links to external devices are renegotiated.
• In an HA cluster setup, the link from the master to the external Internet (or other part of a
network) can be continually monitored so that should the link fail, the slave will take over
(assuming that the slave has a different physical connection to the monitored address). The
action chosen for HA should be either 2. Failover or 3. Failover and reconfigure.
If the first action option 1. Reconfigure is chosen in an HA cluster, then the reconfigure will
also cause a failover since it will temporarily suspend the master's operation while the
reconfigure takes place and the slave will take over when it detects this inactivity. If
reconfiguration with failover is desirable it is better to select the option 3. Failover and
reconfigure since this performs the failover first and is nearly instantaneous with almost no
traffic interruption. Reconfiguration first is slower and results in some traffic interruption.
To preserve all tunnels in a VPN scenario, it is best to choose the 2. Failover option since a
reconfiguration can cause some tunnels to be lost.
Link Monitoring with HA Clusters
The most common use for link monitoring is in the HA cluster scenario described above. It is
important that the master and slave do not duplicate the same condition that triggered the link
monitor. For example, if a particular router connected to the master NetDefend Firewall was being
"pinged" by link monitoring, the slave should not also be connected to that router. If it is, the
continued triggering of a reconfiguration by the link monitor will then cause the slave to fail over
back to the master, which will then fail over back to the slave again and so on.
If it is important to not allow a failover during reconfiguration of the active unit in an HA cluster
then the advanced setting Reconf Failover Time should be set to a value which is neither too low nor
too high.
Reconf Failover Time controls how long the inactive unit will wait for the active unit to
reconfigure before taking over. Setting this value too low will mean the inactive unit does not wait
long enough. Setting the value too high could mean significant downtime if the active unit fails
during reconfiguration and the inactive unit needs to take over.
More information on clusters can be found in Chapter 11, High Availability.
Link Monitoring Parameters
The Link Monitor takes the following parameters:
Action
Specifies which of the 3 actions described above NetDefendOS should take.
Addresses
Specifies a group of hosts to monitor. If at least half of them
do not respond, NetDefendOS assumes that there is a link
problem. A host's responses are ignored until NetDefendOS
has been able to reach it at least once. This means that an
unreachable host can be responsible for triggering an action
once but not twice.
A group of three hosts where one has been unreachable since
the last configuration will therefore be treated as a two-host
group until the third host becomes reachable. This also means
that if a link problem triggers an action and the problem is not
solved, NetDefendOS will not attempt to repeat the same
action until the problem is solved and the hosts are again
reachable.
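The Addresses rule described above can be modelled in a few lines; this is an added example, not NetDefendOS code. It assumes each polling round gives a plain responded/did-not-respond verdict per host and that the reachability history is cleared whenever the action fires (as after a reconfiguration); the class name, host addresses and polling rounds are constructed for illustration.

```python
class LinkMonitorModel:
    """Simplified model of the Addresses rule (hypothetical, not vendor code)."""

    def __init__(self, hosts):
        self.hosts = list(hosts)
        self.reached = set()  # hosts reached at least once since the last reset

    def poll(self, responding):
        """Process one polling round; return True if the action should fire."""
        responding = set(responding) & set(self.hosts)
        self.reached |= responding
        # Hosts that have never been reached are ignored entirely.
        counted = [h for h in self.hosts if h in self.reached]
        down = [h for h in counted if h not in responding]
        # "At least half" of the counted hosts must be silent.
        if not counted or 2 * len(down) < len(counted):
            return False
        # Assumption: history is cleared when the action fires, so a host that
        # stays down cannot trigger again until it has been reached once more.
        self.reached.clear()
        return True


def run(hosts, rounds):
    """Replay a sequence of polling rounds and return the decision per round."""
    monitor = LinkMonitorModel(hosts)
    return [monitor.poll(r) for r in rounds]


# Constructed sample data (documentation address range).
A, B, C = "192.0.2.1", "192.0.2.2", "192.0.2.3"
HOSTS = [A, B, C]
ROUNDS = [
    {A, B},  # C never reached: the group is treated as two hosts
    {A},     # B silent: 1 of 2 counted hosts down, the action fires
    {A},     # B still down but no longer counted: no repeat
    {A},     # problem unsolved: still no repeat
    {A, B},  # B reachable again and counted once more
    {A},     # B silent again: the action fires a second time
]

if __name__ == "__main__":
    for number, fired in enumerate(run(HOSTS, ROUNDS), start=1):
        print(f"round {number}: action fired = {fired}")
```

With all three hosts reached, a single silent host is only one of three and does not trigger the action; the same loss in a two-host group does.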
2.4.1. The Link Monitor
Chapter 2. Management and Maintenance