topic HA Active/Active design in General Topics

HA Active/Active design

bdaussin — Tue, 03 Jan 2012 15:35:47 GMT

Hi all,

We would like to deploy 2 PAs on two different sites in an Active/active design. The two sites are 10ms far away from each other.

So the first question is : Is 10ms (RTT) acceptable from a PanOS perspective to enable the HA feature ?

The IP plan is not the same on each site. Is it an issue to setup HA active/active in this case ? I've read the documentation, and it seems to be supported if we use the virtual wire implementation case.

Best wishes for this new year.

Thanks for your help.

Regards,

EDIT : I've just found a Tech Note describing the HA/HA.

Regarding the second question, this documentation gives the answer : we can use the Route Based Redundancy, that's fine.

But now, I worry about the load sharing feature. In our case, half of our users are located on site 1 and second half on site 2, So the

load sharind is native by design using some IP routing features.

Regarding, the session owner, it's easy, we can define it as being the device receiving the first packet.

But regarding the session setup, it's not clear : how to ensure that the session setup is the device closest to the user ?

Re: HA Active/Active design

ncampagna — Tue, 03 Jan 2012 18:28:34 GMT

Hello,

We developed A/A HA in order to address high availability in environments with asymmetric routing. In these cases, we expect race conditions with packets arriving at both devices. The session setup operation must be tied to a specific device (chosen by the IP modulo or the hash of certain IP header fields) in order to avoid the scenario where both devices try to create a session. For these reasons, we don't currently support a configuration where the device closest to the users will setup the session. Fortunately, the session setup operation is relatively light. Assuming you select the "first-packet" option for session ownership, your A/A design will be as efficient as possible in a symmetrically routed environment.

Thank you,

Nick Campagna

Product Management

Re: HA Active/Active design

bdaussin — Wed, 04 Jan 2012 03:43:43 GMT

Hello,

Thanks you for your answer Nick

With a symmetrical routing design, If I anderstand well, only the session setup ( first few packets ) will be sent through the HA3 link, so

it should not be so dramatic. Once the session has been established, the PA which owns the session, will be able to analyse and forward

the packet without always sending packets to HA3 link. Am I right ?

In my original question, what about the 10ms RTT between our 2 PAs ?

Thanks for your help

- Benjamin

Re: HA Active/Active design

ncampagna — Wed, 04 Jan 2012 16:19:00 GMT

Hi Benjamin,

Hello,

Thanks you for your answer Nick

With a symmetrical routing design, If I anderstand well, only the session setup ( first few packets ) will be sent through the HA3 link, so

it should not be so dramatic. Once the session has been established, the PA which owns the session, will be able to analyse and forward

the packet without always sending packets to HA3 link. Am I right ?

[NC] You've got it!

In my original question, what about the 10ms RTT between our 2 PAs ?

[NC] You'll have to look at your specific applications and their tolerance for latency. Since this 10ms RTT will typically only affect the session for the first few packets, I don't anticipate any issues.

Thanks for your help

- Benjamin

Thanks,

Nick