High Availability conntrack

High Availability conntrack enables synchronizing conntracks between two or more HA nodes in master/backup mode.

It maintains an internal cache (reflecting the conntracks in the dataplane) and an external cache (conntracks advertised by the other HA node). The content of the caches is used only when the system changes HA states:

  • when switching to master, these 4 steps are executed:

    • commit the external cache into the dataplane

    • flush the internal and the external caches

    • resynchronize the internal cache to the dataplane

    • then send a bulk update to backups

  • when switching to backup:

    • shorten dataplane conntrack timers to remove the zombie entries

    • request resynchronization with master firewall replica (if any)

The activity of a node can be controlled by CLI commands or by external applications (such as the VRRP service).

../../../_images/ha-sample.svg

In this example, conntracks are synchronized from ha1 to ha2 external table as time goes along, and configured in ha2’s dataplane when ha2 becomes master.

HA conntrack parameters are configured per VRF in the ha-conntrack context:

ha1 running config# vrf main ha-conntrack
ha1 running ha-conntrack#!

Configure mandatory options in ha1:

ha1 running ha-conntrack#! interface eth3
ha1 running ha-conntrack#! local-address 10.150.0.1
ha1 running ha-conntrack#! listen-ha-group ha-group1
ha1 running ha-conntrack#
  • interface is the interface to use to send the synchronization messages.

  • local-address is the IPv4 or IPv6 addresses of the interface used for the synchronization.

  • listen-ha-group is the high-availability group that controls the activity state of this HA node. See High-availability Groups for more information.

Note

Protocols and IP addresses events can also be filtered respectively through protocol-list and address-list options. This filter can be an include or exclude logic depending on the accept true|false option value. See the HA conntrack command reference for details.

Display ha1 HA conntrack state:

ha1 running ha-conntrack# show state
ha-conntrack
    enabled true
    local-address 10.150.0.1
    listen-ha-group ha-group1
    interface eth3
    state master
    ..

On ha2, the interface and the local-address must be adjusted:

ha2 running config# vrf main ha-neighbor
ha2 running ha-conntrack#! interface eth3
ha2 running ha-conntrack#! local-address 10.150.0.2
ha2 running ha-conntrack#! listen-ha-group ha-group1
ha2 running ha-conntrack#

Display ha2 HA conntrack state:

ha2 running ha-conntrack# show state
ha-conntrack
    enabled true
    local-address 10.150.0.2
    listen-ha-group ha-group1
    interface eth3
    state backup
    ..