High Availability With an Active and Passive Cluster Using Link Aggregation

High availability (HA) cluster systems are designed to ensure uninterrupted service by preventing a problem at a single point from blocking access. Their primary purpose is the uninterrupted operation of critical services offered on a network.

When a server in the HA cluster encounters a software or hardware error, a passive server is kept on standby, and this server, capable of providing the services of the principal server, takes over. The service continues uninterrupted while the error on the Master server is corrected. This working principle is called failover.

Antikor v2 firewalls check each other by sending control messages over the network at a configurable interval. When control messages cannot be transmitted because of an error, task switching occurs between the two firewalls.

The events that initiate task switching are:

  • If there is no access to one or more specified targets through the Active firewall;
  • If the Active firewall does not respond to the control messages;
  • If there is an error in the path monitoring route or critical software components on the Active firewall.
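An added sketch, not Antikor's implementation, of how a receive timeout turns missed control messages into a switch decision, using the 100 ms send interval and 400 ms receive timeout that this page gives as defaults. The function names and the rule that the timer fires once the silence strictly exceeds the timeout are assumptions.

```python
SEND_MS = 100     # Keepalive Packet Send Frequency (default stated on this page)
TIMEOUT_MS = 400  # Keepalive Packet Receive Timeout (default stated on this page)


def received_times(count, lost=(), send_ms=SEND_MS):
    """Arrival times in ms of keepalives 1..count, minus the sequence numbers in `lost`."""
    return [n * send_ms for n in range(1, count + 1) if n not in lost]


def takeover_time(arrivals, end_ms, timeout_ms=TIMEOUT_MS):
    """Return when (ms) the peer would be declared unresponsive, or None.

    Assumed model: the timer restarts on every received keepalive and fires
    once the silence strictly exceeds timeout_ms. end_ms closes the window so
    that a silence lasting until the end of the observation is also counted.
    """
    last = 0
    for t in list(arrivals) + [end_ms]:
        if t - last > timeout_ms:
            return last + timeout_ms
        last = t
    return None


if __name__ == "__main__":
    # Constructed scenarios over a one-second window (ten keepalives expected).
    scenarios = {
        "two keepalives lost": {4, 5},
        "five keepalives lost, peer recovers": {4, 5, 6, 7, 8},
        "peer goes silent after 300 ms": set(range(4, 11)),
    }
    for name, lost in scenarios.items():
        print(name, "->", takeover_time(received_times(10, lost), end_ms=1000))
```

The second scenario shows that a burst of loss on the synchronization link longer than the timeout starts task switching even though the active device is still healthy, so the link carrying control messages should be reliable.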

Network Topology

[Image: network topology diagram]


Common Configurations to Be Made on Both Servers

  • The Ethernet Assignment page is opened from the Network Configuration menu.

  • Check that Cluster Membership is set to Active for the Ethernet interfaces to be synchronized in the cluster.

  • The Virtual Ethernet - Link Aggregation page is opened from the Network Configuration menu.

  • On both servers, two ports are combined and saved as LACP.

  • Definitions are applied by clicking the Apply Definitions button.


Configurations that Will be Made on the Device where the Beginning Job Will be Active

  • The Management Panel Settings page is opened from the Management Panel Settings menu.

  • On the Service Settings tab, the Independent Management Infrastructure is activated and a management IP address is assigned. In this configuration example, the IP address of the device whose Beginning Job will be Active is set to 10.2.1.91. (Independent management is used because the WAN IP addresses of the two devices will be the same after cluster synchronization is applied.)

  • After entering the settings, the Save button is clicked.

  • Definitions are applied by clicking the Apply Definitions button.

  • The Cluster Settings page is opened from the System Settings menu.

  • In Operation Mode settings, after Working Mode is set to Active-Passive, Beginning Job is marked as Active.
  • Keepalive Packet Send Frequency (default 100ms) and Keepalive Packet Receive Timeout (default 400ms) are left at default values.

  • In Sync Settings, Delegate job if other device is healthy and Sync Changes From Management are set to Passive.

  • Connection States Sync and Update Package Sync are set to Active.

  • In Ethernet Settings, the ethernet interface to be synchronized is selected.

  • The IP address of the Ethernet interface to be synchronized and the Cluster IP address of the opposite device are entered. (The IP address entered here does not need to be added to the IP pools.)

Note: The IP addresses given to the two devices must be from the same IP block. For example, if the synchronization IP address of this server is 10.10.105.11/24, the other server is given a different address in the same IP block, 10.10.105.12/24.

  • The VHID value entered in the Handshake Settings must be the same as on the opposite device. If another device on the network (such as a switch or router) runs VRRP, a VHID conflict may occur. For this reason, the VHIDs used by other devices should be known, and a value different from them should be given.

  • The Predefined Key must be the same as on the opposite device.

  • The license key of the opposite device is entered in the Other Device License Key field.

  • Click the Save button.

  • Definitions are applied by clicking the Apply Definitions button.



Configurations that Will be Performed on the Device whose Beginning Job Will Be Passive

  • The Management Panel Settings page is opened from the Management Panel Settings menu.

  • On the Service Settings tab, the Independent Management Infrastructure is activated and a management IP address is assigned. In this configuration example, the IP address of the device whose Beginning Job will be Passive is set to 10.2.1.92. (Independent management is used because the WAN IP addresses of the two devices will be the same after cluster synchronization is applied.)

  • After entering the settings, the Save button is clicked.

  • Definitions are applied by clicking the Apply Definitions button.

  • The Cluster Settings page is opened from the System Settings menu.

  • In Operation Mode settings, after Working Mode is set to Active-Passive, Beginning Job is marked as Active.

  • Keepalive Packet Send Frequency (default 100ms) and Keepalive Packet Receive Timeout (default 400ms) are left at default values.

  • In Sync Settings, Delegate job if other device is healthy and Sync Changes From Management are set to Passive.

  • Connection States Sync and Update Package Sync are set to Active.

  • In Ethernet Settings, the ethernet interface to be synchronized is selected.

  • The IP address of the Ethernet interface to be synchronized and the Cluster IP address of the opposite device are entered. (The IP address entered here does not need to be added to the IP pools.)

Note: The IP addresses given to the two devices must be from the same IP block. For example, if the synchronization IP address of this server is 10.10.105.12/24, the other server is given a different address in the same IP block, 10.10.105.11/24.

  • The VHID value entered in the Handshake Settings must be the same as on the opposite device. If another device on the network (such as a switch or router) runs VRRP, a VHID conflict may occur. For this reason, the VHIDs used by other devices should be known, and a value different from them should be given.

  • The Predefined Key must be the same as on the opposite device.

  • The license key of the opposite device is entered in the Other Device License Key field.

  • Click the Save button.

  • Definitions are applied by clicking the Apply Definitions button.

  • After the definitions are applied, the connection is tested with the Verify License Key of Other Device button. The test should be reported as successful. In case of failure, the license key and the connection between the two servers should be checked.

Note: If you want the settings to be the same on both devices, click the Resynchronize button on the Cluster Status tab of the Dashboard on the Active device; all the settings of the Active device will be pushed to the Passive device.
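The matching rules stated in both device sections (same IP block, same VHID with no VRRP conflict, same Predefined Key, each device holding the other's license key) can be checked before saving. The following is an added example, not part of the Antikor product: the dictionary field names are hypothetical, the IP addresses are the page's examples, and the VHID and key values are placeholders.

```python
import ipaddress


def check_cluster_pair(a, b, vhids_in_use=()):
    """Return a list of inconsistencies between two devices' cluster settings.

    a, b: dicts with hypothetical field names (not an Antikor export format).
    vhids_in_use: VHIDs already used by other VRRP devices on the network.
    """
    problems = []
    a_if = ipaddress.ip_interface(a["sync_ip"])
    b_if = ipaddress.ip_interface(b["sync_ip"])
    if a_if.network != b_if.network:
        problems.append("sync IPs are not in the same IP block")
    if a_if.ip == b_if.ip:
        problems.append("sync IPs must be different addresses")
    # Each device must point at the other's sync address and license key.
    for me, peer, peer_if in ((a, b, b_if), (b, a, a_if)):
        if ipaddress.ip_address(me["peer_cluster_ip"]) != peer_if.ip:
            problems.append(f"{me['name']}: peer cluster IP is not {peer['name']}'s sync IP")
        if me["other_license_key"] != peer["license_key"]:
            problems.append(f"{me['name']}: Other Device License Key is not {peer['name']}'s key")
    if a["vhid"] != b["vhid"]:
        problems.append("VHID differs between the two devices")
    elif a["vhid"] in vhids_in_use:
        problems.append(f"VHID {a['vhid']} is already used by another VRRP device")
    if a["predefined_key"] != b["predefined_key"]:
        problems.append("Predefined Key differs between the two devices")
    if a["mgmt_ip"] == b["mgmt_ip"]:
        problems.append("independent management IPs must differ")
    return problems


# Constructed sample: IP addresses are the page's examples; VHID and keys are placeholders.
ACTIVE = {"name": "fw-active", "mgmt_ip": "10.2.1.91", "sync_ip": "10.10.105.11/24",
          "peer_cluster_ip": "10.10.105.12", "vhid": 7, "predefined_key": "EXAMPLE-KEY",
          "license_key": "LICENSE-A", "other_license_key": "LICENSE-B"}
PASSIVE = {"name": "fw-passive", "mgmt_ip": "10.2.1.92", "sync_ip": "10.10.105.12/24",
           "peer_cluster_ip": "10.10.105.11", "vhid": 7, "predefined_key": "EXAMPLE-KEY",
           "license_key": "LICENSE-B", "other_license_key": "LICENSE-A"}

if __name__ == "__main__":
    found = check_cluster_pair(ACTIVE, PASSIVE, vhids_in_use={1, 2})
    print("\n".join(found) if found else "settings are consistent")
```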


Testing and Controls

  • If the device status is Active, the Cluster Status on the Dashboard should show the Passive device as Online. If it does not, the cluster settings and physical connections should be checked.

  • If the device status is Passive, the Cluster Status on the Dashboard should show the Active device as Online. If it does not, the cluster settings and physical connections should be checked.

ePati Cyber Security Co.
