
    Example: IDP Series HA Design with Juniper Networks ScreenOS Firewalls

    The following sections describe an example redundant path deployment where the Juniper Networks NetScreen Redundancy Protocol (NSRP) feature monitors the health of the network path:

    Topology

    Figure 1 shows a network topology where there are redundant paths to the Internet. One path is active and the other is passive.

    Figure 1: Redundant Path Design: IDP Series HA Depends on NSRP (Juniper Networks SSG Series)


    In the deployment with IDP Series devices, the ScreenOS Track IP feature monitors the state of the connection to the switch. If the IDP Series device fails and cannot forward traffic, the Track IP probe to the switch fails, and the firewall then forces traffic to the other path.

    Deployment Steps

    To deploy this solution, follow these basic steps:

    1. Set up and configure the ScreenOS firewalls using the documentation that came with your firewall. Note the following requirements:

      • Hardware—Essentially, deploy the ScreenOS devices in an active-passive HA cluster as you normally would (without regard to the IDP Series devices).
      • Failure detection mechanism—To establish a preferred primary and secondary path, you use NSRP priorities, with preemption. You can use one of the following NSRP methods to detect failure along the network path:

        • Layer 2 path monitoring functions by checking that the physical ports are active and connected to other network devices. When you configured the redundant paths for the firewall deployment, you configured NSRP to monitor the status of its own interfaces and the devices to which those interfaces are connected. The interface monitoring feature can detect a down state of a connected IDP Series interface.

          The firewall fails over to the redundant path only when all interfaces in the monitored zone are down. Therefore, in deployments where you have multiple interfaces connected, we recommend that you enable interface signaling on the IDP Series device.

        • Layer 3 path monitoring, or IP tracking, functions by sending ping or ARP requests to up to 16 specified IP addresses at user-determined intervals and then monitoring whether the targets respond. If you have not done so already, configure the firewall to use Track IP to monitor connection failure between itself and a list of Track IP hosts. The Track IP feature sends ARP and ping traffic to the target hosts. If the Track IP failure value exceeds the user-specified threshold, the firewall decides the path is unavailable and initiates failover to the redundant path. Configure the Track IP targets on the other side of the IDP Series device. When the IDP Series device is down, the ARP or ping traffic fails, signaling to the firewall that the path is unavailable.

          When the configured Track IP failure threshold is reached, the firewall initiates failover. All sessions (old sessions initiated before the failover and new sessions initiated after the failover) are forced to the other path.

          Due to a hardware limitation, you cannot use interface signaling for an IDP8200 with 10-gigabit fiber interfaces. In those deployments, use NSRP Layer 3 path monitoring.

          For information about NSRP features, see the high availability volume of the ScreenOS Concepts and Examples Guide (PDF). For NSRP troubleshooting information, see the Juniper Networks Knowledge Base.

    2. Set up and configure the IDP Series devices. Note the following requirements.

      Table 1: IDP Series Configuration Guidelines (each entry lists the component, then the guideline)

      • IDP Series device hardware: Use a cross-over cable to connect the HA port of one device to the HA port of the other.

      • State sync: Use ACM to enable Third-Party HA and assign each device an identifier.

        Figure 2: ACM Third-Party HA Pages

      • Cluster: In NSM, create a cluster object and then add the IDP Series devices to NSM as cluster members. Whenever you push updates (such as OS version updates, detector engine updates, or security policy updates), select the cluster object as the target. NSM pushes updates to the members in sequence: member A and then member B.

        Figure 3: NSM Device Cluster

        Note: For third-party high availability deployments, the cluster status displayed in NSM Realtime Monitor > IDP Cluster Monitor always indicates failure. Disregard this status; you cannot use the NSM Cluster Monitor to display status for these deployments.

      • Interface signaling: If you use the NSRP Layer 3 Track IP method, do not enable interface signaling.

        If you use NSRP Layer 2 path monitoring, enable interface signaling on the IDP Series devices. In the user_funcs file, set the value of ha_interface_signal to 1, as shown in the following example:

        #########################################################################
        #                             VARIABLES
        #########################################################################

        [...]

        # Enable or disable interface-based third-party HA signaling.
        # Setting this variable to 1 indicates that interface-based HA signaling
        # should be used and that STP and similar traffic should be blocked to
        # enable traffic switch-over by third-party HA devices.

        export ha_interface_signal=1

        # 'max_intf_recv_failed_cnt_nicbypass' - The maximum count value for any
        # data interface indicating the number of times the packet could not
        # be received by that interface. If the count for any interface reaches
        # this value, nicBypass gets triggered.
        #  **WARNING**: Changing the value requires running 'idp.sh restart'.

        export max_intf_recv_failed_cnt_nicbypass=18

        # Define SCIO
        SCIO=/usr/idp/device/bin/scio

      • Layer 2 Bypass: Use ACM to enable Layer 2 bypass.

      • Peer port modulation: Do not enable.
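    The interface signaling guideline above ties the ha_interface_signal value to the NSRP method in use (1 for Layer 2 interface monitoring, 0 for Layer 3 Track IP). The following script is an added example, not Juniper's code: it reads the effective value from a user_funcs file and reports a mismatch against the method you chose. The user_funcs path and the sample fragment it checks itself against are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the IDP Series software: verify that
# ha_interface_signal in user_funcs matches the NSRP monitoring method.
# Assumption: user_funcs is a shell fragment with "export ha_interface_signal=<n>".
# Print the effective ha_interface_signal value (the last export line wins,
# as it would when the shell sources the file); commented lines are ignored.
ha_signal_value() {
    grep -E '^[[:space:]]*export[[:space:]]+ha_interface_signal=[0-9]+' "$1" \
        | tail -n 1 \
        | sed -E 's/.*ha_interface_signal=([0-9]+).*/\1/'
}
# Value the guideline requires for each NSRP method:
# Layer 2 interface monitoring needs 1, Layer 3 Track IP needs 0.
expected_for_method() {
    case "$1" in
        layer2) echo 1 ;;
        layer3) echo 0 ;;
        *) return 1 ;;
    esac
}
# Report OK (exit 0) or MISMATCH (exit 1) for a method and a user_funcs path.
check_ha_signal() {
    method=$1; file=$2
    want=$(expected_for_method "$method") || { echo "unknown method: $method"; return 2; }
    have=$(ha_signal_value "$file")
    if [ -z "$have" ]; then
        echo "MISMATCH: no 'export ha_interface_signal=' line in $file"
        return 1
    fi
    if [ "$have" = "$want" ]; then
        echo "OK: ha_interface_signal=$have fits NSRP $method monitoring"
        return 0
    fi
    echo "MISMATCH: ha_interface_signal=$have but NSRP $method monitoring needs $want"
    return 1
}
# Constructed sample user_funcs fragment (not a real device file) for a self-check.
SAMPLE_USER_FUNCS=$(mktemp)
cat > "$SAMPLE_USER_FUNCS" <<'EOF'
# Enable or disable interface based third-party HA signaling
# export ha_interface_signal=0   <- commented out, must be ignored
export ha_interface_signal=1
export max_intf_recv_failed_cnt_nicbypass=18
EOF
check_ha_signal layer2 "$SAMPLE_USER_FUNCS"          # prints OK
check_ha_signal layer3 "$SAMPLE_USER_FUNCS" || true  # prints MISMATCH (expected here)
```

    Run it against the real file with check_ha_signal layer2 /path/to/user_funcs (or layer3) after choosing the NSRP method; a MISMATCH means the IDP device will either never signal the firewall or will signal it while Track IP is already probing through it.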

    3. On the IDP Series device, you can use the synchronization details in sctop flow tables and the device log files to verify and troubleshoot the HA deployment. Logs related to HA communication are written locally to /var/idp/device/sysinfo/logs/hasignal.log.

    Published: 2011-02-08