Use Case: Configure Active/Active HA with Floating IP Address
Bound to Active-Primary Firewall
In mission-critical data centers, you may want both Layer 3 HA firewalls to participate in path monitoring so that they can detect path failures upstream from both firewalls. Additionally, you prefer to control if and when the floating IP address returns to the recovered firewall after it comes back up, rather than the floating IP address returning to the device ID to which it is bound. (That default behavior is described in Floating IP Address and Virtual MAC Address.)
In this use case, you control when the floating IP address and therefore the active-primary role move back to a recovered HA peer. The active/active HA firewalls share a single floating IP address that you bind to whichever firewall is in the active-primary state. With only one floating IP address, network traffic flows predominantly to a single firewall, so this active/active deployment functions like an active/passive deployment.
In this use case, Cisco Nexus 7010 switches with virtual PortChannels (vPCs) operating in Layer 3 connect to the firewalls. You must configure the Layer 3 switches (router peers) north and south of the firewalls with a route preference to the floating IP address. That is, you must design your network so the route tables of the router peers have the best path to the floating IP address. This example uses static routes with the proper metrics so that the route to the floating IP address uses a lower metric (the route to the floating IP address is preferred) and receives the traffic. An alternative to using static routes would be to design the network to redistribute the floating IP address into the OSPF routing protocol (if you are using OSPF).
The following topology illustrates the floating IP address bound to the active-primary firewall, which is initially Peer A, the firewall on the left.
Upon a failover, when the active-primary firewall (Peer A) goes down and the active-secondary firewall (Peer B) takes over as the active-primary peer, the floating IP address moves to Peer B (shown in the following figure). Peer B remains the active-primary firewall and traffic continues to go to Peer B, even when Peer A recovers and becomes the active-secondary firewall. You decide if and when to make Peer A the active-primary firewall again.
Binding the floating IP address to the active-primary firewall provides you with more control over how the firewalls determine floating IP address ownership as they move between various HA Firewall States. The following advantages result:
- You can have an active/active HA configuration for path monitoring out of both firewalls, but have the firewalls function like an active/passive HA configuration because traffic directed to the floating IP address always goes to the active-primary firewall.
When you disable preemption on both firewalls, you have the following additional benefits:
- The floating IP address does not move back and forth between HA firewalls if the active-secondary firewall flaps up and down.
- You can review the functionality of the recovered firewall and the adjacent components before manually directing traffic to it again, which you can do at a convenient down time.
- You have control over which firewall owns the floating IP address so that you keep all flows of new and existing sessions on the active-primary firewall, thereby minimizing traffic on the HA3 link.
- We strongly recommended you configure HA link monitoring on the interface(s) that support the floating IP address(es) to allow each HA peer to quickly detect a link failure and fail over to its peer. Both HA peers must have link monitoring for it to function.
- We strongly recommend you configure HA path monitoring to notify each HA peer when a path has failed so a firewall can fail over to its peer. Because the floating IP address is always bound to the active-primary firewall, the firewall cannot automatically fail over to the peer when a path goes down and path monitoring is not enabled.
You cannot configure NAT for a floating IP address that is bound to an active-primary firewall.
- (Optional) Disable preemption.Disabling preemption allows you full control over when the recovered firewall becomes the active-primary firewall.
- In, edit the Election Settings.DeviceHigh AvailabilityGeneral
- ClearPreemptiveif it is enabled.
- In, edit Packet Forwarding.DeviceHigh AvailabilityActive/Active Config
- ForSession Owner Selection, we recommend you selectPrimary Device. The firewall that is in active-primary state is the session owner.Alternatively, forSession Owner Selectionyou can selectFirst Packetand then forSession Setup, selectPrimary DeviceorFirst Packet.
- ForSession Setup, selectPrimary Device—The active-primary firewall sets up all sessions. This is the recommended setting if you want your active/active configuration to behave like an active/passive configuration because it keeps all activity on the active-primary firewall.You must also engineer your network to eliminate the possibility of asymmetric traffic going to the HA pair. If you don’t do so and traffic goes to the active-secondary firewall, settingSession Owner SelectionandSession SetuptoPrimary Devicecauses the traffic to traverse HA3 to get to the active-primary firewall for session ownership and session setup.
- Configure an HA virtual address.
- Selectand clickDeviceHigh AvailabilityActive/Active ConfigVirtual AddressAdd.
- Enter or select anInterface.
- Select theIPv4orIPv6tab andAddanIPv4 AddressorIPv6 Address.
- ForType, selectFloating, which configures the virtual IP address to be a floating IP address.
- Bind the floating IP address to the active-primary firewall.
- SelectFloating IP bound to the Active-Primary device.
- SelectFailover address if link state is downto cause the firewall to use the failover address when the link state on the interface is down.
- Committhe configuration.
- Configure the peer firewall in the same way, except selecting a different Device ID.For example, if you selected Device ID0for the first firewall, select Device ID1for the peer firewall.