Mukesh Chanderia

Palo Alto HA

Updated: Feb 22, 2022

HIGH AVAILABILITY


Pre-Requisites:


- Same hardware model and the same PAN-OS software version

- Same interfaces (same type and number, including the ports used for HA)

- Same licenses on both units

- Only the configuration is synchronized [not the date, time zone, hostname, management interface settings or the HA settings themselves]


Note: If preemption is enabled, link and path monitoring must be enabled on the preferred (active) unit, because that unit takes the active role back as soon as it is healthy again.

If preemption is disabled, link and path monitoring must be enabled on both units, because whichever unit is currently active keeps the role until it fails. HA settings, including monitoring, are not synchronized between peers, so configure them on each unit; enabling monitoring on both units is the safe choice in either case.


ACTIVE/PASSIVE


Both firewalls share the same configuration settings.

One firewall is active and the other is passive (standby).

Device priority is taken into account when deciding the active and standby roles.

The lowest priority value is preferred [default is 100].

Supported in Virtual Wire, Layer 2 and Layer 3 deployments.

HA1 and HA2 links are required.

You may make configuration changes on the passive unit as well; on commit they are automatically synchronized to the active unit.


ACTIVE/ACTIVE


Both firewalls remain in the active state and both maintain a session table.

Supported in Virtual Wire and Layer 3 deployments only.

Does not load balance traffic, although you can load share by steering traffic to each peer (routing, floating IPs or ARP load sharing).

Session setup device - Layer 2 to Layer 4 processing.

Session owner - Layer 7 processing (App-ID, Content-ID and threat inspection) and the Traffic logs for the session.

HA1, HA2 and HA3 links are required.


Note: In Active/Active each firewall needs its own, different IP address on every data interface. For redundancy you therefore configure floating IP addresses, which move to the surviving peer on failover.


HA3 Interface


HA3 carries packets between the active/active peers for session setup and for Layer 7 inspection (App-ID, Content-ID, and threat inspection) of asymmetrically routed sessions. The interface you use must be a dedicated Layer 2 interface set to Interface Type HA.


Session Owner Selection


The session owner is responsible for all Layer 7 inspection (App-ID and Content-ID) for the session and for generating all Traffic logs for the session. Select one of the following options to specify how the session owner of a packet is determined:


First Packet — The firewall that receives the first packet in a session becomes the session owner. This is the best-practice configuration because it minimizes traffic across HA3 and distributes the data plane load across the peers.


Primary Device — The active-primary firewall owns all sessions. If the active-secondary firewall receives the first packet, it forwards all packets requiring Layer 7 inspection to the active-primary firewall over the HA3 link.


The session setup device (Layer 2 to Layer 4 processing) is selected separately under Session Setup, where IP Modulo, IP Hash, Primary Device and First Packet are available:


IP Modulo — The firewall that sets up the session is chosen by the parity of the source IP address.


IP Hash — The firewall that sets up the session is chosen by a hash of the source IP address (or of the source and destination addresses).


(Choosing which firewall answers an ARP request by the parity or hash of the requester's IP address is the separate ARP Load Sharing option of a virtual address, not a session setup setting.)




Floating IP Address Priority

Device 0 Priority—Set the priority for the firewall with Device ID 0 to determine which firewall will own the floating IP address.


Device 1 Priority—Set the priority for the firewall with Device ID 1 to determine which firewall will own the floating IP address.


The firewall with the lowest value has the highest priority and owns the floating IP address while it is healthy; on failover the address moves to the peer.
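As an added worked example (not part of the original post), the following Python script simulates the session owner and session setup choices above on a constructed set of flows, counts how many flows would have to cross HA3 because the setup device and the owner differ, and shows how the Device 0 / Device 1 priority decides floating IP ownership. The IP Hash function used here is an assumption (PAN-OS does not publish its hash), the PRIMARY_DEVICE constant and the tie-break rule in floating_ip_owner are assumptions, and the flows are constructed.

```python
import hashlib
import ipaddress
from collections import Counter
from dataclasses import dataclass

PRIMARY_DEVICE = 0  # Device ID of the active-primary firewall (assumption for this example)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    arrives_at: int  # Device ID (0 or 1) whose interface saw the first packet


def session_setup_device(flow: Flow, algorithm: str) -> int:
    """Device ID that performs Layer 2-4 session setup for this flow."""
    if algorithm == "ip-modulo":
        return int(ipaddress.ip_address(flow.src)) % 2  # parity of the source IP
    if algorithm == "ip-hash":
        # PAN-OS does not publish its hash; SHA-256 of the source IP stands in (assumption).
        return hashlib.sha256(flow.src.encode()).digest()[-1] % 2
    if algorithm == "primary-device":
        return PRIMARY_DEVICE
    if algorithm == "first-packet":
        return flow.arrives_at
    raise ValueError(f"unknown session setup algorithm: {algorithm}")


def session_owner(flow: Flow, policy: str) -> int:
    """Device ID that does the Layer 7 work (App-ID, Content-ID, threat) and writes the Traffic log."""
    if policy == "first-packet":
        return flow.arrives_at
    if policy == "primary-device":
        return PRIMARY_DEVICE
    raise ValueError(f"unknown session owner policy: {policy}")


def ha3_crossings(flows, setup_algorithm, owner_policy):
    """Return (number of flows forwarded over HA3, Layer 7 load per Device ID).

    A flow crosses HA3 whenever the setup device and the owner differ: setup
    happens on one peer and the packets then go to the owner for L7 inspection.
    """
    crossings = 0
    owner_load = Counter()
    for f in flows:
        setup = session_setup_device(f, setup_algorithm)
        owner = session_owner(f, owner_policy)
        owner_load[owner] += 1
        if setup != owner:
            crossings += 1
    return crossings, dict(owner_load)


def floating_ip_owner(device0_priority: int, device1_priority: int, failed=()) -> int:
    """Lowest priority value wins the floating IP; a failed peer is skipped.
    Ties go to Device 0 here (assumption; the post does not state the real tie-break)."""
    candidates = [(p, d) for d, p in ((0, device0_priority), (1, device1_priority)) if d not in failed]
    if not candidates:
        raise RuntimeError("both peers down: the floating IP has no owner")
    return min(candidates)[1]


# Constructed sample: eight flows whose first packets hit the peers in blocks of two.
SAMPLE_FLOWS = [
    Flow("10.1.1.10", "203.0.113.5", arrives_at=0),
    Flow("10.1.1.11", "203.0.113.5", arrives_at=0),
    Flow("10.1.1.12", "203.0.113.5", arrives_at=1),
    Flow("10.1.1.13", "203.0.113.5", arrives_at=1),
    Flow("10.1.1.20", "198.51.100.7", arrives_at=0),
    Flow("10.1.1.21", "198.51.100.7", arrives_at=0),
    Flow("10.1.1.22", "198.51.100.7", arrives_at=1),
    Flow("10.1.1.23", "198.51.100.7", arrives_at=1),
]

if __name__ == "__main__":
    for setup, owner in [("first-packet", "first-packet"),
                         ("ip-modulo", "first-packet"),
                         ("ip-modulo", "primary-device")]:
        print(f"setup={setup:14} owner={owner:14} (HA3 crossings, L7 load) =",
              ha3_crossings(SAMPLE_FLOWS, setup, owner))
    print("floating IP owner:", floating_ip_owner(90, 100),
          "-> after Device 0 fails:", floating_ip_owner(90, 100, failed=(0,)))
```

With First Packet for both setup and owner, no flow crosses HA3 and the Layer 7 load is split evenly; with IP Modulo setup and First Packet owner, half of the constructed flows are set up on one peer and inspected on the other, which is the HA3 traffic the best-practice note above is about; with Primary Device as owner all Layer 7 work lands on one unit.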





HA LINKS


1. Control Link [HA1]


The HA1 link is used to exchange hello messages and heartbeats, to share HA state, and to synchronize the configuration.

HA1 is a Layer 3 link and requires an IP address.


Heartbeat: an ICMP ping sent to the peer at the configured interval to verify network connectivity with the peer. The default interval is 2000 ms.

If the HA1 link fails and there is no HA1 backup link, the peers can no longer see each other's state and both may try to become active. This is the "split brain" scenario.


Hello message: confirms that the HA agent on the peer is running.

This message includes

- the HA state of the device

- the device priority

The default hello interval is 8000 ms.


2. Data Link [HA2]


The HA2 link is used to synchronize sessions, forwarding tables, IPsec SAs and ARP tables.

In Active/Passive the data flow on HA2 is unidirectional, from the active unit to the passive one (in Active/Active it runs in both directions).

The default transport is Layer 2 (Ethernet), so no IP address is required.


Transport options => Ethernet / IP / UDP. IP and UDP require an HA2 IP address on each peer and are used when the peers are not directly connected.


3. Backup Links (Optional)


Provide redundancy for HA1 and HA2. The HA1 backup can run over the management port or another in-band interface set to type HA. Because losing HA1 and its backup leads to the split-brain scenario described above, an HA1 backup is strongly recommended.


4. Packet Forwarding [HA3]


The HA3 link is required only in an Active/Active configuration; it carries packets between the peers during session setup and delivers packets to the session owner for Layer 7 inspection.


Session Owner: performs all Layer 7 processing such as App-ID, Content-ID and threat scanning, and logs the session.

Session Setup: performs Layer 2 to Layer 4 processing.


Failover Conditions:


1. Three consecutive heartbeat (or hello) messages are missed.

2. Link Monitoring - a monitored interface or link group goes down.

3. Path Monitoring - a monitored destination IP address stops responding to pings.

4. Physical hardware failure, for example a dataplane failure.


Note: In Active/Active each unit keeps its own real IP address on every data interface and a floating (virtual) IP address is used for the zones. In Active/Passive both units carry the same interface IP addresses, but the data interfaces of the passive firewall are held down (Passive Link State is shutdown by default), so only the active unit answers.


If preemption is enabled, link and path monitoring configured on the active (preferred) unit is what decides failover, because that unit reclaims the active role whenever it is healthy.


The standby unit takes over only when the active unit loses its active state because of one of the failover conditions listed above.
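As an added example (not from the original post), this Python script evaluates the four failover conditions listed above on constructed inputs: a heartbeat timeline in which the peer falls silent, link groups using the Any/All failure condition, a path group, and a hardware flag. The three-miss rule and the 2000 ms interval are the values stated in this post; the timestamps, interface names and states are constructed.

```python
from dataclasses import dataclass

HEARTBEAT_INTERVAL_MS = 2000   # default quoted in this post (platform-dependent on real hardware)
MISSED_HEARTBEATS_TO_FAIL = 3  # "three consecutive heartbeats missed"


def heartbeat_failure_time(received_ms, now_ms, interval_ms=HEARTBEAT_INTERVAL_MS,
                           misses=MISSED_HEARTBEATS_TO_FAIL):
    """Return the time (ms) by which `misses` consecutive heartbeats had gone missing,
    or None if no silence that long occurred up to `now_ms`.

    A heartbeat is expected every interval_ms after the last one seen, so a gap
    longer than misses * interval_ms means `misses` expected heartbeats never came.
    """
    if not received_ms:
        raise ValueError("need at least one received heartbeat as a reference point")
    last = received_ms[0]
    for t in received_ms[1:]:
        if t - last > misses * interval_ms:
            return last + misses * interval_ms
        last = t
    if now_ms - last > misses * interval_ms:
        return last + misses * interval_ms
    return None


@dataclass
class MonitorGroup:
    """A link group (members are interfaces) or a path group (members are
    destination IPs); `up` maps each member to its current state."""
    name: str
    up: dict
    failure_condition: str = "any"  # PAN-OS offers "any" or "all" per group

    def failed(self) -> bool:
        if not self.up:
            return False
        down = [m for m, ok in self.up.items() if not ok]
        if self.failure_condition == "any":
            return bool(down)
        if self.failure_condition == "all":
            return len(down) == len(self.up)
        raise ValueError(f"unknown failure condition: {self.failure_condition}")


def failover_reasons(received_ms, now_ms, link_groups=(), path_groups=(), hardware_ok=True):
    """Evaluate all four triggers; an empty list means the active unit keeps its role."""
    reasons = []
    t = heartbeat_failure_time(received_ms, now_ms)
    if t is not None:
        reasons.append(f"heartbeat: {MISSED_HEARTBEATS_TO_FAIL} consecutive heartbeats missed by t={t} ms")
    for g in link_groups:
        if g.failed():
            reasons.append(f"link monitoring: group {g.name} failed (condition={g.failure_condition})")
    for g in path_groups:
        if g.failed():
            reasons.append(f"path monitoring: group {g.name} failed (condition={g.failure_condition})")
    if not hardware_ok:
        reasons.append("hardware: dataplane or component failure reported")
    return reasons


# Constructed sample: heartbeats stop after t=4000 ms, one of two inside links is
# down, one of two outside links is down, and both monitored next hops are unreachable.
SAMPLE_HEARTBEATS_MS = [0, 2000, 4000]
SAMPLE_LINK_GROUPS = [
    MonitorGroup("inside", {"ethernet1/3": True, "ethernet1/4": False}, "any"),
    MonitorGroup("outside", {"ethernet1/1": True, "ethernet1/2": False}, "all"),
]
SAMPLE_PATH_GROUPS = [
    MonitorGroup("default-vr", {"192.0.2.1": False, "192.0.2.2": False}, "all"),
]

if __name__ == "__main__":
    for reason in failover_reasons(SAMPLE_HEARTBEATS_MS, now_ms=12000,
                                   link_groups=SAMPLE_LINK_GROUPS,
                                   path_groups=SAMPLE_PATH_GROUPS):
        print(reason)
```

On the sample the "outside" group does not trigger: one of its two links is down but its failure condition is All, which is exactly the knob to use when a zone has redundant uplinks and a single link loss should not cause a failover.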


ACTIVE PASSIVE SETUP


Step 1: Set at least two interfaces to Interface Type HA (one for HA1, one for HA2).


Go to Network --> Interfaces --> Ethernet, open the interface and set Interface Type to HA. Platforms with dedicated HA ports do not need this step.





Step 2: Enable HA


Go to Device --> High Availability --> General. The Group ID identifies which two devices form an HA pair; it must be the same on both peers and unique for each pair on the same network.


Say the network has two sets of firewalls, Internal and External.


Group ID = Internal = 1

Group ID = External = 2



For the peer, configure the same Group ID and the other unit's HA1 address as the Peer HA1 IP Address.





Step 3: Set Device Priority to 90 (lower is preferred) to make this unit active. The default is 100.


Enable Preemption.


Default timer values:


Promotion Hold Time: 2000 ms

Hello Interval: 8000 ms

Heartbeat Interval: 2000 ms




For the peer, leave the default priority of 100.

Step 4: Configure the Control Link (HA1). It is a Layer 3 link, so set the port, IP address and netmask on each unit.



Monitor Hold Time (ms): 3000 (default; how long a control-link failure must persist before the firewall acts on it)


Step 5: Configure the Data Link (HA2).


Select the port and the transport. An IP address is required only for IP or UDP transport, i.e., when the devices are not directly connected.




Step 6: Go to Link and Path Monitoring and add the interfaces you would like to monitor to a link group (failure condition Any or All).




Step 7: Path Monitoring


Add a path group with the destination IP addresses to ping; if a monitored path fails, the unit fails over. This is the equivalent of IP SLA tracking on Cisco devices.




IMPORTANT

In Active/Passive


the active unit shows its interface status as GREEN,





whereas a Layer 3 interface on the standby unit shows RED, because the passive unit keeps its data interfaces down until it becomes active.





Changes can be made on either unit and are synchronized to the other on commit, so you may also configure on the PASSIVE unit and the change will be reflected on the active one.
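As an added example (not from the original post), the Python script below is a pre-flight check for the prerequisites listed at the top of this page and for the Active/Passive steps above. It parses the model, PAN-OS version and license names out of text shaped like the "show system info" and "request license info" output (the text here is constructed to mimic that format, not a real capture) and then cross-checks the two HA configurations: same Group ID and mode, distinct priorities, HA1 addresses on one subnet with each peer IP pointing at the other, an HA2 IP address only when the transport needs one, and preemption only where link or path monitoring is enabled. The field names in the HA_A/HA_B dictionaries are this example's own, not PAN-OS names.

```python
import ipaddress
import re

# Constructed text mimicking the shape of `show system info` / `request license info`.
SYSINFO_A = """hostname: fw-a
model: PA-850
serial: 000000000001
sw-version: 10.1.6
"""
SYSINFO_B = """hostname: fw-b
model: PA-850
serial: 000000000002
sw-version: 10.1.6
"""
LICENSES_A = """Feature: Threat Prevention
Expires: Never
Feature: PAN-DB URL Filtering
Expires: Never
"""
LICENSES_B = LICENSES_A

# Constructed HA settings (this example's own field names), one dict per unit.
HA_A = {
    "hostname": "fw-a", "group_id": 1, "mode": "active-passive",
    "device_priority": 90, "preemptive": True,
    "ha1_ip": "10.255.0.1/30", "peer_ip": "10.255.0.2",
    "ha2_transport": "ethernet", "ha2_ip": None,
    "link_monitoring": True, "path_monitoring": False,
}
HA_B = {
    "hostname": "fw-b", "group_id": 1, "mode": "active-passive",
    "device_priority": 100, "preemptive": True,
    "ha1_ip": "10.255.0.2/30", "peer_ip": "10.255.0.1",
    "ha2_transport": "ethernet", "ha2_ip": None,
    "link_monitoring": True, "path_monitoring": False,
}
# The same peer with three mistakes: different Group ID, equal priority, wrong peer IP.
HA_B_BAD = dict(HA_B, group_id=2, device_priority=90, peer_ip="10.255.0.9")


def parse_system_info(text):
    """Turn 'key: value' lines into a dict (keys such as model, sw-version)."""
    facts = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+):\s*(.+?)\s*$", line)
        if m:
            facts[m.group(1)] = m.group(2)
    return facts


def parse_licenses(text):
    """Collect the 'Feature:' names into a set so the two units can be compared."""
    return {m.group(1).strip() for m in re.finditer(r"^Feature:\s*(.+)$", text, re.M)}


def check_prerequisites(sys_a, sys_b, lic_a, lic_b):
    findings = []
    for key in ("model", "sw-version"):
        if sys_a.get(key) != sys_b.get(key):
            findings.append(f"{key} differs: {sys_a.get(key)} vs {sys_b.get(key)}")
    if lic_a != lic_b:
        findings.append(f"licenses differ: only on A {sorted(lic_a - lic_b)}, only on B {sorted(lic_b - lic_a)}")
    return findings


def check_ha_config(a, b):
    findings = []
    if a["group_id"] != b["group_id"]:
        findings.append("Group ID mismatch: the two units will not form a pair")
    if a["mode"] != b["mode"]:
        findings.append("HA mode mismatch")
    if a["device_priority"] == b["device_priority"]:
        findings.append("equal device priority on both units: no deterministic preferred active")
    for fw in (a, b):
        if fw["preemptive"] and not (fw["link_monitoring"] or fw["path_monitoring"]):
            findings.append(f'{fw["hostname"]}: preemption enabled without link or path monitoring')
        if fw["ha2_transport"] in ("ip", "udp") and not fw.get("ha2_ip"):
            findings.append(f'{fw["hostname"]}: HA2 transport {fw["ha2_transport"]} needs an HA2 IP address')
    ha1_a = ipaddress.ip_interface(a["ha1_ip"])
    ha1_b = ipaddress.ip_interface(b["ha1_ip"])
    if ha1_a.network != ha1_b.network:
        findings.append("HA1 addresses are not on the same subnet")
    if (ipaddress.ip_address(a["peer_ip"]) != ha1_b.ip
            or ipaddress.ip_address(b["peer_ip"]) != ha1_a.ip):
        findings.append("peer IP does not match the other unit's HA1 address")
    return findings


if __name__ == "__main__":
    pre = check_prerequisites(parse_system_info(SYSINFO_A), parse_system_info(SYSINFO_B),
                              parse_licenses(LICENSES_A), parse_licenses(LICENSES_B))
    print("prerequisites:", pre or "OK")
    print("good pair:", check_ha_config(HA_A, HA_B) or "OK")
    print("bad pair:", *check_ha_config(HA_A, HA_B_BAD), sep="\n  ")
```

Run it before enabling HA on a fresh pair: the good configuration yields no findings, while HA_B_BAD reports the Group ID mismatch, the equal priorities and the wrong peer IP, which are the three mistakes that most often leave two units sitting side by side without ever forming a pair.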


ACTIVE ACTIVE


Step 1: Select the Device ID (0 on one unit and 1 on the other).




Step 2: The rest of the configuration is the same as Active/Passive, but there is an additional tab, Active/Active Config, for the HA3 (packet forwarding) interface.


Select the interface you would like to use for HA3 and choose whether to synchronize the virtual router and QoS configuration.







Note that Session Owner Selection defaults to the unit that receives the first packet, but the other options are available here as well.





Now assign a floating IP address for each interface in the different zones. Unlike Active/Passive, the IP addresses on the inside, outside and DMZ interfaces are now configured separately on each unit (each unit has its own address), with the floating IP moving to whichever peer owns it.




Here e1/3 is our inside interface.