How Does Stateful High Availability Work?

Article Applies To:

Gen5: NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400MX, NSA 2400, NSA 240
Gen4: PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040.

Firmware versions:  All Gen5 and Gen4 firmware versions (SonicOS Enhanced)
Services:  High Availability.



Stateful High Availability Overview 

Note:
Stateful HA is not supported for connections to which the DPI-SSL feature is applied.

What is Stateful High Availability?

The original version of SonicOS Enhanced provided a basic High Availability feature where a Backup firewall assumes the interface IP addresses of the configured interfaces when the Primary unit fails. Upon failover, Layer 2 broadcasts (ARP) are issued to inform the network that the IP addresses are now owned by the Backup unit. All pre-existing network connections must be rebuilt. For example, Telnet and FTP sessions must be re-established and VPN tunnels must be renegotiated.

Stateful High Availability (SHA) provides dramatically improved failover performance. The Primary and Backup appliances are continuously synchronized so that the Backup can seamlessly assume all network responsibilities if the Primary appliance fails, with no interruptions to existing network connections.  

Stateful High Availability provides the following benefits: 

• Improved reliability - By synchronizing most critical network connection information, Stateful High Availability prevents down time and dropped connections in case of appliance failure.

• Faster failover performance - By maintaining continuous synchronization between the Primary and Backup appliances, Stateful High Availability enables the Backup appliance to take over in case of a failure with virtually no down time or loss of network connections.

• Minimal impact on CPU performance - Typically less than 1% usage.

• Minimal impact on bandwidth - Transmission of synchronization data is throttled so as not to interfere with other data.

Stateful High Availability is not load-balancing. It is an active-idle configuration where the Primary appliance handles all traffic. When Stateful High Availability is enabled, the Primary appliance actively communicates with the Backup to update most network connection information. As the Primary appliance creates and updates network connection information (VPN tunnels, active users, connection cache entries, etc.), it immediately informs the Backup appliance. This ensures that the Backup appliance is always ready to transition to the Active state without dropping any connections. 

The synchronization traffic is throttled to ensure that it does not interfere with regular network traffic. All configuration changes are performed on the Primary appliance and automatically propagated to the Backup appliance. The High Availability pair uses the same LAN and WAN IP addresses—regardless of which appliance is currently Active.
 
When using SonicWALL Global Management System (GMS) to manage the appliances, GMS logs into the shared WAN IP address. In case of a failover, GMS administration continues seamlessly, and GMS administrators currently logged into the appliance will not be logged out; however, Get and Post commands may result in a timeout with no reply returned.
 
The following lists show the information that is synchronized and the information that is not currently synchronized by Stateful High Availability.

Information that is Synchronized:

• VPN information
• Basic connection cache
• FTP
• Oracle SQL*NET
• Real Audio
• GVC information
• Dynamic Address Objects
• DHCP server information
• Multicast and IGMP
• Active users
• ARP
• SonicPoint status
• Wireless guest status
• RIP and OSPF information
• License information
• Weighted Load Balancing information

Information that is not Synchronized:

• Dynamic WAN clients (L2TP, PPPoE, and PPTP)
• Deep Packet Inspection (GAV, IPS, and Anti Spyware)
• IPHelper bindings (such as NetBIOS and DHCP)
• SYNFlood protection information
• VoIP protocols
• Dynamic ARP entries and ARP cache timeouts
• Active wireless client information
• Wireless client packet statistics
• Rogue AP list

Security Services and Stateful High Availability

High Availability pairs share a single set of security services licenses and a single Stateful HA license. These licenses are synchronized between the Active and Idle appliances in the same way that all other information is synchronized between the two appliances. For information on license synchronization, refer to SonicOS: Enhanced 5.0 High Availability License Sync Feature Module (PDF) and Configuring High Availability in SonicOS Enhanced.


Stateful High Availability Example

The following figure shows a sample Stateful High Availability network. In case of a failover, the following sequence of events occurs:

    

1. A PC user connects to the network, and the Primary SonicWALL security appliance creates a session for the user.

2. The Primary appliance synchronizes with the Backup appliance. The Backup now has all of the user’s session information.

3. The power is unplugged from the Primary appliance and it goes down.

4. The Backup unit does not receive heartbeat messages from the Primary appliance and switches from Idle to Active mode.

5. The Backup appliance begins to send gratuitous ARP messages to the LAN and WAN switches using the same Virtual MAC address and IP address as the Primary appliance. No routing updates are necessary for downstream or upstream network devices.

6. When the PC user attempts to access a Web page, the Backup appliance has all of the user’s session information and is able to continue the user’s session without interruption.
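
A check a monitoring host could run against step 5, given here as an added example that is not part of the original article or of SonicOS: because the Backup announces the same Virtual MAC and IP address, a failover should show up as a gratuitous ARP for an HA address arriving on a different switch port with an unchanged MAC. The addresses, port names and the ArpSeen record layout are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed HA addresses mapped to their Virtual MACs (assumed values).
HA_VMAC = {"10.0.0.1": "02:00:00:00:00:0a",    # shared LAN IP
           "192.0.2.1": "02:00:00:00:00:0b"}   # shared WAN IP

@dataclass
class ArpSeen:
    ts: float          # seconds since start of capture
    port: str          # switch port the frame arrived on (assumed sensor field)
    sender_ip: str
    sender_mac: str
    target_ip: str

def is_gratuitous(a: ArpSeen) -> bool:
    # A gratuitous ARP announces the sender's own address.
    return a.sender_ip == a.target_ip

def classify(events, ha_vmac=HA_VMAC):
    """Return (ts, ip, verdict) for ARP frames that claim an HA address."""
    last_port, findings = {}, []
    for e in sorted(events, key=lambda e: e.ts):
        expected = ha_vmac.get(e.sender_ip)
        if expected is None:
            continue                      # not one of the pair's addresses
        if e.sender_mac.lower() != expected:
            # The article says the Backup reuses the Virtual MAC, so any other
            # MAC claiming the address is not explained by an HA failover.
            findings.append((e.ts, e.sender_ip, "MAC_MISMATCH"))
            continue
        prev = last_port.get(e.sender_ip)
        if is_gratuitous(e) and prev is not None and prev != e.port:
            findings.append((e.ts, e.sender_ip, "FAILOVER"))
        last_port[e.sender_ip] = e.port
    return findings

# Constructed observations: normal traffic, a failover, then a foreign MAC.
SAMPLE = [
    ArpSeen(1.0, "lan-sw:1", "10.0.0.1", "02:00:00:00:00:0a", "10.0.0.50"),
    ArpSeen(2.0, "wan-sw:1", "192.0.2.1", "02:00:00:00:00:0b", "192.0.2.254"),
    ArpSeen(30.0, "lan-sw:2", "10.0.0.1", "02:00:00:00:00:0A", "10.0.0.1"),
    ArpSeen(30.1, "wan-sw:2", "192.0.2.1", "02:00:00:00:00:0b", "192.0.2.1"),
    ArpSeen(45.0, "lan-sw:7", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.1"),
]

if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(finding)
```
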
Authored by: Guru Corner
Article Number: 305
Created: 2013-07-07 8:02 PM