Firewall Wizards mailing list archives

RE: VRRP vs. Stonebeat


From: "Stefan Norberg" <stnor () sweden hp com>
Date: Tue, 21 Mar 2000 19:50:11 +0100

[snip]

To me it is pretty unclear how VRRP determines a box being "dead" to
initiate a failover. From what I know Stonebeat is very flexible in
implementing failover conditions. To make it more clear let me describe
two or three scenarios here:

1) Interface goes down
Usual failover condition. Both solutions can detect and will fail over.
Now let's assume the default gateway to the Internet is unreachable from the
Firewall but the network interface stays up (e.g. because the switch the
box is connected to has a partial failure). With Stonebeat I can ping the
default gateway for reachability and in case it is gone, independent of the
network interface status, I can initiate failover. How can VRRP handle that?

VRRP itself cannot handle that failure condition as far as I know. Personally,
I'd use some kind of dynamic routing protocol (i.e. OSPF) or HSRP to deal with
that.

2) Firewall process dies
Can VRRP detect a dead Firewall process? Here we would have functional
network connectivity, but the firewall processes on the box are gone; the
box as a firewall is not operational. From what I know Stonebeat can
detect this, VRRP cannot.


A hack would be to run some kind of shell script that monitors the FW-1
processes and, if there is a problem, tries to restart the firewall software.
If that fails, just "ifconfig eth-sXpX down" an interface that is a
"monitored circuit" for the VRRP Virtual Router, and you should see a
fail-over of the Virtual Router.

3) Proxy Server unreachable
Same as 1), but instead of the default gateway a proxy in a DMZ is
unreachable. How can VRRP detect that (remember: interface still alive)?

I do not know either of the products in detail, so please correct me if
I'm wrong.

Is this really a condition where you want to fail-over?


Hope this helps,
Stefan Norberg
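
[Editor's added example, not part of Stefan's post and not code from
Check Point, Nokia or Stonesoft: a sketch of the watchdog hack described
above, i.e. poll for the firewall daemon, try a bounded number of restarts,
and as a last resort down a VRRP "monitored circuit" interface so the
Virtual Router fails over to the peer. The daemon name (fwd), the restart
command (fwstart), the IPSO-style interface name (eth-s1p1), the interval
and the restart limit are all assumptions to be adjusted for the platform.
The process check and the decision logic are separate functions so they can
be exercised against a constructed ps listing without touching the system.]

```shell
#!/bin/sh
# Added example (not from the original post or any vendor): firewall-process
# watchdog that ties process health to VRRP by downing a monitored circuit.
# All names below are assumptions, override them from the environment:
#   FW_PROC      daemon to watch (fwd assumed)
#   FW_RESTART   command that restarts the firewall software (fwstart assumed)
#   VRRP_IF      interface configured as a VRRP monitored circuit (eth-s1p1 assumed)
FW_PROC="${FW_PROC:-fwd}"
FW_RESTART="${FW_RESTART:-fwstart}"
VRRP_IF="${VRRP_IF:-eth-s1p1}"
INTERVAL="${INTERVAL:-10}"          # seconds between checks
MAX_RESTARTS="${MAX_RESTARTS:-2}"   # restart attempts before failing over
DRY_RUN="${DRY_RUN:-0}"             # 1 = print commands instead of running them

# Return 0 if process name $1 appears in the ps listing passed as $2
# (one command name per line, as produced by 'ps -eo comm=').
fw_running_in() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# Live check against the running system.
fw_running() {
    fw_running_in "$FW_PROC" "$(ps -eo comm= 2>/dev/null)"
}

# Decide the next action from process state ($1: 1=running, 0=gone) and the
# number of restarts already attempted ($2). Prints: ok, restart or failover.
decide() {
    if [ "$1" -eq 1 ]; then
        echo ok
    elif [ "$2" -lt "$MAX_RESTARTS" ]; then
        echo restart
    else
        echo failover
    fi
}

# Run a command, or only echo it in dry-run mode.
run_cmd() {
    if [ "$DRY_RUN" -eq 1 ]; then
        echo "DRY: $*"
    else
        "$@"
    fi
}

# Last resort: take the monitored circuit down so VRRP on this box gives up
# the Virtual Router and the peer takes over.
trigger_failover() {
    logger -t fwwatch "$FW_PROC not recoverable, downing $VRRP_IF" 2>/dev/null || true
    run_cmd ifconfig "$VRRP_IF" down
}

# Main loop: restart the firewall a bounded number of times, then fail over.
# Returns 1 after failover so a supervisor can notice; the interface is left
# down on purpose, an operator brings the box back by hand.
watchdog() {
    restarts=0
    while :; do
        if fw_running; then up=1; restarts=0; else up=0; fi
        case "$(decide "$up" "$restarts")" in
            ok) ;;
            restart)
                restarts=$((restarts + 1))
                logger -t fwwatch "$FW_PROC missing, restart attempt $restarts" 2>/dev/null || true
                run_cmd "$FW_RESTART"
                ;;
            failover)
                trigger_failover
                return 1
                ;;
        esac
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as 'fwwatch.sh run'; sourcing the file
# merely defines the functions.
if [ "${1:-}" = "run" ]; then
    watchdog
fi
```

Two things to keep in mind before relying on something like this: the
script deliberately does not bring the interface back up, because an
automatic "up" after a partial recovery would make the Virtual Router flap
between the two boxes; and "ifconfig <if> down" is the IPSO/BSD spelling,
other platforms want a different command, so the DRY_RUN output should be
checked on the actual firewall first.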


