HP VPN Firewall Appliances High Availability Configuration Guide
Configuring stateful failover
Stateful failover overview
Some customers require the key entries or access points of their networks, such as the Internet access
point of an enterprise or a database server of a bank, to be highly reliable to ensure continuous data
transmission. Deploying only one device (even with high reliability) in such a network risks a single point
of failure, as shown in Figure 27. Stateful failover can solve this problem.
Figure 27 Network with one device deployed
Operating procedure
Stateful failover involves service backup and traffic switchover. Stateful failover works as follows:
1. As shown in Figure 28, Device A and Device B connect to each other over a failover link.
2. The two devices exchange state negotiation messages periodically through the failover link. After
the two devices enter the synchronized state, they back up the sessions of each other to make sure
that the sessions on them are consistent.
3. If one device fails, the other device can take over the services by using VRRP or a dynamic routing
protocol (such as OSPF) to avoid service interruption.
The stateful failover feature supports backing up NAT, ALG, blacklist, ASPF, and IPsec services.
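
The three steps above as a simplified model, added here as an illustration and not taken from the HP guide or the appliance's implementation: it shows why session backup matters when traffic switches to the peer. The names Device, negotiate, handle and failover_result are hypothetical, and the rule that only a TCP SYN may create a session is an assumption standing in for stateful inspection.

```python
# Simplified model (assumption): not HP's protocol, message format, or timers.
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    peer: "Device | None" = None
    synchronized: bool = False
    alive: bool = True
    sessions: set = field(default_factory=set)

    def negotiate(self, peer):
        """Steps 1-2: link the peers and enter the synchronized state."""
        self.peer, peer.peer = peer, self
        self.synchronized = peer.synchronized = True
        # On entering the synchronized state, make both tables consistent.
        merged = self.sessions | peer.sessions
        self.sessions, peer.sessions = set(merged), set(merged)

    def handle(self, flow, syn=False):
        """Stateful inspection: only a SYN may create a session."""
        if not self.alive:
            return "no-response"
        if syn:
            self.sessions.add(flow)
            if self.synchronized and self.peer and self.peer.alive:
                self.peer.sessions.add(flow)  # back up over the failover link
            return "forwarded"
        return "forwarded" if flow in self.sessions else "dropped"


def failover_result(stateful):
    """Open a flow on A, fail A, then send a mid-stream packet via B."""
    a, b = Device("A"), Device("B")
    if stateful:
        a.negotiate(b)
    flow = ("10.0.0.5", 40000, "203.0.113.10", 443, "tcp")  # constructed sample
    a.handle(flow, syn=True)
    a.alive = False  # step 3: traffic is switched to B (VRRP or routing)
    return b.handle(flow)


if __name__ == "__main__":
    print("stateful failover:", failover_result(True))
    print("no session backup:", failover_result(False))
```

Without the backup in step 2, the surviving device has no session entry for the established flow and drops it, so clients must reconnect even though routing has already converged.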