9 High Availability

HA issues

The following points should be kept in mind when managing and configuring an HA cluster.

All cluster interfaces need IP addresses

All interfaces on both HA cluster units should have a valid private IP address object assigned to them. The predefined IP object local host could be assigned for this purpose. The requirement to assign an address is true even if an interface has been disabled.

SNMP

SNMP statistics are not shared between master and slave. SNMP managers have no failover capabilities. Therefore both security gateways in a cluster need to be polled separately.

Logging

Log data will be coming from both master and slave. This means that the log receiver will have to be configured to receive logs from both. It also means that all log queries will likely have to include both master and slave as sources which will give all the log data in one result view. Normally, the inactive unit will not be sending log entries about live traffic so the output should look similar to that from a single security gateway.

Using private individual IP addresses

The unique individual IP addresses of the master and slave cannot safely be used for anything but management. Using them for anything else, such as for source IPs in dynamically address translated connections or publishing services on them, will inevitably cause problems since unique IPs will disappear when the security gateway they belong to does.

Changing the cluster ID

Changing the cluster ID in a live environment is not recommended for two reasons. First, this will change the hardware address of the shared IPs and will cause problems for all units attached to the local LAN, as they will keep the old hardware address in their ARP caches until it times out. Such units would have to have their ARP caches flushed.

Second, this breaks the connection between the security gateways in the cluster for as long as they are using different configurations. This will cause both gateways to go active at the same time.

HA limitations with IPsec

Established IPsec tunnels are preserved during an HA failover. However, the IKE negotiation phase of tunnel setup is not preserved by a failover. In this case, the tunnel will need to be set up again from the beginning.
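
The Logging and cluster ID notes above can be combined into one check, shown here as an added example that is not part of the product documentation: it merges log lines from both units into a single time-ordered view and flags time windows in which both units logged live traffic, which would indicate that both gateways are active at once. The log line format, the unit names gw-master and gw-slave, and the CONN category are assumptions made for this illustration.

```python
from datetime import datetime, timedelta

# Assumption: log categories that mean a unit is handling live traffic.
TRAFFIC_CATEGORIES = {"CONN"}
EPOCH = datetime(1970, 1, 1)

# Constructed sample lines, one list per log source (not real gateway output).
# Assumed format: "<ISO timestamp> <unit> <category> <message>"
MASTER_LOG = [
    "2024-05-01T10:00:01 gw-master CONN open 10.0.0.5 -> 192.0.2.10:443",
    "2024-05-01T10:00:20 gw-master SYSTEM ha_peer_alive",
    "2024-05-01T10:05:03 gw-master CONN open 10.0.0.7 -> 192.0.2.10:443",
]
SLAVE_LOG = [
    "2024-05-01T10:00:05 gw-slave SYSTEM ha_peer_alive",
    "2024-05-01T10:05:10 gw-slave CONN open 10.0.0.9 -> 192.0.2.20:25",
]


def parse(line):
    """Split one log line into (timestamp, unit, category, message)."""
    ts, unit, category, message = line.split(" ", 3)
    return datetime.fromisoformat(ts), unit, category, message


def merged_view(*sources):
    """Combine the logs of all cluster units into one time-ordered view."""
    entries = [parse(line) for src in sources for line in src if line.strip()]
    return sorted(entries, key=lambda e: e[0])


def dual_active_windows(entries, window_seconds=60):
    """Return start times of fixed windows in which more than one unit logged
    live traffic. Events straddling a window boundary are not correlated."""
    seen = {}
    for ts, unit, category, _ in entries:
        if category not in TRAFFIC_CATEGORIES:
            continue  # heartbeat and system messages are expected from both
        offset = int((ts - EPOCH).total_seconds())
        seen.setdefault(offset - offset % window_seconds, set()).add(unit)
    return [EPOCH + timedelta(seconds=b)
            for b, units in sorted(seen.items()) if len(units) > 1]


if __name__ == "__main__":
    view = merged_view(MASTER_LOG, SLAVE_LOG)
    for ts, unit, category, message in view:
        print(ts.isoformat(), unit, category, message)
    print("both units active in:", dual_active_windows(view))
```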