Build a cluster

This section describes how to build an ASMS HA or DR cluster, starting with the primary appliance. Data from the local or primary appliance is copied to the secondary or remote appliance during the build process.

Note: ASMS supports building a high availability architecture on the central manager as well as on geographic distribution nodes.

For details, see;

Note: The amount of time the build process requires is dependent on the size of the database and the monitoring directory, and may be significant.

Verify cluster connectivity

If communication between the primary and secondary appliances goes through a firewall, make sure to allow traffic between their defined communication ports and services in both directions.

For more details, see Required port connections.

Important: For HA clusters, you must not make any changes to the iptables service.

This service is crucial to the communication between the nodes, and any manual changes may compromise the environment.


HA clusters only: Add a second interface

Before building an HA cluster deployed as a virtual appliance, configure the VM hardware to add a second interface.

Do the following:

  1. Access the VM configuration for the VM hardware.

  2. Add a second network adapter, and enable it as Connected.

    For example:

  3. Verify your interface configuration.

    As user root, run: ifconfig -a

    A list of all detected interfaces is displayed. Compare your interfaces to ensure that they are configured as needed.

    Note: You do not need to configure an IP address on the second interface. This will be configured when you build the cluster.

Continue with Build an ASMS HA or DR cluster.


Build an ASMS HA or DR cluster

This procedure describes how to build an ASMS HA or DR cluster, or to rebuild one with default parameters.

Do the following:

  1. Licenses: Before building a cluster, make sure licenses are installed on primary and secondary nodes. See Install license to an HA/DR cluster.

  2. If you are configuring an HA cluster on AlgoSec Hardware Appliances by connecting the appliances via network cable, connect one end of a crossover cable to the ETH1 port on each appliance.

    Tip: Connecting via network cable helps to ensure that failover does not occur due to network connection issues.

  3. From the appliance that will be the primary node, connect to the ASMS Administration Interface. For details, see Connect to and Utilize the Administration Interface.

  4. In the Administration Interface, enter 13. The following prompt appears:

    *HA/DR is not configured*

    Please select an item or enter "a" to abort:

    1. Build HA cluster

    2. Build DR cluster

    3. Collect Logs

    Your choice:

  5. Enter the number for the option you want to continue with, and then continue with the wizard as prompted. The primary appliance is always the local machine.

    HA clusters

    Enter the following details, as prompted:

    • The cluster's virtual IP address and the virtual IP's subnet mask.

    • The primary appliance's eth1 IP address.

    • The secondary appliance's IP address, ping node IP address, root password, and node name.

    • The secondary appliance's eth1 IP address.

    • The witness machine IP address (ping node address).

      Tip: Select a ping node that reflects the local appliance's connectivity, and is reachable exclusively from that interface. We recommend selecting switches and routers for this purpose. Do not select the local or remote appliance, or a workstation.

    • The subnet mask for the primary and secondary appliances.

    • The subnet mask for the eth1 of the primary and secondary appliances.

    DR clusters

    Enter the following details, as prompted:

    • The primary machine's IP address and node name.

    • The DR primary machine's IP address, root password and node name.

    A summary of the primary and secondary appliances' information appears and you are prompted to confirm the details.

  6. Enter y to confirm the summary.

    The system begins to build the cluster. This may take some time, depending on the amount of ASMS data.

    When complete, a success message appears with the cluster status, and an email confirmation is sent to the administrator email.

    Tip: If initial synchronization results in an Rsync error, we recommend selecting option 2: Continue despite rsync failure. Synchronization should succeed the second time.

  7. Optional: Customize HA/DR parameters. For details, see Configure HA/DR parameters.
  8. On the Central Manager, go to Administration > Architecture tab:
    1. Select the Remote Agent from the list and click Edit.
    2. Change the IP of the Remote Agent to the virtual IP address of the Remote Agent cluster.
    3. Click OK.
  9. If your machine is now part of an HA cluster, you'll need to also update the appliance's IP address in other systems that send data to ASMS.

Note: Report synchronization from the primary appliance to the secondary appliance is based on NAS configuration. Reports are only synched to the secondary appliance if NAS is not configured.
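
The HA details entered in step 5 can be checked for consistency before starting the wizard. The following is an added example, not AlgoSec code: the key names and sample addresses are hypothetical, and it assumes that because the wizard takes a single subnet mask for both appliances and a single mask for both eth1 interfaces, each pair shares a subnet.

```python
import ipaddress

# Hypothetical key names for the values the HA wizard prompts for.
ADDRESS_KEYS = ("virtual_ip", "primary_ip", "secondary_ip",
                "primary_eth1", "secondary_eth1", "ping_node")


def same_subnet(addr_a, addr_b, mask):
    """True when both addresses fall in the same network under `mask`."""
    net = ipaddress.ip_network(f"{addr_a}/{mask}", strict=False)
    return ipaddress.ip_address(addr_b) in net


def check_ha_plan(plan):
    """Return a list of problems in the answers prepared for the wizard."""
    problems = []
    addrs = {k: ipaddress.ip_address(plan[k]) for k in ADDRESS_KEYS}

    # Assumption: one mask per pair means each pair shares a subnet.
    if not same_subnet(plan["primary_ip"], plan["secondary_ip"], plan["node_mask"]):
        problems.append("primary_ip and secondary_ip are in different subnets")
    if not same_subnet(plan["primary_eth1"], plan["secondary_eth1"], plan["eth1_mask"]):
        problems.append("eth1 addresses are in different subnets")

    # The ping node must not be the local or remote appliance.
    appliance = {addrs[k] for k in ADDRESS_KEYS if k != "ping_node"}
    if addrs["ping_node"] in appliance:
        problems.append("ping_node is one of the appliances' own addresses")

    # No address may be entered for two different roles.
    seen = {}
    for key in ADDRESS_KEYS:
        if key != "ping_node" and addrs[key] in seen:
            problems.append(f"{key} duplicates {seen[addrs[key]]}")
        seen.setdefault(addrs[key], key)
    return problems


# Constructed sample answers (documentation address ranges, not real hosts).
SAMPLE_PLAN = {
    "virtual_ip": "192.0.2.10", "primary_ip": "192.0.2.11",
    "secondary_ip": "192.0.2.12", "node_mask": "255.255.255.0",
    "primary_eth1": "198.51.100.1", "secondary_eth1": "198.51.100.2",
    "eth1_mask": "255.255.255.252", "ping_node": "192.0.2.1",
}

if __name__ == "__main__":
    for line in check_ha_plan(SAMPLE_PLAN) or ["plan looks consistent"]:
        print(line)
```

An empty result means only that the addresses are mutually consistent; whether the ping node is a switch or router rather than a workstation still has to be confirmed by hand.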
