The Failover feature provides fault tolerance and guarantees that at least one server in a failover pair is accessible to users in the unlikely event of a server failure. The failover pair (an active server and a standby server) provides hot, stateful failover without session interruption or termination. If the active server fails, all session data is automatically preserved. The failover transfer process to the standby server is usually transparent to users, although occasionally a new session initiated since the most recent synchronization update may need to be restarted.
The active and standby servers communicate with each other using a heartbeat. Each server can detect when the other server fails, and in case of failure it automatically restarts applications on the operating server. The standby server uses IP takeover to take over sessions if the active server has a failure.
All FirePass servers are licensed initially as standalone servers. If you want to configure a pair of failover servers, you need to obtain new licenses. Contact your sales representative or Technical Support, and provide them with the serial numbers of the servers to be configured as a failover pair, or request a new license for each server by navigating to Server/Settings and clicking the link to request a new license. For more information, see Managing FirePass licenses.
If you are installing two single-NIC FirePass servers in failover pairs, simply connect the servers to the network.
If you are connecting two dual-NIC FirePass servers in failover pairs, connect the same corresponding NICs to the same subnet on both servers. For example, connect the internal NIC on both servers to the same subnet.
For two single-NIC failover servers, you need at least three static IP addresses: one IP address for the NIC in each server, and a "virtual" IP address for the failover pair itself.
For two dual-NIC failover servers, you need at least five static IP addresses: two IP addresses for each server's NICs, and a virtual IP address for the failover pair itself.
To add or change the IP addresses in the failover pair, you specify the IP addresses in the IP configuration panel for both servers. (For information on accessing the IP configuration panel, see Configuring IPSec for the FirePass server.)
These addresses must be configured for both failover servers:
If you change the Local Name IP address for either server, you must specify the same Local Name IP address for the server in the Configure Failover Pair panel. For more information, see Configuring the failover settings.
When you power up failover servers for the first time, the first server you start automatically becomes the active server and uses the virtual IP address. The other server becomes the standby server. The two servers remain in this state until either the active server fails and the standby server takes over, or until you restart the active server and the standby server becomes the active server.
If both servers are powered up simultaneously, the server with the lexically lower name becomes the active server. For example, Prowler1 has precedence over Prowler2.
To configure servers as members of a failover pair, you must configure both:
To serve as a member of a failover pair, the server must have a virtual IP address configured for each NIC. This virtual address must be shared with the corresponding NIC of the other member of the failover pair. This is what links them as members of a failover pair. If you have not already done so, add a virtual IP address for each NIC, using the Server/Maintenance/Network Configuration/IP Config screen on each server.
A failover pair must also have reciprocal settings for their respective heartbeat configurations.
The current active member of a failover pair sends regular "I am alive" signals, or heartbeats, to the standby member of the pair. Heartbeat settings tell this server what IP address and port to use for the heartbeat while it is the active member of the pair. The destination of the signal must be the other member of the failover pair.
Ordinarily you provide heartbeat settings for each NIC on one server, and then you make corresponding, reciprocal entries for each corresponding NIC on the other server member of this failover pair.
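The addressing and heartbeat rules above can be checked before the pair is put into service. The following Python check is an added example, not part of the FirePass product or its documentation: the dictionary layout, the hb_dest field name and the sample addresses are constructed for illustration, and it assumes that a reciprocal heartbeat entry targets the peer's address on the corresponding NIC.

```python
import ipaddress

# Constructed sample plan (hypothetical layout, not a FirePass file format).
# hb_dest is the heartbeat destination a server uses while it is active.
PROWLER1 = {"name": "Prowler1", "nics": {
    "internal": {"ip": "10.0.1.11/24", "virtual": "10.0.1.10", "hb_dest": "10.0.1.12"},
    "external": {"ip": "192.0.2.11/24", "virtual": "192.0.2.10", "hb_dest": "192.0.2.12"}}}
PROWLER2 = {"name": "Prowler2", "nics": {
    "internal": {"ip": "10.0.1.12/24", "virtual": "10.0.1.10", "hb_dest": "10.0.1.11"},
    "external": {"ip": "192.0.2.12/24", "virtual": "192.0.2.10", "hb_dest": "192.0.2.11"}}}


def check_failover_plan(a, b):
    """Return a list of problems in a two-server failover address plan."""
    if set(a["nics"]) != set(b["nics"]):
        return ["servers do not have the same NICs"]
    problems, used = [], []
    for nic in sorted(a["nics"]):
        na, nb = a["nics"][nic], b["nics"][nic]
        ia, ib = ipaddress.ip_interface(na["ip"]), ipaddress.ip_interface(nb["ip"])
        # Corresponding NICs on both servers must sit on the same subnet.
        if ia.network != ib.network:
            problems.append(f"{nic}: subnets differ ({ia.network} vs {ib.network})")
        # The virtual IP links the pair: same value on both, inside the subnet.
        if na["virtual"] != nb["virtual"]:
            problems.append(f"{nic}: virtual IP is not shared")
        elif ipaddress.ip_address(na["virtual"]) not in ia.network:
            problems.append(f"{nic}: virtual IP outside {ia.network}")
        # Heartbeat entries must be reciprocal: each side targets its peer.
        # Assumption: the target is the peer's address on the corresponding NIC.
        for src, entry, peer in ((a, na, ib), (b, nb, ia)):
            if entry["hb_dest"] != str(peer.ip):
                problems.append(f"{nic}: {src['name']} heartbeat does not target its peer")
        used += [str(ia.ip), str(ib.ip), na["virtual"]]
    # Server addresses and virtual addresses must all be distinct.
    if len(set(used)) != len(used):
        problems.append("address collision: an IP address is assigned twice")
    return problems


def expected_active(a, b):
    """On simultaneous power-up, the lexically lower name becomes active."""
    return min(a["name"], b["name"])


if __name__ == "__main__":
    print(check_failover_plan(PROWLER1, PROWLER2) or "plan is consistent")
    print("active on simultaneous start:", expected_active(PROWLER1, PROWLER2))
```

A heartbeat entry that points at the shared virtual address instead of the peer is reported, because the virtual address always belongs to the active server itself.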
FirePass 4000 servers (or failover pairs of servers) can be clustered to support many concurrent connections on a single logical URL without performance degradation. Load balancing distributes the sessions among the available servers to maximize throughput.
Each server (or failover pair) in the cluster must have a valid certificate and be publicly accessible from outside the LAN using its own unique fully-qualified domain name.
The master node distributes configuration updates (for example, available system resources, new authorized users, and current user access rights) to the slaves once per minute. This synchronization allows any slave to service any user session.
Clustered servers do not share session information. Each session is established with a single server.
The master server in a cluster balances the load among slaves by redirecting sessions to slaves. To make this possible, the slaves report their number of currently active sessions as a part of the synchronization process.
You cannot change some configuration settings on slave servers. These changes must be made on the master, so they are replicated across all slaves during synchronization. When you use the Administration Console to connect to a slave server, the configuration options that you cannot change in slave servers are not available. For example, you cannot change user and group account information in the slave servers, and consequently the Users tab is not displayed when you connect to a slave server. To make global configuration changes to a cluster, always connect to the master server. The configuration information flows from the master to the slaves.
To connect several FirePass servers as a cluster, connect the primary NICs to the same subnet unless they are installed in different geographic locations.
Whenever you power up the server cluster, always power up the master server first. If the master server is not available when the slave servers power up, then the cluster does not work properly.
A cluster consists of one master node and up to nine optional slave nodes. The master node is responsible for handling incoming connections and redirecting each session to an available slave. The master node is also responsible for maintaining configuration information on itself and all slave nodes. The master itself can also function as an available slave.
To configure this server as a member of a cluster, you must first have installed a license that enables clustering, and that indicates the role of this server (as a master or slave). Go to Server/Settings and click the Request a new license link, or contact your sales representative or technical support contact for assistance. For more information about licensing, see Managing FirePass licenses.
To allow your clustered servers to remain synchronized, you must also have configured at least one Synchronization service on each server in the cluster. To configure a service for synchronization, navigate to Server/Network Configuration/Web Services. For more about configuring services, see Configuring services.
To configure Load Balancing, you must also have defined at least one User service allowing HTTP access -- that is, a service available for user access from outside the network -- on each server node of the cluster.
To configure an available User service, navigate to Maintenance/Network Configuration/Web Services. For more about configuring services, see Configuring services.
You also can configure the method, or algorithm, FirePass uses to distribute sessions. FirePass can assign sessions randomly among the slave servers, or it can maintain an even session count among them.
To change the load balancing algorithm, go to the Clustering tab at the left of the Administrative Console, and click Settings. Choose Random for random assignment of sessions. Choose Off for even distribution of session counts.
These settings do not take effect until you have committed them using the Finalize screen.
You can access a slave server's configuration while you are connected to a master server using the Administrative Console.
You can display operational statistics for a server cluster in near-real time. The statistics include the number of sessions active on the servers, the average bitrate and CPU load, and the time of the most recent master-slave synchronization.