Third-Party High Availability Support and Limitations

The following sections describe IDP Series support for high availability deployments:

Third-Party High Availability Overview

IDP OS Release 5.1 supports high availability in network designs where you have deployed redundant network paths and use the failure detection features of a firewall, router, or switch to manage the cutover from the primary path to the backup path in cases of failure. In these deployments, you implement:

The following sections provide details:

State Synchronization

You establish state synchronization between the primary and the standby IDP Series device by connecting the IDP Series HA interfaces (eth1) with a crossover cable. In addition, you must use the Appliance Configuration Manager (ACM) to enable the Third-Party HA setting. You can use the sctop command-line utility to monitor state and flow synchronization.

Link State Signaling

You enable an IDP Series link state signaling mechanism so that it responds as expected to the third-party device link checking mechanism. You have the following choices:

Note: Due to a hardware limitation of the 10-gigabit fiber interface modules, interface signaling and PPM are not supported for the IDP8200 10-gigabit fiber I/O module.

Third-Party High Availability Requirements

Table 7 summarizes the deployment component requirements. We support deployment of active-passive failover pairs. We do not support active-active deployments.

Table 7: Third-Party HA Requirements

Component: IDP Series devices

Requirements:
  • Hardware – same model.
  • Software – same version.
  • Same configuration and same security policy.
  • Autorecovery enabled (default). HA can function if autorecovery is disabled, but we recommend you leave it enabled so that easily recoverable conditions do not result in unnecessary failover operations.
  • Traffic interfaces. Virtual routers (interface pairs) must be set to transparent mode. We have not tested and do not support HA state sync when virtual routers are configured in sniffer mode or when the device is deployed in mixed mode.
    You must enable one virtual router named vr0. When you enable HA with ACM, the HA interface (eth1) is added to vr0. The eth1 interface is not involved in traffic forwarding; it must belong to vr0 as a system requirement.
    Note: The HA feature monitors interface status, so unplugging and plugging in interface cables is significant. Use the CLI hasignal.sh restart command to reinitialize HA interface monitoring any time you plug in or unplug a traffic interface.
  • Simulation mode. Simulation mode is an operational mode, not a deployment mode. The simulation mode setting does not preclude your ability to enable HA or to deploy the devices as an HA active-passive cluster. Note, however, that a device deployed in simulation mode is not likely to encounter failure.
  • Layer 2 bypass enabled.
  • NIC bypass set to Nics off. This setting is enforced by ACM: if you enable HA, you cannot enable NIC bypass.

Component: HA interface

Requirement:
  • The eth1 interfaces must be connected directly with a cross-over cable (so the devices must be physically close).

Component: Third-party HA mechanism

Requirement (one of the following):
  • Juniper Networks ScreenOS firewalls, running NetScreen Redundancy Protocol (NSRP)*
  • Juniper Networks EX Series switches, running a spanning tree protocol: STP, MSTP, RSTP, or VSTP**
  • Other vendors’ firewalls, running Virtual Router Redundancy Protocol (VRRP)
  • Other vendors’ switches, running STP***
  • Routers running Hot Standby Redundancy Protocol (HSRP)

_________
* IDP OS 5.1 was tested with Juniper Networks ISG1000 running ScreenOS version 5.4.0R3.
** IDP OS 5.1 was tested with Juniper Networks EX4200 running Junos OS 10.2R1.
*** IDP OS 5.1 was tested with Cisco Catalyst C3500XL running version 12.0.

State Sync Limitations

When the active IDP Series device sets up a new session for inspection, it sends the TCP session information to the standby IDP Series device. As processing continues, the active device sends its application identification results to the standby device to populate the standby device’s application identification cache.

In case of failure, the switch or firewall cuts over to the redundant path and the standby device begins receiving traffic. When the standby device processes retransmitted sessions for which sync information is available, it enforces APE rules. The following limitations are expected:

The failover device handles all new sessions exactly as a standalone device would.
