topic Re: Virtual IP address in HA- Active Passive Mode in General Topics

Virtual IP address in HA- Active Passive Mode

nsrini1991 — Mon, 30 Jul 2018 22:42:59 GMT

Hi Experts,

I've query about High Availability Active-Passive. As we know, interface IP addresses are same on both the firewalls and when Active device goes down, secondary firewall will take over by sending gratuitous arp to switches. So switches can learn about the new Mac addresses and traffic start forwarding. But this causes a blip in network traffic forwarding .

Is there any way we can configure floating IP address/ Virtual IP address for each interfaces in Active-Passive mode like HSRP , so traffic can be forwarded without any interruption or this is supported only in Active-Active mode. Please assist.

Re: Virtual IP address in HA- Active Passive Mode

fjwcash — Fri, 10 Aug 2018 19:59:36 GMT

I forget the name of the option, but in the High Availability settings is a fast switchover option that can be enabled.

The default has the interfaces on the passive firewall marked as "down" so there's no link with the switch. When a fail-over occurs, the interfaces are marked as "up", they negotiate a link with the switch, then do all the ARP stuff. There's about a 2 second pause in traffic while this happens.

With the fast switchover enabled, the interfaces on the passive device are "up", there's a link with the switch, but the firewall drops all traffic on those ports. When a fail-over occurs, it just does the ARP stuff and there's only a 200-400 ms blip where only a few individual packets should be lost (if even that many).

Edit: fixed spelling and typos due to using a phone for the original post.

Re: Virtual IP address in HA- Active Passive Mode

BPry — Tue, 31 Jul 2018 14:07:07 GMT

@fjwcash,

On the HA settings under 'Active/Passive Settings' you can set the 'Passive Link State' to either Shutdown or Auto. By default this will be set to "Shutdown", in this state upstream and downstream devices will not see a valid path until the passive becomes active.

Auto will bring the interfaces on the firewall into a 'link up' state, but blocks all inbound and outbound traffic to the interfaces until the firewall becomes active. This eliminates a lot of the the failover time. The device in passive sate will not forward traffic or respond to ARP requests until the device is active.

Either option is pretty save regardless of which one you select, but there are a few things to keep in mind when setting things to Auto. Layer 3 depoloyments you obviously have the advantage of GARPs (2 immediately then 8*1sec) that will update the MAC tables.

Layer2 deplolyments you need to keep RSTP in mind. You'll want to enable RSTP on all switch interfaces that connect to the firewall (layer2 interfaces) to prevent any loops between the firewall HA members.