Manualshelf

HP VPN Firewall Appliances High Availability Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module
51525354555657585960
53
Figure 29 Stateful failover state relations
Configuration guidelines
When you configure stateful failover, follow these guidelines:
Stateful failover can be implemented only between two devices. The failover interfaces on the two
devices must have consistent configurations, including interface name, number of interfaces,
backup VLAN, and configuration order. If NAT is enabled on the stateful failover devices, the order
to create subinterfaces must be consistent.
On the standby device, do not perform configurations that can be synchronized from the active
device. For interface or security zone configurations, make sure the configuration order, name, and
index of the interfaces or security zones on the standby device are consistent with those on the
active device.
The same numbered interfaces must exist on the two devices. Otherwise, session backup fails. For
example, if Device A uses GigabitEthernet 0/1 and GigabitEthernet 0/3 to forward backup data,
Device B must also use GigabitEthernet 0/1 and GigabitEthernet 0/3.
To run NAT on two failover devices, you must configure two identical NAT address pools for each
device. The higher-priority address pool on a device must be different from that on the other.
Otherwise, a conflict might occur during backup. For example, you can configure two NAT address
pools, 100.0.0.1 through 100.0.0.5 (Pool 1) and 100.0.0.6 through 100.0.0.10 (Pool 2), on
devices A and B. Pool 1 has a lower priority on Device A, and Pool 2 has a lower priority on Device
B. For more information, see Access Control Configuration Guide.
Configure VRRP or a dynamic routing protocol on the failover devices and the uplink/downlink
devices to make sure that the traffic can automatically switch to the other device if one device fails.
While the active device synchronizes all configurations to the standby device, the redundant
configurations, if any, on the standby device are not removed. This might result in a synchronization
failure. To avoid this problem, HP recommends that you check the configurations on the active and
standby devices to make sure they are consistent before configuration synchronization.
An intermediary device (such as a router, a switch, or a hub) is allowed between the failover
interfaces. Make sure the packets forwarded by the intermediary device carry the backup VLAN
tag.
Do not directly connect two failover interfaces on the same stateful failover device.