High Availability Fast-path conntrack

High Availability fast path conntrack enables synchronizing fast path conntracks used by CG-NAT and fast path Firewall between two HA nodes in active/backup mode.

The conntrack entries are synchronized between the HA nodes by using dedicated connections. If the synchronization connections go down, a complete resynchronization will occur when the connections are reestablished.

Note

  • The synchronization messages are distributed evenly among several synchronization connections per peer; the number of connections is determined by the number of event threads (/ system fast-path limits cg-nat nb-event-threads).

  • It is recommended to establish the synchronization connection on a non-fast-path port, as the connections may otherwise be blocked by the fast path firewall.

The HA state of a node can be statically configured using CLI/netconf or dynamically using the VRRP service.

[Figure: HA sample topology (ha-sample.svg)]

In this example, conntracks from the main VRF are synchronized from ha1 to ha2 over time, and are used in ha2's dataplane when ha2 becomes master.

HA fast path conntrack parameters are configured per VRF in the ha-fp-conntrack context:

ha1 running config# vrf main ha-fp-conntrack
ha1 running ha-fp-conntrack#!

Configure mandatory options in ha1:

ha1 running ha-fp-conntrack#! peer peer1 source 10.150.0.1 address 10.150.0.2
ha1 running ha-fp-conntrack#! listen-ha-group ha-group1

  • peer corresponds to a remote HA node; the synchronization link connection is established over IPv4 or IPv6 using the source and address parameters.

  • listen-ha-group is the high-availability group that controls the activity state of this HA node. See High-availability Groups for more information.

Display ha1 HA fast path conntrack state:

ha1 running ha-fp-conntrack# show state
ha-fp-conntrack
    enabled true
    listen-ha-group ha_group
    peer peer1
        source 10.150.0.1
        address 10.150.0.2
        ..
    ..

Display ha1 HA synchronization connections state and statistics:

ha1> show ha-fp-conntrack peer vrf main
show-ha-fp-conntrack-peer
    peer peer1
        source 10.150.0.1
        address 10.150.0.2
        client npf_event0
            statistics
                transmit 0
                transmit-error 0
                build-error 0
                ..
            connection-status established
            ..
        client npf_event1
            statistics
                transmit 1
                transmit-error 0
                build-error 0
                ..
            connection-status established
            ..
        ..
    local-node 10.150.0.1
        statistics
            receive 0
            receive-error 0
            ..
        ..
    ..
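As an added example (not part of the router's own tooling), the following Python parses the indented, `..`-terminated block format of the `show ha-fp-conntrack peer` output shown above and flags synchronization connections that are not established or that report error counters; the sample output is constructed, and the health rules are assumptions, not thresholds the documentation defines.

```python
# Constructed sample of `show ha-fp-conntrack peer` output, with npf_event1 deliberately degraded.
SAMPLE = """\
show-ha-fp-conntrack-peer
    peer peer1
        source 10.150.0.1
        client npf_event1
            statistics
                transmit-error 2
                ..
            connection-status connecting
            ..
        ..
    ..
"""

def parse_show_output(text):
    """Parse `..`-terminated indented blocks into nested dicts; counters become ints."""
    indent = lambda s: len(s) - len(s.lstrip(" "))
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    stack = [{}]
    for i, line in enumerate(lines):
        tokens = line.split()
        if tokens == [".."]:
            stack.pop()  # a bare `..` closes the innermost open block
            continue
        parent = stack[-1]
        if i + 1 < len(lines) and indent(lines[i + 1]) > indent(line):
            child = {}  # a deeper line follows, so this line opens a block
            if len(tokens) == 1:  # "statistics"
                parent[tokens[0]] = child
            else:  # "peer peer1" is stored as parent["peer"]["peer1"]
                parent.setdefault(tokens[0], {})[" ".join(tokens[1:])] = child
            stack.append(child)
        else:  # leaf such as "transmit-error 2" or "source 10.150.0.1"
            value = " ".join(tokens[1:])
            parent[tokens[0]] = int(value) if value.isdigit() else value
    return stack[0]

def check_sync_health(text):
    """Return the problems found on the sync connections; an empty list means healthy."""
    data = parse_show_output(text)["show-ha-fp-conntrack-peer"]
    problems = []
    for peer_name, peer in data.get("peer", {}).items():
        for client_name, client in peer.get("client", {}).items():
            status = client.get("connection-status")
            if status != "established":
                problems.append(f"{peer_name}/{client_name}: connection {status}")
            for counter, count in client.get("statistics", {}).items():
                if counter.endswith("-error") and count > 0:
                    problems.append(f"{peer_name}/{client_name}: {counter}={count}")
    return problems
```

Feeding the real command output to `check_sync_health` from a monitoring job gives an early warning before a failover would have to rely on a stale conntrack table.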

On ha2, the peer must be adjusted:

ha2 running config# vrf main ha-fp-conntrack
ha2 running ha-fp-conntrack#! peer peer1 source 10.150.0.2 address 10.150.0.1
ha2 running ha-fp-conntrack#! listen-ha-group ha-group1

Warning

There is currently no configuration synchronization between nodes, but all nodes must share the same CG-NAT and fast path Firewall configuration. Be careful to keep the configuration identical on all nodes; failing to do so may lead to unexpected behavior.

Warning

When HA is enabled in a VRF, all conntracks of this VRF are synchronized to the remote peer. All of them will be managed by the other node in case of failover, and traffic matching these conntracks will be blocked on the backup node. The user must ensure that all conntracks of the VRF are meaningful on all peers. If some tracking is needed for connections local to a peer, it must be done in another VRF.