Bugeja
GFI Software
Re: New 9.3.0 beta 1 with HA [message #145492 is a reply to message #145457] Wed, 10 April 2019 00:35
robinbateman
Messages: 160
Registered: April 2012
Location: Oxford(ish) UK

Hi All

I managed to find on the GFI site the guide to setting up the new HA option of Control

https://manuals.gfi.com/en/kerio/control/content/high-availability/high-availability-overview.htm?Highlight=high%20availability

Looking at the network diagram it only shows one internet connection

Can you please confirm that this HA configuration will also work with multiple internet (WAN) connections (all our installations have two interfaces and some three)

If the set up only works with one internet connection this does not appear to be a very good solution as you swap the ability to have redundant internet connections with the option to have redundant Control boxes and (IMHO) you are more likely to lose an internet connection than a Control box


Robin Bateman
One Red Mouse
Blog: http://bit.ly/OWjcGL
Re: New 9.3.0 beta 1 with HA [message #145507 is a reply to message #145492] Wed, 10 April 2019 13:25
ian.bugeja
Messages: 238
Registered: March 2017
Location: Malta
Yes, it can work with multiple WAN links.

Ian Bugeja
GFI Software
Re: New 9.3.0 beta 1 with HA [message #145516 is a reply to message #145507] Wed, 10 April 2019 19:56
robinbateman
Messages: 160
Registered: April 2012
Location: Oxford(ish) UK

Hi Ian

Thanks for the reply

Can you explain how this works with multiple PPPoE connections, please?

Also, considering the network diagram on the previously mentioned link, there is only one WAN side switch so it appears that you have swapped the single point of failure from the Firewall to the network switch


Robin Bateman
One Red Mouse
Blog: http://bit.ly/OWjcGL
Re: New 9.3.0 beta 1 with HA [message #145532 is a reply to message #145516] Thu, 11 April 2019 18:19
nhoague
Messages: 503
Registered: April 2010
Location: Lakewood, CO
Hey all! Long time since I've had anything to post here, but the new Kerio Control 9.3 with HA is worth a post! First and foremost, thank you Kerio for beginning work on this! I say beginning work, because I don't think it's bulletproof yet. Here are my experiences:

1) Our NG500 has about 15 VLANs and a huge list of traffic rules. Per your webinar, the guy began with a very basic configuration and everything just magically worked. Fair enough. However, I found it best to restore from a full backup to our spare NG500 so that all of the interfaces would have the same names and IP configuration. That said, I read that interfaces wouldn't sync with the HA setup. So if I were to create a new VLAN, I assume I would have to duplicate that effort on the spare box. Not a big deal, at first, but I think that's something that should be considered.

2) The error message about the HA sync interface not having an assigned IP is misleading. Rather, I realized that I would always get that message UNLESS both NG500s were connected on the HA interface port.

3) Now here is a weird behavior. We had the WAN set up as multiple internet links with load balancing. Anytime I would make a config change on the MASTER, regardless of whether it was a user added or a traffic rule modified, the SLAVE would act as if it was rebooting. I would lose ping and webadmin for about 20 seconds, then be prompted with the login screen for the SLAVE. But if I changed the WAN ports to single internet link, this would not happen. Odd?

4) Now, the most important part. After changing the WAN port to single I could make changes and see the sync progress work OK. So that's cool. BUT, we own a full /24 block of IPs, and the WAN is supplied by BigLeaf. Regardless of /24 or /30, wouldn't the WAN ports need to have the same public IP configured? This causes a problem in that the SLAVE would bring the WAN interface up, thereby creating a duplicate IP situation with the ISP, and since the virtual LAN IP is disabled because the SLAVE is in slave mode, traffic wouldn't flow. Then after some time the MASTER would reconnect to the WAN and traffic flows. In the HA config you mention choosing the interfaces and supplying the virtual IP. Well, I can only put one IP in the virtual IP. I have 254. How do I do that?!

4a) Expected behavior: like other firewalls that do HA, the SLAVE disables all local ports (WAN and LAN, except for the HA port) until they are needed. So ideally, the WAN port(s) should be disabled unless the SLAVE determines it needs to go active. Right?

So to summarize, HA is awesome to begin work on. I can't wait until it's bulletproof ... that said, if I'm missing something please enlighten me! Things that need work: adding interfaces (such as VLANs to the SLAVE configuration), why the hiccup and restart of network services, and the WAN redundancy. Oh and btw, in your screenshots for the manual your WAN ports have two different public IPs. That makes sense, but what about us companies that host multiple servers internally? We can't tell our users to access mail on a different IP, or even have a round robin DNS as it would time out every 4th attempt?

Thank you so much for your hard work on this, and please contact me for more comments, or to assist me, in the event I'm totally overlooking something! (303) 586-5745 ext 103. Thank you!