Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall

In mission-critical data centers, you may want both Layer 3 HA firewalls to participate in path monitoring so that they can detect path failures upstream from both firewalls. Additionally, you prefer to control if and when the floating IP address returns to the recovered firewall after it comes back up, rather than the floating IP address returning to the device ID to which it is bound. (That default behavior is described in Floating IP Address and Virtual MAC Address.)
In this use case, you control when the floating IP address and therefore the active-primary role move back to a recovered HA peer. The active/active HA firewalls share a single floating IP address that you bind to whichever firewall is in the active-primary state. With only one floating IP address, network traffic flows predominantly to a single firewall, so this active/active deployment functions like an active/passive deployment.
In this use case, Cisco Nexus 7010 switches with virtual PortChannels (vPCs) operating in Layer 3 connect to the firewalls. You must configure the Layer 3 switches (router peers) north and south of the firewalls with a route preference to the floating IP address. That is, you must design your network so the route tables of the router peers have the best path to the floating IP address. This example uses static routes with the proper metrics so that the route to the floating IP address uses a lower metric (the route to the floating IP address is preferred) and receives the traffic. An alternative to using static routes would be to design the network to redistribute the floating IP address into the OSPF routing protocol (if you are using OSPF).
The following topology illustrates the floating IP address bound to the active-primary firewall, which is initially Peer A, the firewall on the left.
(Figure: HA_bind_fip_to_primary.png)
Upon a failover, when the active-primary firewall (Peer A) goes down and the active-secondary firewall (Peer B) takes over as the active-primary peer, the floating IP address moves to Peer B (shown in the following figure). Peer B remains the active-primary firewall and traffic continues to go to Peer B, even when Peer A recovers and becomes the active-secondary firewall. You decide if and when to make Peer A the active-primary firewall again.
(Figure: HA_bind_fip_to_primary_failover.png)
Binding the floating IP address to the active-primary firewall provides you with more control over how the firewalls determine floating IP address ownership as they move between various HA Firewall States. The following advantages result:
  • You can have an active/active HA configuration for path monitoring out of both firewalls, but have the firewalls function like an active/passive HA configuration because traffic directed to the floating IP address always goes to the active-primary firewall.
When you disable preemption on both firewalls, you have the following additional benefits:
  • The floating IP address does not move back and forth between HA firewalls if the active-secondary firewall flaps up and down.
  • You can review the functionality of the recovered firewall and the adjacent components before manually directing traffic to it again, which you can do at a convenient down time.
  • You have control over which firewall owns the floating IP address so that you keep all flows of new and existing sessions on the active-primary firewall, thereby minimizing traffic on the HA3 link.
  • We strongly recommend you configure HA link monitoring on the interface(s) that support the floating IP address(es) to allow each HA peer to quickly detect a link failure and fail over to its peer. Both HA peers must have link monitoring configured for it to function.
  • We strongly recommend you configure HA path monitoring to notify each HA peer when a path has failed so a firewall can fail over to its peer. Because the floating IP address is always bound to the active-primary firewall, the firewall cannot automatically fail over to the peer when a path goes down and path monitoring is not enabled.
You cannot configure NAT for a floating IP address that is bound to an active-primary firewall.
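The ownership rules above (floating IP follows the active-primary peer; with preemption disabled the recovered peer stays active-secondary until an administrator intervenes) can be modelled as a small state machine. The following Python model is an added illustration, not PAN-OS code; it assumes two peers with Device IDs 0 and 1, that Peer 0 is the preferred peer when preemption is enabled, and that link or path monitoring is what reports the `peer_down` events.

```python
"""Model of floating IP ownership for an active/active HA pair whose floating IP
is bound to the active-primary peer (added example; not PAN-OS code)."""
from dataclasses import dataclass, field


@dataclass
class HaPair:
    # Assumption: Device IDs 0 and 1; both peers start up with peer 0 as active-primary.
    preemptive: bool
    up: dict = field(default_factory=lambda: {0: True, 1: True})
    active_primary: int = 0

    def floating_ip_owner(self) -> int:
        # Binding rule: the floating IP address always follows the active-primary peer.
        return self.active_primary

    def peer_down(self, dev: int) -> None:
        # Link or path monitoring reports that `dev` has failed.
        self.up[dev] = False
        if dev == self.active_primary and self.up[1 - dev]:
            # Failover: the active-secondary peer becomes active-primary and takes the IP.
            self.active_primary = 1 - dev

    def peer_up(self, dev: int) -> None:
        # `dev` recovers and rejoins as active-secondary.
        self.up[dev] = True
        # Assumption: with preemption enabled, the lower Device ID is the preferred peer
        # and takes the active-primary role (and the floating IP) back on recovery.
        if self.preemptive and dev < self.active_primary:
            self.active_primary = dev
        # With preemption disabled nothing moves; the administrator decides (make_primary).

    def make_primary(self, dev: int) -> None:
        # Operator-initiated role change, e.g. during a planned maintenance window.
        if self.up[dev]:
            self.active_primary = dev


def ownership_trace(preemptive: bool, events) -> list:
    """Return the floating IP owner after each (action, device_id) event.

    `events` is a constructed scenario such as [("peer_down", 0), ("peer_up", 0)].
    """
    pair = HaPair(preemptive=preemptive)
    owners = []
    for action, dev in events:
        getattr(pair, action)(dev)
        owners.append(pair.floating_ip_owner())
    return owners
```

With preemption disabled, a flapping active-secondary peer never pulls the floating IP back, which is the behaviour the benefits list above describes.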
  1. Perform Step 1 through Step 5 of Configure Active/Active HA.
  2. (Optional) Disable preemption.
    Disabling preemption allows you full control over when the recovered firewall becomes the active-primary firewall.
    1. In Device > High Availability > General, edit the Election Settings.
    2. Clear Preemptive if it is enabled.
    3. Click OK.
  3. Perform Step 7 through Step 14 of Configure Active/Active HA.
    1. In Device > High Availability > Active/Active Config, edit Packet Forwarding.
    2. For Session Owner Selection, we recommend you select Primary Device. The firewall that is in active-primary state is the session owner.
      Alternatively, for Session Owner Selection you can select First Packet and then for Session Setup, select Primary Device or First Packet.
    3. For Session Setup, select Primary Device—The active-primary firewall sets up all sessions. This is the recommended setting if you want your active/active configuration to behave like an active/passive configuration because it keeps all activity on the active-primary firewall.
      You must also engineer your network to eliminate the possibility of asymmetric traffic going to the HA pair. If you don't do so and traffic goes to the active-secondary firewall, setting Session Owner Selection and Session Setup to Primary Device causes the traffic to traverse HA3 to get to the active-primary firewall for session ownership and session setup.
    4. Click OK.
  4. Configure an HA virtual address.
    1. Select Device > High Availability > Active/Active Config > Virtual Address and click Add.
    2. Enter or select an Interface.
    3. Select the IPv4 or IPv6 tab and Add an IPv4 Address or IPv6 Address.
    4. For Type, select Floating, which configures the virtual IP address to be a floating IP address.
    5. Click OK.
  5. Bind the floating IP address to the active-primary firewall.
    1. Select Floating IP bound to the Active-Primary device.
    2. Select Failover address if link state is down to cause the firewall to use the failover address when the link state on the interface is down.
    3. Click OK.
  6. Commit the configuration.
  7. Configure the peer firewall in the same way, except selecting a different Device ID.
    For example, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.
