
HIGH AVAILABILITY

Overview

  • Dual-box solution
  • Protects against “catastrophic” unit failure
    • Loss of power
      • Assumes standby device and network maintain power…
    • Software failure
  • Minimise downtime during software upgrade cycles
    • Each device is upgraded whilst other device is active
  • Both devices can be independently managed
  • X-series HA is unrelated to the Intrinsic, Transparent or Zero Power HA features on T/E-series platforms

Limitations

  • Active / Passive mode only
    • One unit is a cold standby monitoring the other
    • No connection state or any IPS synchronization
      • If a session is established through the primary when it fails, the entire session will fail and must be re-established
      • VPN site-to-site and client links must be re-established
      • Routing information must be re-established for secondary
    • Passive unit can do Auto-DV updates through Internet link
  • No configuration synchronization
    • Any configuration change on one device must be repeated on other
    • Cannot simply download snapshot of configuration from other device
      • Certain configuration must be unique on each device

Operation

Overview

  • Device pair wired “in parallel”
  • Unit boots and attempts to detect Active device over network using ARP
    • If not present, unit becomes the Active device and passes traffic
  • If Active device present, unit becomes Standby device
    • Passively polls Active device and does not pass traffic
    • Becomes Active device if current Active device fails to respond to ARP polling
    • Will remain Active device unless manually forced to Standby

Configuration

  • Configuration
    • Pre-requisites:
      • Devices must have identical configuration
        • (except HA management IP addresses below must be unique)
      • External VI must have a static IP address
    • Connect ports for HA together either directly or via a network
      • Create tamper-proof HA through dedicated back-to-back HA port connection
    • Enable HA globally
      • Optionally alter HA periodic poll timeout, retransmission period and count
    • User selects which Virtual Interfaces are used for HA monitoring and assigns each an HA Management IP address within VI subnet
    • HA Management IP address can be used to manage Standby device and as source IP for diagnostic tools such as ping, traceroute, etc.
    • GRE VIs are not used for HA

CLI Configuration

Standby Operation

  • Standby device ignores all traffic except to its HA management IP addresses
  • Standby device sends HA ARP request to each virtual interface IP address which has an HA management IP address
    • Standby HA management IP address used as source IP address
    • Active learns Standby HA management IP address
  • Active device replies with HA ARP response
    • Active HA management IP address used as source IP address
    • Standby learns Active HA management IP address
  • If Standby does not see a response on any virtual interface
    • Standby sends gratuitous ARP for virtual interface IP addresses
    • Directly connected switches associate HA MAC address with Standby
    • Standby takes on role of Active device

Active Operation

  • Active device performs regular traffic routing using the normal virtual interface IP addresses
  • If Active device does not see HA ARP requests, it assumes either:
    • Standby device is not present
    • Peer device is also Active
      • Both devices may have been powered up disconnected and then connected
  • In both cases, Active device will act as Standby and start sending HA ARP requests itself
    • If peer device is Active, it will respond with HA ARP response
      • This will cause HA pre-emption on initial device
      • It will fall-back to Standby mode

Management

  • Active device can be managed using its regular virtual interface IP addresses or HA management IP addresses
    • If Active device transitions to Standby, any management session on its regular VI IP addresses will stop working
    • The HA management IP address is also pingable
    • This IP address is also used for sourcing traffic such as ping, traceroute, etc
    • Standby device management can be via the Active device
      • VPN client termination on active device
      • Site-to-site VPN connection terminated on active device
  • The HA management IP addresses can only be used for management when HA is enabled

Transitions

  • Standby device uses poll timer for periodic checking of Active device
  • If after the wait interval, Active device has not responded to HA poll
    • Standby device will retransmit HA ARP request
      • Retry count determines number of retransmissions
  • Only if Active device fails to respond on all HA IP addresses will Standby transition to Active
  • It can take up to two times the poll timer for the Standby device to transition to Active
    • The default poll timer is 4 seconds
  • When Standby device transitions to Active, its initial state is similar to just being powered on
    • All current IPS and Firewall state on Active device is “forgotten”
      • Includes Firewall sessions, IPS dynamically quarantined clients, etc
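
The polling and transition rules from the Standby Operation, Active Operation and Transitions sections, modelled as a small state machine. This is an added example, not code from the original page or from the vendor; the retry count of 2, the VI names and the per-VI loss counts are assumptions made for the simulation.

```python
from dataclasses import dataclass, field

RETRY_COUNT = 2    # assumed; the page does not state the default
DEAD = 99          # constructed marker: every request on this VI is lost

@dataclass
class Unit:
    name: str
    role: str = "booting"
    up: bool = True                  # False models power or software failure
    history: list = field(default_factory=list)

    def answers_ha_arp(self):
        return self.up and self.role == "active"   # only a live Active replies

def poll(peer, lost):
    """VIs on which the peer answered; lost maps VI -> consecutive requests lost."""
    attempts = 1 + RETRY_COUNT       # first request plus retransmissions
    return {vi for vi, n in lost.items() if n < attempts and peer.answers_ha_arp()}

def probe(unit, peer, lost):
    """Send HA ARP requests: any reply -> Standby, silence on all VIs -> Active."""
    new_role = "standby" if poll(peer, lost) else "active"
    if new_role != unit.role:
        unit.history.append(f"{unit.role}->{new_role}")
        unit.role = new_role         # a new Active starts with no session state
    return unit.role

def run_scenarios():
    a, b = Unit("A"), Unit("B", up=False)
    healthy = {"internal": 0, "external": 0}     # constructed VI names
    out = {"a_boots_alone": probe(a, b, healthy)}
    b.up = True
    out["b_boots_with_a_active"] = probe(b, a, healthy)
    out["transient_loss"] = probe(b, a, {"internal": 2, "external": 2})
    out["one_vi_cut"] = probe(b, a, {"internal": 0, "external": DEAD})
    a.up = False
    out["a_fails"] = probe(b, a, healthy)
    a.up, a.role = True, "booting"
    out["a_returns"] = probe(a, b, healthy)      # B stays Active
    a.role = "active"                            # split brain after reconnect
    out["split_brain_a_probes"] = probe(a, b, healthy)
    return out, b.history

if __name__ == "__main__":
    results, b_history = run_scenarios()
    for name, role in results.items():
        print(f"{name}: {role}")
    print("B transitions:", b_history)
```

The `one_vi_cut` case shows that losing the Active unit on a single monitored VI does not trigger failover, because the Standby takes over only when no monitored VI answers.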

Health

David Gonzalez 2021/04/09 09:24

3com/tippingpoint/x506/general_configuration/high_availability.txt · Last modified: 2021/04/09 09:26 by dgonzalez
