
HA Issues – Amer Networks E5Web GUI User Manual

Page 712


11.4. HA Issues

The following points should be kept in mind when managing and configuring an HA Cluster.

VPN Tunnel Synchronization

cOS Core provides complete synchronization for IPsec tunnels in an HA cluster. In the event of a
failover occurring, incoming clients should not need to re-establish their tunnels.

However, cOS Core does not provide synchronization support for the following:

PPP

L2TP

L2TPv3

SSL VPN

In the event of a failover occurring for these types of tunnel, incoming clients must re-establish
their tunnels after the original tunnels are deemed non-functional. The timeout for this can vary
according to the scenario but can be as long as 30 seconds.

DHCP

Servers for IPv4 DHCP as well as DHCPv6 have full HA synchronization support. However, the
clients for both IPv4 DHCP and DHCPv6 are not supported.

Real-time Monitoring

The Real-time Monitor will not automatically track the active Clavister Security Gateway. If a
Real-time Monitor graph shows nothing but the connection count moving, then the cluster has
probably failed over to the other unit.

All Cluster Interfaces Need IP Addresses

All interfaces on both HA cluster units should have a valid private IPv4 address object assigned to
them. The predefined IP object localhost could be assigned for this purpose. An address must be
assigned even if an interface has been disabled.

SNMP

SNMP statistics are not shared between master and slave. SNMP managers have no failover
capabilities. Therefore both security gateways in a cluster need to be polled separately.

Logging

Log data will be coming from both master and slave. This means that the log receiver will have to
be configured to receive logs from both. It also means that all log queries will likely have to
include both master and slave as sources which will give all the log data in one result view.
Normally, the inactive unit will not be sending log entries about live traffic so the output should
look similar to that from one Clavister Security Gateway.
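
The following is an added example, not part of the manual: it merges entries from both cluster units into one time-ordered view and reports when live-traffic entries switch from one sender to the other, which indicates a failover. The unit addresses, the simplified line layout and the CONN/SYSTEM categories are assumptions made for this example and are not the cOS Core log format.

```python
from datetime import datetime

# Hypothetical addresses of the two cluster units (documentation range).
MASTER, SLAVE = "192.0.2.11", "192.0.2.12"
# Assumed: categories that describe live traffic, sent only by the active unit.
LIVE = {"CONN"}

# Constructed sample as a receiver might store it: "<time> <sender> <category> <text>".
# Lines arrive out of order; one sender is not a cluster unit, one line is garbled.
SAMPLE = """\
2024-05-01T10:00:01 192.0.2.11 CONN conn_open
2024-05-01T10:00:05 192.0.2.11 CONN conn_close
2024-05-01T10:00:03 192.0.2.12 SYSTEM status
2024-05-01T10:00:40 192.0.2.12 CONN conn_open
2024-05-01T10:00:20 198.51.100.9 CONN conn_open
garbled line
2024-05-01T10:00:45 192.0.2.12 CONN conn_close
"""

def parse(text):
    """Yield (time, sender, category, text) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield when, parts[1], parts[2], parts[3] if len(parts) > 3 else ""

def merged_view(text, units=(MASTER, SLAVE)):
    """Single time-ordered result containing entries from the listed units only."""
    return sorted(e for e in parse(text) if e[1] in units)

def active_unit_changes(entries):
    """Return (time, old_sender, new_sender) whenever live-traffic entries switch unit."""
    changes, active = [], None
    for when, sender, category, _ in entries:
        if category not in LIVE:
            continue  # both units may send non-traffic entries at any time
        if active is not None and sender != active:
            changes.append((when, active, sender))
        active = sender
    return changes

if __name__ == "__main__":
    for when, old, new in active_unit_changes(merged_view(SAMPLE)):
        print(f"{when.isoformat()} live traffic moved from {old} to {new}")
```

A query restricted to one unit returns no entries for the period after the failover, which is why both senders belong in every query.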

Using Individual IP Addresses

Chapter 11: High Availability
