11.2. HA Mechanisms
Basic Principles
D-Link HA provides a redundant, state-synchronized hardware configuration. The state of the active
unit, such as the connection table and other vital information, is continuously copied to the inactive
unit via the sync interface. When cluster failover occurs, the inactive unit knows which connections
are active, and traffic can continue to flow.
The inactive system detects that the active system is no longer operational when it no longer detects
sufficient Cluster Heartbeats. Heartbeats are sent over the sync interface as well as all other
interfaces. NetDefendOS sends 5 heartbeats per second from the active system and when three
heartbeats are missed (that is to say, after 0.6 seconds) a failover will be initiated. By sending
heartbeats over all interfaces, the inactive unit gets an overall view of the active unit's health. Even
if sync is deliberately disconnected, failover may not result if the inactive unit receives enough
heartbeats from other interfaces via a shared switch, however the sync interface sends twice as many
heartbeats as any of the normal interfaces. The administrator can disable heartbeat sending on any of
the interfaces.
Heartbeats are not sent at smaller intervals because such delays may occur during normal operation.
An operation such as opening a file, could result in delays long enough to cause the inactive system
to go active, even though the other is still active.
Heartbeat Characteristics
Cluster heartbeats have the following characteristics:
•
The source IP is the interface address of the sending firewall.
•
The destination IP is the broadcast address on the sending interface.
•
The IP TTL is always 255. If NetDefendOS receives a cluster heartbeat with any other TTL, it is
assumed that the packet has traversed a router and therefore cannot be trusted.
•
It is a UDP packet, sent from port 999, to port 999.
•
The destination MAC address is the ethernet multicast address corresponding to the shared
hardware address. In other words, 11-00-00-C1-4A-nn. Link-level multicasts are used over
normal unicast packets for security: using unicast packets would mean that a local attacker could
fool switches to route heartbeats somewhere else so the inactive system never receives them.
Failover Time
The time for failover is typically about one second which means that clients may experience a
failover as a slight burst of packet loss. In the case of TCP, the failover time is well within the range
of normal retransmit timeouts so TCP will retransmit the lost packets within a very short space of
time, and continue communication. UDP does not allow retransmission since it is inherently an
unreliable protocol.
Shared IP Addresses and ARP
Both master and slave know about the shared IP address. ARP queries for the shared IP address, or
any other IP address published via the ARP configuration section or through Proxy ARP, are
answered by the active system. The hardware address of the shared IP address and other published
addresses are not related to the actual hardware addresses of the interfaces. Instead the MAC address
is constructed by NetDefendOS from the Cluster ID in the form 10-00-00-C1-4A-nn where nn is
derived by combining the Cluster ID configured in the Advanced Settings section with the hardware
11.2. HA Mechanisms
Chapter 11. High Availability
411
Summary of Contents for DFL-210 - NetDefend - Security Appliance
Page 24: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 24...
Page 69: ...2 6 4 Restore to Factory Defaults Chapter 2 Management and Maintenance 69...
Page 121: ...3 9 DNS Chapter 3 Fundamentals 121...
Page 181: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 181...
Page 192: ...5 5 IP Pools Chapter 5 DHCP Services 192...
Page 282: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 282...
Page 300: ...mechanism 7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 300...
Page 301: ...7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 301...
Page 318: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 318...
Page 322: ...ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 322...
Page 377: ...Management Interface Failure with VPN Chapter 9 VPN 377...
Page 408: ...10 4 6 SLB_SAT Rules Chapter 10 Traffic Management 408...
Page 419: ...11 5 HA Advanced Settings Chapter 11 High Availability 419...
Page 426: ...12 3 5 Limitations Chapter 12 ZoneDefense 426...
Page 449: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 449...