Bug 121173 - Unable to enable HA using southbound IPs - latest 22.1.4 (056d3fc)
Customer using south bound IP to enable HA , after the upgrade to Dec 2024 release we have seen issues that port 5432 is not reachable while enabling HA using south bound IP . .
Please follow the below workaround for this issue.
Workaround 1:-
=================
Step 1:-
On Primary director:-
> Update the iptables of Northbound ip of primary director and southbound ip's of both directors with the ports 22,4566,4570 & 5432
sudo iptables-save > /tmp/iptable
sudo vi /tmp/iptable
-A VNMSHA -s <Northbound ip of primary director /32> -p -m tcp --dport 22 -j ACCEPT
-A VNMSHA -s <Northbound ip of primary director /32> -p -m tcp --dport 4566 -j ACCEPT
-A VNMSHA -s <Northbound ip of primary director /32> -p -m tcp --dport 4570 -j ACCEPT
-A VNMSHA -s <Northbound ip of primary director /32> -p -m tcp --dport 5432 -j ACCEPT
-A VNMSHA -s <southbound ip of primary director /32> -p -m tcp --dport 22 -j ACCEPT
-A VNMSHA -s <southbound ip of primary director /32> -p -m tcp --dport 4566 -j ACCEPT
-A VNMSHA -s <southbound ip of primary director /32> -p -m tcp --dport 4570 -j ACCEPT
-A VNMSHA -s <southbound ip of primary director /32> -p -m tcp --dport 5432 -j ACCEPT
-A VNMSHA -s <southbound ip of secondary director /32> -p -m tcp --dport 22 -j ACCEPT
-A VNMSHA -s <southbound ip of secondary director /32> -p -m tcp --dport 4566 -j ACCEPT
-A VNMSHA -s <southbound ip of secondary director /32> -p -m tcp --dport 4570 -j ACCEPT
-A VNMSHA -s <southbound ip of secondary director /32> -p -m tcp --dport 5432 -j ACCEPT
>write the file and exit
On Secondary director:-
> Update the iptables of both Northbound ip's and southbound ip's of the directors with the ports 22,4566,4570 & 5432
-A VNMSHA -s <Northbound ip of primary director /32> -p -m tcp --dport 22 -j ACCEPT
-A VNMSHA -s <Northbound ip of primary director /32> -p -m tcp --dport 4566 -j ACCEPT
-A VNMSHA -s <Northbound ip of primary director /32> -p -m tcp --dport 4570 -j ACCEPT
-A VNMSHA -s <Northbound ip of primary director /32> -p -m tcp --dport 5432 -j ACCEPT
-A VNMSHA -s <southbound ip of primary director /32> -p -m tcp --dport 22 -j ACCEPT
-A VNMSHA -s <southbound ip of primary director /32> -p -m tcp --dport 4566 -j ACCEPT
-A VNMSHA -s <southbound ip of primary director /32> -p -m tcp --dport 4570 -j ACCEPT
-A VNMSHA -s <southbound ip of primary director /32> -p -m tcp --dport 5432 -j ACCEPT
-A VNMSHA -s <Northbound ip of secondary director /32> -p -m tcp --dport 22 -j ACCEPT
-A VNMSHA -s <Northbound ip of secondary director /32> -p -m tcp --dport 4566 -j ACCEPT
-A VNMSHA -s <Northbound ip of secondary director /32> -p -m tcp --dport 4570 -j ACCEPT
-A VNMSHA -s <Northbound ip of secondary director /32> -p -m tcp --dport 5432 -j ACCEPT
-A VNMSHA -s <southbound ip of secondary director /32> -p -m tcp --dport 22 -j ACCEPT
-A VNMSHA -s <southbound ip of secondary director /32> -p -m tcp --dport 4566 -j ACCEPT
-A VNMSHA -s <southbound ip of secondary director /32> -p -m tcp --dport 4570 -j ACCEPT
-A VNMSHA -s <southbound ip of secondary director /32> -p -m tcp --dport 5432 -j ACCEPT
>write the file and exit
Step 2:-
Run this command on both the directors before enabling HA
white true; do sudo iptable-restore < /tmp/iptable ; sleep 1; done
once you run this command enable HA from UI
Step 3:-
After HA is enabled successfully then run the below command on both the directors
sudo /etc/init.d/netfilter-presistent save
To check the iptables for new entries
sudo iptables -L --line-numbers
Workaround 2:-
==================
Enable HA using North bound ip address instead of south bound ip's.
