High Availability conntrack
High Availability conntrack enables synchronizing conntracks between two or more HA nodes in master/backup mode.
It maintains an internal cache (reflecting the conntracks in the dataplane) and an external cache (conntracks advertised by the other HA node). The content of the caches is used only when the system changes HA states:
when switching to master, these 4 steps are executed:
  1. commit the external cache into the dataplane
  2. flush the internal and the external caches
  3. resynchronize the internal cache to the dataplane
  4. then send a bulk update to backups
when switching to backup:
  - shorten dataplane conntrack timers to remove the zombie entries
  - request resynchronization with the master firewall replica (if any)
The HA state of a node can be statically configured using CLI/netconf or dynamically using the VRRP service.
In this example, conntracks are synchronized from ha1 into ha2's external table over time, and committed into ha2's dataplane when ha2 becomes master.
HA conntrack parameters are configured per VRF in the ha-conntrack context:
ha1 running config# vrf main ha-conntrack
ha1 running ha-conntrack#!
Configure mandatory options in ha1:
ha1 running ha-conntrack#! interface eth3
ha1 running ha-conntrack#! local-address 10.150.0.1
ha1 running ha-conntrack#! listen-ha-group ha-group1
ha1 running ha-conntrack#
interface is the interface to use to send the synchronization messages.
local-address is the IPv4 or IPv6 address of the interface used for the synchronization.
listen-ha-group is the high-availability group that controls the activity state of this HA node. See High-availability Groups for more information.
Note
Protocol and IP address events can also be filtered, respectively, through the protocol-list and address-list options. This filter applies include or exclude logic depending on the accept true|false option value. See the HA conntrack command reference for details.
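The following is an added Python model of the cache behaviour described above (the internal and external caches, the four master-switch steps, the backup-switch steps, and the protocol-list/address-list filter with accept true|false). It is not 6WIND code and does not talk to the product; it simply replays the ha1-to-ha2 scenario of this page so the effect of each step can be checked. The class and field names, the 300-second conntrack timeout, the 10-second zombie timer, and the assumption that an event matches the filter when either its protocol or one of its addresses is listed are all choices made for this example.

```python
"""Constructed model of HA conntrack synchronization (added example, not product code)."""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Conntrack:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class SyncFilter:
    """Models protocol-list / address-list with accept true|false."""
    protocol_list: set = field(default_factory=set)   # e.g. {"icmp"}
    address_list: set = field(default_factory=set)    # e.g. {"10.0.0.0/24"}
    accept: bool = True   # True: lists are an include filter, False: exclude filter

    def allows(self, ct):
        if not self.protocol_list and not self.address_list:
            return True                                # no filter configured
        proto_hit = ct.proto in self.protocol_list
        addr_hit = any(ipaddress.ip_address(a) in ipaddress.ip_network(n)
                       for n in self.address_list for a in (ct.src, ct.dst))
        matched = proto_hit or addr_hit                # assumption: OR semantics
        return matched if self.accept else not matched


class HANode:
    def __init__(self, name, sync_filter=None, timeout=300):
        self.name, self.state, self.timeout = name, "backup", timeout
        self.filter = sync_filter or SyncFilter()
        self.dataplane = {}    # Conntrack -> expiry time
        self.internal = set()  # cache reflecting the dataplane
        self.external = set()  # cache of entries advertised by the peer
        self.peer = None

    def add_flow(self, ct, now):
        """A new dataplane conntrack on the master: mirror it and advertise it."""
        assert self.state == "master"
        self.dataplane[ct] = now + self.timeout
        self.internal.add(ct)
        if self.peer and self.filter.allows(ct):
            self.peer.receive(ct)

    def receive(self, ct):
        self.external.add(ct)  # advertised entries only land in the external cache

    def become_master(self, now):
        for ct in self.external:                       # 1. commit external cache
            self.dataplane[ct] = now + self.timeout
        self.internal.clear(); self.external.clear()   # 2. flush both caches
        self.internal = set(self.dataplane)            # 3. resync internal cache
        self.state = "master"
        if self.peer and self.peer.state == "backup":  # 4. bulk update to backups
            for ct in self.internal:
                if self.filter.allows(ct):
                    self.peer.receive(ct)

    def become_backup(self, now, zombie_timeout=10):
        self.state = "backup"
        for ct in self.dataplane:                      # shorten timers on zombies
            self.dataplane[ct] = min(self.dataplane[ct], now + zombie_timeout)
        if self.peer and self.peer.state == "master":  # request resync from master
            self.external = {ct for ct in self.peer.internal if self.peer.filter.allows(ct)}

    def expire(self, now):
        self.dataplane = {ct: t for ct, t in self.dataplane.items() if t > now}
        self.internal &= set(self.dataplane)


def failover_scenario():
    """ha1 is master and excludes icmp from sync; ha2 takes over at t=100."""
    ha1 = HANode("ha1", SyncFilter(protocol_list={"icmp"}, accept=False))
    ha2 = HANode("ha2")
    ha1.peer, ha2.peer = ha2, ha1
    ha1.become_master(now=0)
    flows = [Conntrack("tcp", "10.0.0.1", "10.0.1.1", 40000, 443),
             Conntrack("udp", "10.0.0.2", "10.0.1.2", 5353, 53),
             Conntrack("icmp", "10.0.0.3", "10.0.1.3", 0, 0)]   # constructed sample flows
    for ct in flows:
        ha1.add_flow(ct, now=1)
    learned = {ct.proto for ct in ha2.external}
    ha2.become_master(now=100)   # external cache committed, caches flushed, resynced
    ha1.become_backup(now=100)   # timers shortened, resync requested from ha2
    ha1.expire(now=120)          # zombie entries are gone after the shortened timer
    return {
        "ha2_external_before_failover": learned,
        "ha2_dataplane_after_failover": {ct.proto for ct in ha2.dataplane},
        "ha2_external_after_failover": {ct.proto for ct in ha2.external},
        "ha1_dataplane_after_expiry": {ct.proto for ct in ha1.dataplane},
        "ha1_external_after_resync": {ct.proto for ct in ha1.external},
        "states": (ha1.state, ha2.state),
    }


if __name__ == "__main__":
    for k, v in failover_scenario().items():
        print(f"{k}: {v}")
```

Running the scenario shows why the external cache matters: the icmp flow never reaches ha2 because ha1's exclude filter drops it, the tcp and udp flows sit only in ha2's external cache until the switch to master commits them into the dataplane, and ha1's old entries disappear quickly once its timers are shortened.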
Display ha1 HA conntrack state:
ha1 running ha-conntrack# show state
ha-conntrack
enabled true
local-address 10.150.0.1
listen-ha-group ha-group1
interface eth3
state master
..
On ha2, the interface and the local-address must be adjusted:
ha2 running config# vrf main ha-conntrack
ha2 running ha-conntrack#! interface eth3
ha2 running ha-conntrack#! local-address 10.150.0.2
ha2 running ha-conntrack#! listen-ha-group ha-group1
ha2 running ha-conntrack#
Display ha2 HA conntrack state:
ha2 running ha-conntrack# show state
ha-conntrack
enabled true
local-address 10.150.0.2
listen-ha-group ha-group1
interface eth3
state backup
..