Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall

In mission-critical data centers, you may want both Layer 3 HA firewalls to participate in path monitoring so that they can detect path failures upstream from both firewalls. Additionally, you prefer to control if and when the floating IP address returns to the recovered firewall after it comes back up, rather than the floating IP address returning to the device ID to which it is bound. (That default behavior is described in Floating IP Address and Virtual MAC Address.)
In this use case, you control when the floating IP address and therefore the active-primary role move back to a recovered HA peer. The active/active HA firewalls share a single floating IP address that you bind to whichever firewall is in the active-primary state. With only one floating IP address, network traffic flows predominantly to a single firewall, so this active/active deployment functions like an active/passive deployment.
In this use case, Cisco Nexus 7010 switches with virtual PortChannels (vPCs) operating in Layer 3 connect to the firewalls. You must configure the Layer 3 switches (router peers) north and south of the firewalls with a route preference to the floating IP address. That is, you must design your network so the route tables of the router peers have the best path to the floating IP address. This example uses static routes with the proper metrics so that the route to the floating IP address uses a lower metric (the route to the floating IP address is preferred) and receives the traffic. An alternative to using static routes would be to design the network to redistribute the floating IP address into the OSPF routing protocol (if you are using OSPF).
The following topology illustrates the floating IP address bound to the active-primary firewall, which is initially Peer A, the firewall on the left.
Upon a failover, when the active-primary firewall (Peer A) goes down and the active-secondary firewall (Peer B) takes over as the active-primary peer, the floating IP address moves to Peer B (shown in the following figure). Peer B remains the active-primary firewall and traffic continues to go to Peer B, even when Peer A recovers and becomes the active-secondary firewall. You decide if and when to make Peer A the active-primary firewall again.
Binding the floating IP address to the active-primary firewall provides you with more control over how the firewalls determine floating IP address ownership as they move between various HA Firewall States. The following advantages result:
  • You can have an active/active HA configuration for path monitoring out of both firewalls, but have the firewalls function like an active/passive HA configuration because traffic directed to the floating IP address always goes to the active-primary firewall.
When you disable preemption on both firewalls, you have the following additional benefits:
  • The floating IP address does not move back and forth between HA firewalls if the active-secondary firewall flaps up and down.
  • You can review the functionality of the recovered firewall and the adjacent components before manually directing traffic to it again, which you can do at a convenient down time.
  • You have control over which firewall owns the floating IP address so that you keep all flows of new and existing sessions on the active-primary firewall, thereby minimizing traffic on the HA3 link.
  • We strongly recommended you configure HA link monitoring on the interface(s) that support the floating IP address(es) to allow each HA peer to quickly detect a link failure and fail over to its peer. Both HA peers must have link monitoring for it to function.
  • We strongly recommend you configure HA path monitoring to notify each HA peer when a path has failed so a firewall can fail over to its peer. Because the floating IP address is always bound to the active-primary firewall, the firewall cannot automatically fail over to the peer when a path goes down and path monitoring is not enabled.
You cannot configure NAT for a floating IP address that is bound to an active-primary firewall.
  1. Perform Step 1 through Step 5 of Configure Active/Active HA.
  2. (Optional) Disable preemption.
    Disabling preemption allows you full control over when the recovered firewall becomes the active-primary firewall.
    1. In DeviceHigh AvailabilityGeneral, edit the Election Settings.
    2. Clear Preemptive if it is enabled.
    3. Click OK.
  3. Perform Step 7 through Step 14 of Configure Active/Active HA.
  4. Configure Session Owner and Session Setup.
    1. In DeviceHigh AvailabilityActive/Active Config, edit Packet Forwarding.
    2. For Session Owner Selection, we recommend you select Primary Device. The firewall that is in active-primary state is the session owner.
      Alternatively, for Session Owner Selection you can select First Packet and then for Session Setup, select Primary Device or First Packet.
    3. For Session Setup, select Primary Device—The active-primary firewall sets up all sessions. This is the recommended setting if you want your active/active configuration to behave like an active/passive configuration because it keeps all activity on the active-primary firewall.
      You must also engineer your network to eliminate the possibility of asymmetric traffic going to the HA pair. If you don’t do so and traffic goes to the active-secondary firewall, setting Session Owner Selection and Session Setup to Primary Device causes the traffic to traverse HA3 to get to the active-primary firewall for session ownership and session setup.
    4. Click OK.
  5. Configure an HA virtual address.
    1. Select DeviceHigh AvailabilityActive/Active ConfigVirtual Address and click Add.
    2. Enter or select an Interface.
    3. Select the IPv4 or IPv6 tab and Add an IPv4 Address or IPv6 Address.
    4. For Type, select Floating, which configures the virtual IP address to be a floating IP address.
    5. Click OK.
  6. Bind the floating IP address to the active-primary firewall.
    1. Select Floating IP bound to the Active-Primary device.
    2. Select Failover address if link state is down to cause the firewall to use the failover address when the link state on the interface is down.
    3. Click OK.
  7. Enable jumbo frames on firewalls other than PA-7000 Series firewalls.
  8. Commit the configuration.
  9. Configure the peer firewall in the same way, except selecting a different Device ID.
    For example, if you selected Device ID 0 for the first firewall, select Device ID 1 for the peer firewall.

Related Documentation