Group of two devices instructed to work as a single entity. Every HA cluster has one primary device and one auxiliary device. The primary device controls how the cluster operates. The roles that the primary and auxiliary devices play in the cluster depend on the configuration mode.
HA active-passive configuration mode
An HA cluster consists of a primary device and an auxiliary device. In this mode, only the primary device processes traffic while the auxiliary device remains in stand-by mode, ready to take over if a primary device failure occurs.
HA active-active configuration mode
An HA cluster consists of a primary device and an auxiliary device. In this mode, both devices process traffic, and the primary device load-balances the traffic. The decision to load-balance the traffic is made by the primary device. The auxiliary device can take over this function if the primary fails.
In an active-active cluster, the primary device receives all network traffic and acts as load balancer to redirect traffic to the auxiliary device. The primary device also tracks the status of all cluster devices. In an active-passive cluster, the primary device processes the network traffic while the auxiliary device does not process any traffic but remains ready to take over if the primary device fails.
In an active-active cluster, the auxiliary device processes the network traffic assigned to it by the primary device. If the primary device fails, the auxiliary device becomes the primary device. In an active-passive cluster, the auxiliary device does not process network traffic and is in stand-by. It becomes active only when the primary device is not available to process the traffic.
Dedicated HA link port
A dedicated HA link is a direct physical link between the devices participating in the HA cluster.
The ability of the HA cluster to balance traffic between its nodes.
Set of interfaces that are selected to be monitored. Each device monitors its own selected interfaces, and if any of them goes down, the device removes itself from the cluster and a failover occurs.
It is a MAC address associated with the HA cluster. This address is sent in response when any machine makes an ARP request to the HA cluster. It is not the actual MAC address and is not assigned to any interface of any unit in the cluster.
The primary device owns the MAC address, which is used for routing network traffic. All external clients use this address to communicate with the HA cluster. In case of failover, the new primary device will have the same MAC address as the failed primary device. The cluster device that has the virtual MAC address acts as the primary device.
In active-active mode, the device that receives all traffic and performs load-balancing is said to be in primary state. A device can be in primary state only when the other device is in auxiliary state.
In active-passive mode, the device in charge of processing all the traffic is said to be in the primary state.
In active-active mode, the device that receives the traffic from the primary device is said to be in auxiliary state. A device can be in auxiliary state only when the other device is in primary state.
In active-passive mode, the device that is not processing the traffic is in auxiliary state. A device can be in auxiliary state only when the other device is in primary state.
A device is said to be in standalone state when it is able to process traffic and when the other device is unable to process traffic (for example, if it is in a fault state or inoperative).
A device is in fault state when it cannot process network traffic because of a device or link failure.
Once the HA cluster is configured, the cluster devices are termed peers; that is, for the primary device, the auxiliary device is its peer device and vice versa.
The process of sharing the cluster configuration between cluster devices (HA peers). Generated reports are not synchronized.
Link uptime (3 seconds)
Time taken by the dedicated link or monitored port to come up.
Heartbeat (keep-alive) interval (250 milliseconds)
Interval between heartbeat packets exchanged by HA peers to confirm that the cluster is functioning.
If a device does not receive any communication from its HA peer within the predetermined period of time, the peer device is considered to have failed. This is termed device failover: when it occurs, the peer device is taken over.
Device failover detection time (peer timeout) (4 seconds)
When the primary device stops sending Heartbeat packets, it is declared dead at the end of four seconds (250 milliseconds x 16 timeouts).
The peer is considered active if a Heartbeat is received within 14 timeouts.
A failover is triggered seven seconds after the cluster has come up (3-second link uptime + 4-second device failover detection time). You can’t change the failover threshold.
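The timers above, replayed over a constructed heartbeat log as seen by one peer. This is an added example, not the vendor's code and not part of the original page. The name `analyse`, the "near miss" label for gaps longer than 14 timeouts but shorter than 16, and starting the clock at the end of link uptime are assumptions made for illustration.

```python
# Timer values taken from the glossary entries above.
HEARTBEAT_MS = 250        # heartbeat (keep-alive) interval
DEAD_TIMEOUTS = 16        # peer declared dead after 16 timeouts
ACTIVE_TIMEOUTS = 14      # peer considered active within 14 timeouts
LINK_UPTIME_MS = 3000     # link uptime
PEER_TIMEOUT_MS = HEARTBEAT_MS * DEAD_TIMEOUTS   # 4000 ms

def analyse(heartbeats_ms, start_ms, end_ms):
    """Replay heartbeat receive times (ms since cluster start).

    Returns (failovers, near_misses):
      failovers   - times at which the peer would be declared dead
      near_misses - (last_heartbeat, gap) pairs where the silence exceeded
                    14 timeouts but ended before 16 (assumed label; the
                    page does not name this window)
    """
    failovers, near_misses = [], []
    # Monitoring starts at start_ms; ignore samples outside the window.
    times = [start_ms] + sorted(
        t for t in heartbeats_ms if start_ms <= t <= end_ms)
    for prev, nxt in zip(times, times[1:]):
        gap = nxt - prev
        if gap >= PEER_TIMEOUT_MS:
            failovers.append(prev + PEER_TIMEOUT_MS)
        elif gap > ACTIVE_TIMEOUTS * HEARTBEAT_MS:
            near_misses.append((prev, gap))
    # Silence that is still ongoing when the capture ends.
    if end_ms - times[-1] >= PEER_TIMEOUT_MS:
        failovers.append(times[-1] + PEER_TIMEOUT_MS)
    return failovers, near_misses

# Constructed sample: steady heartbeats, a 3.75 s gap that recovers,
# more steady heartbeats, then the peer goes silent at 12 s.
SAMPLE = list(range(3000, 6001, 250)) + list(range(9750, 12001, 250))

if __name__ == "__main__":
    dead, near = analyse(SAMPLE, LINK_UPTIME_MS, 20000)
    print("peer declared dead at (ms):", dead)
    print("near misses (last heartbeat ms, gap ms):", near)
    # A peer that never sends a heartbeat: 3 s link uptime + 4 s timeout.
    print("silent peer declared dead at (ms):",
          analyse([], LINK_UPTIME_MS, 20000)[0])
```

Recurring near misses on the dedicated HA link are worth alerting on, since one more lost heartbeat interval would have caused a failover.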
Both devices in an HA cluster continuously monitor the dedicated HA link and the interfaces configured to be monitored. If any of them fails, it is called a link failure.
Whether it is a device or link failover, session failover occurs for forwarded TCP traffic, except for virus-scanned sessions that are in progress, VPN sessions, UDP, ICMP, multicast, and broadcast sessions, and proxy traffic.
The device normally maintains session information for TCP traffic that is not passing through the proxy service. Hence, in case of failover, the device that takes over handles all of these sessions (TCP sessions not passing through the proxy application). The entire process is transparent to end users.