Force Orion High Availability to Utilize VIP as Source IP Address

Orion High Availability (HA) is designed to provide uninterrupted access to the Orion Web Console as well as to incoming traffic (e.g. NetFlow, Syslog, Traps, Agents). For this purpose, HA allows using a Virtual IP address (VIP), a Virtual Host Name (VHN) or both, depending on the environment where HA is implemented.

From the other perspective, however, outgoing monitoring traffic can use any of the IP addresses associated with the HA pool: the VIP (if configured) or any IP address of the active pool member. That means devices have to answer polling queries (e.g. SNMP) coming from any of these three IP addresses. In many environments this poses no trouble, because devices accept traffic from any source or network access control lists are centralized and easily modified to allow these exceptions. In some cases, however, devices are locked down to a single IP address. This is typically the VIP, which was previously the IP address of the single Orion server that preceded the HA implementation. Polling from any other address then fails (packets are dropped or refused, no data is returned). Unfortunately, this behaviour results from the way the operating system (Windows) decides which IP address to use as the source, which is beyond an application's ability to control.

The Windows implementation of the TCP/IP stack provides a mechanism for letting the system know which IP addresses should be skipped during source address selection. For that purpose each IP address has a property, SkipAsSource, which can be modified on the fly and immediately affects how outgoing traffic is sent. One of the easiest ways of doing this is to use PowerShell in conjunction with Windows Task Scheduler. Below you can find an example PowerShell script which:

  1. Checks whether the VIP (in the example below '10.160.198.8') exists on the server; if it does, sets its SkipAsSource to False and at the same time sets SkipAsSource on all remaining IP addresses to True, which means Windows will use the VIP for outgoing traffic
  2. If the VIP does not exist on the server, sets SkipAsSource on all remaining IP addresses to False, which means Windows will use any of the available IP addresses for outgoing traffic

<#
.SYNOPSIS
  Script adjusts SkipAsSource setting on IP addresses.

.DESCRIPTION
  Adjusting the SkipAsSource setting on IP addresses lets Windows direct outgoing traffic using, as the source, the IP address for which SkipAsSource is set to False.

.INPUTS
  None

.OUTPUTS
  None

.NOTES
  Version: 1.0
  Author: Mariusz Handke
  Creation Date: 2018-08-31
  Purpose/Change: Initial release
#>

# The HA Virtual IP address (VIP) that should be the only source address while this server is active
$VIP = "10.160.198.8"

# Collect every IPv4 address currently assigned to the server's network adapters
$IPS = Get-NetAdapter | Get-NetIPAddress -AddressFamily IPv4 | ForEach-Object { $_.IPAddress }

# -contains is an exact string comparison; a regex -match would treat '.' as a wildcard
# and also accept addresses such as '10.160.198.88'
If ($IPS -contains $VIP) {
  # VIP is present, so this is the active pool member: skip every address as source...
  foreach ($IP in $IPS) {
    Set-NetIPAddress -IPAddress $IP -SkipAsSource $True
  }
  # ...then re-enable only the VIP so outgoing traffic leaves from it
  Set-NetIPAddress -IPAddress $VIP -SkipAsSource $False
} Else {
  # VIP is absent (standby member, or failover in progress): allow every address as source again
  foreach ($IP in $IPS) {
    Set-NetIPAddress -IPAddress $IP -SkipAsSource $False
  }
}

Implementing it as a permanently running solution:
  1. Save the above script to a file on the server (e.g. C:\Orion_HA_set_IP_addresses.ps1)
  2. Using Windows Task Scheduler, create a simple task which executes the above script on a recurring schedule. Be aware that the shortest repetition interval at which the script can be executed is every five minutes; if you require more frequent execution, simply create multiple triggers within the task (e.g. 00:00, 00:01, 00:02, 00:03, 00:04, each repeated every 5 minutes, resulting in execution every minute)
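The same two steps can be scripted instead of clicked through in the Task Scheduler UI. The following is an added example and is not part of the original article; it assumes the script was saved as C:\Orion_HA_set_IP_addresses.ps1 (the example path above) and uses the task name 'Orion HA SkipAsSource', which is a placeholder of my choosing. It registers the five one-minute-offset triggers, each repeating every five minutes, so the task fires every minute, and then lists the triggers so the schedule can be verified.

```powershell
# Added example (not from the original article): registers the five-trigger scheduled
# task with the ScheduledTasks module. Assumptions: the script lives at $ScriptPath and
# the task name is free; both are placeholders.
$ScriptPath = 'C:\Orion_HA_set_IP_addresses.ps1'
$TaskName   = 'Orion HA SkipAsSource'

# Run the script non-interactively. -ExecutionPolicy Bypass applies to this invocation only;
# because the task runs as SYSTEM, keep the script file writable by administrators only.
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
  -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

# Task Scheduler's minimum repetition is 5 minutes, so create five triggers starting one
# minute apart (00:00 .. 00:04 today), each repeating every 5 minutes: one run per minute.
# A 10-year duration is effectively indefinite and is accepted by every Windows build,
# whereas [TimeSpan]::MaxValue is rejected by some.
$Midnight = (Get-Date).Date
$Triggers = 0..4 | ForEach-Object {
  New-ScheduledTaskTrigger -Once -At $Midnight.AddMinutes($_) `
    -RepetitionInterval (New-TimeSpan -Minutes 5) `
    -RepetitionDuration (New-TimeSpan -Days 3650)
}

# Set-NetIPAddress needs administrative rights; LocalSystem has them and needs no stored password.
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Do not stack instances if a run is slow, and kill a hung run well before the next minute.
$Settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
  -ExecutionTimeLimit (New-TimeSpan -Minutes 2) -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Triggers `
  -Principal $Principal -Settings $Settings -Force

# Verification: five rows, one StartBoundary per minute, each with a PT5M repetition interval.
(Get-ScheduledTask -TaskName $TaskName).Triggers |
  Select-Object StartBoundary, @{ n = 'Interval'; e = { $_.Repetition.Interval } }
```

Run this once, as an administrator, on both pool members: the script itself decides what to do based on whether the VIP is present, so the task definition is identical on the active and the standby server.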

Script Behaviour description:

  1. When the HA pool is set up with a VIP and the pool is enabled, the HA service assigns the VIP to the network interface card (NIC) of the active server
  2. At this point all IP addresses have their SkipAsSource set to False
  3. When the script executes, it adjusts the SkipAsSource property of the IP addresses, resulting in the active server sending traffic with the VIP as source
  4. When failover occurs, the HA service removes the VIP from the server, resulting in a short period of outgoing traffic failure because the remaining IP addresses are set to be skipped
  5. When the script executes again (the quicker the better), the failover process completes, as the remaining IP addresses are now available for outgoing traffic
  6. At this point HA completes the process, letting the standby server take over, from which point the process repeats from step 1
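Because the states above change silently, it helps to be able to confirm which state a server is in and which source address the stack will actually pick for a polled device. The check below is an added example, not part of the original article; it reuses the VIP from the script above and assumes 10.160.198.50 as a placeholder for a monitored device's address. Find-NetRoute asks Windows for the source address and route it would select for that destination, which is the same decision the polling traffic is subject to.

```powershell
# Added example (not from the original article): report SkipAsSource state and the source
# address Windows would choose toward a polled device. Assumptions: $VIP matches the
# value in the SkipAsSource script; $Device is a placeholder device address.
$VIP    = '10.160.198.8'
$Device = '10.160.198.50'

# Current SkipAsSource state of every IPv4 address on the server's adapters.
# On the active server, after the script has run, exactly one row (the VIP) should be False.
Get-NetAdapter | Get-NetIPAddress -AddressFamily IPv4 |
  Select-Object InterfaceAlias, IPAddress, SkipAsSource |
  Format-Table -AutoSize

# Is the VIP assigned here? Absence means standby member or failover in progress.
$HasVip = $null -ne (Get-NetIPAddress -AddressFamily IPv4 -IPAddress $VIP -ErrorAction SilentlyContinue)

# Find-NetRoute returns the selected NetIPAddress object followed by the matching route;
# keep the object that carries an IPAddress property.
$Selected = Find-NetRoute -RemoteIPAddress $Device |
  Where-Object { $_.IPAddress } | Select-Object -First 1
$Source = $Selected.IPAddress

# Compare the observed choice with the state the behaviour description expects
if (-not $HasVip) {
  "VIP $VIP not present: standby member (or failover in progress); traffic to $Device leaves from $Source"
} elseif ($Source -ne $VIP) {
  Write-Warning "VIP $VIP is assigned but traffic to $Device would leave from $Source; the SkipAsSource script has not run since the VIP was added"
} else {
  "OK: traffic to $Device leaves from the VIP $Source"
}
```

Running this on the active server right after a failover, before the scheduled task has fired, shows the window described in steps 4 and 5: the VIP is present but the warning branch fires until the next run of the script flips SkipAsSource.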
