======HIGH AVAILABILITY======

=====Overview=====

  * Dual-box solution
  * Protects against “catastrophic” unit failure
    * Loss of power
      * Assumes standby device and network maintains power…
    * Software failure
  * Minimise downtime during software upgrade cycles
    * Each device is upgraded whilst other device is active
  * Both devices can be independently managed
  * X-series HA is unrelated to the Intrinsic, Transparent or Zero Power HA features on T/E-series platforms

=====Limitations=====

  * Active / Passive mode only
    * One unit is a cold standby monitoring the other
  * No connection state or any IPS synchronization
    * If a session is established through the primary when it fails, the entire session will fail and must be re-established
    * VPN site-to-site and client links must be re-established
    * Routing information must be re-established for secondary
    * Passive unit can do Auto-DV updates through Internet link
  * No configuration synchronization
    * Any configuration change on one device must be repeated on other
    * Cannot simply download snapshot of configuration from other device
    * Certain configuration must be unique on each device

----

=====Operation=====

{{ :3com:tippingpoint:x506:general_configuration:dsgn_215.png?direct&600 |}}

====Overview====

  * Device pair wired “in parallel”
  * Unit boots and attempts to detect Active device over network using ARP
    * If not present, unit becomes the Active device and passes traffic
    * If Active device present, unit becomes Standby device
      * Passively polls Active device and does not pass traffic
      * Becomes Active device if current Active device fails to respond to ARP polling
      * Will remain Active device unless manually forced to Standby

----

=====Configuration=====

  * Pre-requisites:
    * Devices must have identical configuration
      * (except HA management IP addresses below must be unique)
    * External VI must have a static IP address
  * Connect ports for HA together either directly or via a network
    * Create tamper proof HA through dedicated back-to-back HA port connection
  * Enable HA globally
    * Optionally alter HA periodic poll timeout, retransmission period and count
  * User selects which Virtual Interfaces are used for HA monitoring and assigns each an HA Management IP address within VI subnet
    * HA Management IP address can be used to manage Standby device and as source IP for diagnostic tools such as ping, traceroute, etc.
    * GRE VIs are not used for HA

=====CLI Configuration=====

{{ :3com:tippingpoint:x506:general_configuration:dsgn_216.png?direct&600 |}}

=====Standby Operation=====

  * Standby device ignores all traffic except to its HA management IP addresses
  * Standby device sends HA ARP request to each virtual interface IP address which has a HA management IP address
    * Standby HA management IP address used as source IP address
    * Active learns Standby HA management IP address
  * Active device replies with HA ARP response
    * Active HA management IP address used as source IP address
    * Standby learns Active HA management IP address
  * If Standby does not see a response on any virtual interface
    * Standby sends gratuitous ARP for virtual interface IP addresses
    * Directly connected switches associate HA MAC address with Standby
    * Standby takes on role of Active device

=====Active Operation=====

  * Active device performs regular traffic routing using the normal virtual interface IP addresses
  * If Active device does not see HA ARP requests, it assumes either:
    * Standby device is not present
    * Peer device is also Active
      * Both devices may have been powered up disconnected and then connected
  * In both cases, active device will act as Standby and start sending HA ARP requests itself
    * If peer device is Active, it will respond with HA ARP response
    * This will cause HA pre-emption on initial device
    * It will fall-back to Standby mode

=====Management=====

  * Active device can be managed using its regular virtual interface IP addresses or HA management IP addresses
    * If Active device transitions to Standby, any management session on its regular VI IP addresses will stop working
  * The HA management IP address is also pingable
    * This IP address is also used for sourcing traffic such as ping, traceroute, etc
  * Standby device management can be via the Active device
    * VPN client termination on active device
    * Site-to-site VPN connection terminated on active device
  * The HA management IP addresses can only be used for management when HA is enabled

=====Transitions=====

  * Standby device uses poll timer for periodic checking of Active device
  * If after the wait interval, Active device has not responded to HA poll
    * Standby device will retransmit HA ARP request
    * Retry count determines number of retransmissions
  * Only if Active device fails to respond on all HA IP addresses will Standby transition to Active
  * It can take up to two times the poll timer for the Standby device to transition to Active
    * The default poll timer is 4 seconds
  * When Standby device transitions to Active, its initial state is similar to just being powered on
    * All current IPS and Firewall state on Active device is “forgotten”
    * Includes Firewall sessions, IPS dynamically quarantined clients, etc

=====Health=====

{{ :3com:tippingpoint:x506:general_configuration:dsgn_217.png?direct&500 |}}

 --- //[[nce@itclatam.com|David Gonzalez]] 2021/04/09 09:24//
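
The boot, polling and dual-Active rules from the Standby Operation, Active Operation and Transitions sections, as an added Python model (not part of the original page and not vendor code). Class, method and interface names are hypothetical, and the retry count of 1 is an assumption.

```python
# Added illustration, not vendor code. Names are hypothetical; one "tick" is
# one HA ARP poll or retransmission, and the retry count of 1 is an assumption.
VIS = {"internal", "external"}     # constructed monitored virtual interfaces

class Unit:
    def __init__(self, retries=1):
        self.role, self.missed, self.retries = "off", 0, retries
        self.quarantined = set()   # local IPS/firewall state, never synchronised

    def replies_on(self, link_up):
        # Only an Active unit answers HA ARP requests, and only where the link is up.
        return VIS & set(link_up) if self.role == "active" else set()

    def boot(self, peer, link_up):
        # Boot-time detection: Standby if an Active peer answers, otherwise Active.
        self.role = "standby" if peer.replies_on(link_up) else "active"
        return self.role

    def poll(self, peer, link_up):
        # Standby tick: fail over only after every monitored VI stays silent past the retries.
        if self.role == "standby":
            self.missed = 0 if peer.replies_on(link_up) else self.missed + 1
            if self.missed > self.retries:
                self.role = "active"
                self.quarantined = set()   # starts as if freshly powered on
        return self.role

    def heard_no_requests(self, peer, link_up):
        # An Active unit that sees no HA ARP requests probes like a Standby;
        # a reply means the peer is also Active, so this unit falls back.
        if self.role == "active" and peer.replies_on(link_up):
            self.role = "standby"
        return self.role

def failover_demo():
    a, b = Unit(), Unit()
    roles = [a.boot(b, VIS), b.boot(a, VIS)]      # A powers on first, then B
    a.quarantined.add("192.0.2.50")               # constructed client address
    roles.append(b.poll(a, {"internal"}))         # one VI down: A still answers
    a.role = "off"                                # A loses power
    roles += [b.poll(a, VIS), b.poll(a, VIS)]     # poll, then one retransmission
    return roles, b.quarantined

def dual_active_demo():
    a, b = Unit(), Unit()
    a.boot(b, set())                              # both powered up disconnected
    b.boot(a, set())
    before = (a.role, b.role)
    return before, (a.heard_no_requests(b, VIS), b.role)   # links joined
```

After the failover, the new Active unit holds no record of the client the failed unit had quarantined, which is the state loss the Transitions section describes.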