Failover
The security appliance offers a failover function that provides a safeguard mechanism in the event of unit failure. When a unit fails, another immediately takes its place. The failover configuration requires two identical security appliances connected to each other through a dedicated failover link and, optionally, a stateful failover link. The health of the active interfaces and units is monitored to determine whether specific failover conditions are met. If those conditions are met, failover occurs.
The security appliance supports two failover configurations: Active/Active and Active/Standby failover.
1.) Active/Standby failover mode:-
In this mode only one unit (also called the active unit) passes traffic, whereas the other unit is in the standby state. This mode is available in both single and multiple context modes.
2.) Active/Active failover mode:-
In this mode both devices pass network traffic, sharing the bandwidth resources of both devices. This is also known as load balancing. This mode is available in multiple context mode only.
Failover requirements:-
Both units must:
- Be the same model.
- Have the same number and type of interfaces.
- Have the same amount of flash memory and the same amount of RAM.
- Run the same major and minor software version.
Failover link:-
Used to monitor the health and operating status of each unit in a failover pair.
State link:-
The security appliance supports two types of failover: regular and stateful. In regular (non-stateful) failover, all active connections are dropped and clients need to re-establish their connections when the new active unit takes over, because the new device has no knowledge of the previous connections. In a stateful failover environment, active connections do not need to be re-established when a failover occurs, because the active device sends its state table to the other device.
Information that is passed to the standby unit in a stateful failover setup includes the following:-
1.) NAT translation table
2.) TCP connection state
3.) UDP connection state
4.) The ARP entries
5.) The L2 bridge table when in transparent mode
6.) HTTP connection states (if HTTP replication is enabled)
7.) The ISAKMP and IPsec tables
8.) Connection database for GPRS Tunneling Protocol (GTP) Packet Data Protocol (PDP)
The information that is not passed:-
1.) The HTTP connection table (unless HTTP replication is enabled)
2.) The user authentication (uauth) table
3.) The routing table
4.) Multicast traffic information
5.) State information for security service cards
In LAN-based failover, the failover link and the state link can share the same interface or use different interfaces.
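As an added example that is not from the original post or the video, the following is an Active/Standby LAN-based failover configuration with a separate state link and HTTP replication enabled. The interface names (GigabitEthernet0/2 and 0/3), the link names FOLINK and STATELINK, the addresses and the key placeholder are assumptions; the failover key must be set to the same value on both units so that the state table exchanged over the link is authenticated and encrypted rather than sent in the clear.

```cisco
! ---- Primary unit ----
! Dedicated failover link (health monitoring) - assumed interface
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
! Separate stateful failover link; to share one interface with the failover
! link, use "failover link FOLINK" instead
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 192.168.253.1 255.255.255.252 standby 192.168.253.2
! Shared secret protecting failover/state traffic (placeholder value)
failover key <REPLACE-WITH-SHARED-SECRET>
! Replicate HTTP connection states as well (off by default)
failover replication http
! Enable failover last, after the links are configured
failover

! ---- Secondary unit ----
! Same link definitions; only the unit role differs. The standby unit
! takes the "standby" addresses automatically.
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 192.168.253.1 255.255.255.252 standby 192.168.253.2
failover key <REPLACE-WITH-SHARED-SECRET>
failover

! ---- Verification (either unit) ----
! "show failover" reports the unit role, the Active/Standby state of each
! unit, the failover and state link status, and per-interface monitoring.
show failover
show failover state
```

The failover and state link interfaces on both units must be up (no shutdown) before the failover command is entered, or the units will not see each other and both may try to become active.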
For the configuration, you can go through this video I have uploaded.