
Amer Networks E5Web GUI User Manual


longer operational.

Interconnection of Cluster Units

In a cluster, the master and slave units must be directly connected to each other by a
synchronization connection, which is known to cOS Core as the sync interface. One of the normal
interfaces on each of the master and the slave is dedicated to this purpose, and the two are
connected together with a crossover cable.

Special packets, known as heartbeats, are continually sent by cOS Core across the sync interface
and all other interfaces from one unit to the other. These packets allow the health of both units
to be monitored. Heartbeat packets are sent in both directions so that the passive unit knows
about the health of the active unit and the active unit knows about the health of the passive.

The heartbeat mechanism is discussed in more detail below in Section 11.2, “HA Mechanisms”.

Cluster Management

An HA Cluster of two Clavister Security Gateways can be managed as a single unit with a unique
cluster name through InControl. It will appear in the InControl management interface as a single
logical Clavister Security Gateway. Administration operations such as changing rules in the IP
rule set are carried out as normal with the changes automatically being made to the
configurations of both the master and the slave.

When managing the cluster through the Web Interface or CLI, administration is done on one unit
in the cluster at a time. Configuration changes are not automatically duplicated between the
cluster peers.

Load-sharing

Clavister HA clusters do not provide load-sharing since only one unit will be active while the
other is inactive and only two Clavister Security Gateways, the master and the slave, can exist in a
single cluster. The only processing role that the inactive unit plays is to replicate the state of the
active unit and to take over all traffic processing if it detects the active unit is not responding.

Hardware Duplication

Clavister HA will only operate between two Clavister Security Gateways. As the internal operation
of different security gateway manufacturers' software is completely dissimilar, there is no
common method available for communicating state information to a dissimilar device.

It is also strongly recommended that the Clavister Security Gateways used in a cluster have
identical configurations. They must also have identical licenses which allow identical capabilities
including the ability to run in an HA cluster.
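
Because changes made through the Web Interface or CLI are not duplicated between peers, while identical configurations are strongly recommended, the following added example (not part of the manual and not Clavister code) compares two configuration exports and reports drift, including differences in rule order. The one-object-per-line text format, the sample rules and the per-unit "HA" section are assumptions constructed for illustration.

```python
# Constructed sample exports: one object per line, "Section Name Key=Value ...".
# This line format is an assumption for illustration, not the cOS Core file format.
MASTER = """\
IPRule allow_web Action=Allow Service=http Src=lan Dst=wan
IPRule allow_dns Action=Allow Service=dns Src=lan Dst=wan
IPRule drop_all Action=Drop Service=all Src=any Dst=any
HA node NodeID=0
"""
SLAVE = """\
IPRule allow_web Action=Allow Service=http-all Src=lan Dst=wan
IPRule drop_all Action=Drop Service=all Src=any Dst=any
IPRule allow_dns Action=Allow Service=dns Src=lan Dst=wan
IPRule allow_ssh Action=Allow Service=ssh Src=any Dst=lan
HA node NodeID=1
"""
PER_UNIT = frozenset({"HA"})  # sections assumed to differ legitimately per unit


def parse(text):
    """Return {section: [(name, {key: value}), ...]}, keeping rule order."""
    cfg = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # skip blanks, comments and malformed lines
        section, name, *props = parts
        attrs = dict(p.split("=", 1) for p in props if "=" in p)
        cfg.setdefault(section, []).append((name, attrs))
    return cfg


def drift(master_text, slave_text, ignore=PER_UNIT):
    """List (kind, section, detail) differences between the two peers."""
    m, s = parse(master_text), parse(slave_text)
    out = []
    for sec in sorted((set(m) | set(s)) - set(ignore)):
        mo, so = dict(m.get(sec, [])), dict(s.get(sec, []))
        out += [("missing_on_slave", sec, n) for n in sorted(mo.keys() - so.keys())]
        out += [("only_on_slave", sec, n) for n in sorted(so.keys() - mo.keys())]
        shared = mo.keys() & so.keys()
        out += [("changed", sec, n) for n in sorted(shared) if mo[n] != so[n]]
        # A rule set is order-sensitive, so compare the order of shared rules too.
        m_order = [n for n, _ in m.get(sec, []) if n in shared]
        s_order = [n for n, _ in s.get(sec, []) if n in shared]
        if m_order != s_order:
            out.append(("order_differs", sec, ",".join(s_order)))
    return out


if __name__ == "__main__":
    for finding in drift(MASTER, SLAVE):
        print(*finding)
```

Any finding means the security policy enforced after a failover would differ from the one enforced before it.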

Extending Redundancy

Implementing an HA Cluster will eliminate one of the points of failure in a network. Routers,
switches and Internet connections can remain as potential points of failure and redundancy for
these should also be considered.

Protecting Against Network Failures Using HA and Link Monitor

The cOS Core Link Monitor feature can be used to check the connection with a host so that when it is
no longer reachable an HA failover is initiated to a peer which has a different connection to the
host. This technique is a useful extension to normal HA usage which provides protection against

Chapter 11: High Availability
