HIGH AVAILABILITY

• Dual-box solution
• Protects against “catastrophic” unit failure
  • Loss of power
    • Assumes standby device and network maintains power…
  • Software failure

    • Minimise downtime during software upgrade cycles
      • Each device is upgraded whilst other device is active
    • Both devices can be independently managed
    • X-series HA is unrelated to the Intrinsic, Transparent or Zero Power HA features on T/E-series platforms

• Active / Passive mode only
  • One unit is a cold standby monitoring the other
  • No connection state or any IPS synchronization
    • If a session is established through the primary when it fails, the entire session will fail and must be re-establis
    • VPN site-to-site and client links must be re-established
    • Routing information must be re-established for secondary
  • Passive unit can do Auto-DV updates through Internet link
• No configuration synchronization
  • Any configuration change on one device must be repeated on other
  • Cannot simply download snapshot of configuration from other device
    • Certain configuration must be unique on each device
• Certain configuration must be unique on each device

• Device pair wired “in parallel”
• Unit boots and attempts to detect Active device over network using ARP

  • If not present, unit becomes the Active device and passes traffic
  • If Active device present, unit becomes Standby device
  • Passively polls Active device and does not pass traffic
  • Becomes Active device if current Active device fails to respond to ARP polling
  • Will remain Active device unless manually forced to Standby

• Configuration
  • Pre-requisites:
    • Devices must have identical configuration
      • (except HA management IP addresses below must be unique)
    • External VI must have a static IP address
  • Connect ports for HA together either directly or via a network
    • Create tamper proof HA through dedicated back-to-back HA port connection
  • Enable HA globally
    • Optionally alter HA periodic poll timeout, retransmission period and count
  • User selects which Virtual Interfaces are used for HA monitoring and assigns each an HA Management IP address within VI subnet
  • HA Management IP address can be used to manage Standby device and as source IP for diagnostic tools such as ping, traceroute, etc.
  • GRE VIs are not used for HA

• Standby device ignores all traffic except to its HA management IP addresses
• Standby device sends HA ARP request to each virtual interface IP address which has a HA management IP address
  • Standby HA management IP address used as source IP address
  • Active learns Standby HA management IP address
• Active device replies with HA ARP response
  • Active HA management IP address used as source IP address
  • Standby learns Active HA management IP address
• If Standby does not see a response on any virtual interface
  • Standby sends gratuitous ARP for virtual interface IP addresses
  • Directly connected switches associate HA MAC address with Standby
  • Standby takes on role of Active device

• Active device performs regular traffic routing using the normal virtual interface IP addresses
• If Active device does not see HA ARP requests, it assumes either:
  • Standby device is not present
  • Peer device is also Active
    • Both devices may have been powered up disconnected and then connected
• In both cases, active device will act as Standby and start sending HA ARP requests itself
  • If peer device is Active, it will respond with HA ARP response
    • This will cause HA pre-emption on initial device
    • It will fall-back to Standby mode

• Active device can be managed using its regular virtual interface IP addresses or HA management IP addresses
  • If Active device transitions to Standby, any management session on its regular VI IP addresses will stop working
• If Active device transitions to Standby, any management session on its regular VI IP addresses will stop working
  • The HA management IP address is also pingable

    • This IP address is also used for sourcing traffic such as ping, traceroute, etc
    • Standby device management can be via the Active device
      • VPN client termination on active device
      • Site-to-site VPN connection terminated on active device
    • The HA management IP addresses can only be used for management when HA is enabled

• Standby device uses poll timer for periodic checking of Active device
• If after the wait interval, Active device has not responded to HA poll
  • Standby device will retransmit HA ARP request
    • Retry count determines number of retransmissions
• Only if Active device fails to respond on all HA IP addresses will Standby transition to Active
• It can take up to two times the poll timer for the Standby device to transition to Active
  • The default poll timer is 4 seconds
• When Standby device transitions to Active, its initial state is similar to just being powered on
  • All current IPS and Firewall state on Active device is “forgotten”
    • Includes Firewall sessions, IPS dynamically quarantined clients, etc

— David Gonzalez 2021/04/09 09:24