Manual Chapter: FirePass® Controller version 5.5 Administrator Guide: Using FirePass Controllers in Clusters


Chapter 12, Using FirePass Controllers in Clusters


Understanding FirePass controller clusters

You can set up FirePass 4000 or 4100 controllers in a cluster configuration to support large numbers of concurrent connections without performance degradation. A cluster is a group of FirePass controller nodes that provide common user services, and can distribute the load of active sessions across all controllers in the cluster. A cluster node can consist of a single FirePass controller, or a failover pair of controllers.

A cluster consists of one primary (or master) node and up to a maximum of nine secondary (or slave) nodes. The primary node first handles incoming connections, and then redirects each session to an available secondary node, or services the connection itself. Alternately, you can configure for direct logon to any cluster node if you do not want the primary node to load-balance, or if you are using an external load balancer. The primary node maintains configuration for all user groups and user resources provided by the cluster. Each secondary node services user sessions as requested by the primary node, and independently maintains its own network configuration.

Understanding synchronization in clusters

The primary node plays a central role in a cluster for all the user-related configuration (user groups and user resource settings). You create and configure user groups and resource group favorites on the primary node.

To synchronize resource configuration information across all cluster nodes, the primary node distributes configuration updates to each secondary node. Once a user is logged on, the secondary node reports its updates to the primary node as an input to the primary node's load-balancing decision. Data synchronized from the secondary nodes back to the primary includes: password updates, additions and changes to personal favorites, and updates to other account settings. This synchronization process allows any primary or secondary controller to service a user's logon request and subsequent session. For more information about synchronizing web services, see Configuring clustering synchronization.

Clustering is ideal for large enterprises and service providers, and allows for easy scalability, with increased performance and fault tolerance across all cluster nodes. For large deployments, a FirePass 4100 cluster can contain up to ten nodes, supporting up to 20,000 concurrent connections, though there is no limit on the number of user accounts.

Installing FirePass controllers as a cluster

To complete procedures in this chapter, you must already have installed the FirePass controllers and have completed their network and web service configuration. For installation information, see the FirePass Controller Getting Started Guide, available as a separate document. For initial network configuration information, see Configuring web services, on page 8-17.

Important

Always back up any FirePass controller before configuring clustering. For more information on backup operations, see Backing up and restoring the FirePass controller, on page 8-37.

Configuring FirePass controller clusters

Once you have installed each member of your cluster, you can configure the clustering settings for each controller. The procedures in this section guide you through the process of setting up FirePass controller cluster members.

To begin configuring cluster members:

  • You must have multiple FirePass 4000 or 4100 systems available.
  • Each system must be running the same software version and must have the same hot-fixes, if any, installed.
  • Every cluster member must have its own individual license that supports identical features and the same number of concurrent users.
  • Each node in the cluster must have a valid certificate and be publicly accessible from outside the LAN using its own unique IP address or fully-qualified domain name (FQDN).

To ensure the highest level of availability, you should use multiple failover pairs as cluster nodes. If this is not possible, F5 Networks recommends, at a minimum, that you make the primary node a failover pair.

Note

Any cluster node can be a failover pair of FirePass controllers. Configure redundant systems (failover pairs) before configuring clusters. For more information about configuring failover pairs, see Chapter 10, Using FirePass Controllers for Failover.

Making configuration changes in clusters

You can change some configuration settings only on the primary node:

  • User account information and master group settings
  • Favorites for Network Access, Portal Access, and Application Access
  • Customization options

When you connect to a secondary node, you are limited to changing network settings and clustering configuration options that the primary node does not control. For example, because you cannot change user and group account information on secondary nodes, the secondary node presents no user or group options. These options are not available on any secondary node to prevent conflicts during synchronization.

Understanding the configuration process

To configure FirePass controllers as a cluster, you need to complete several tasks in a specific order.

  • Enable clustering
    The first task in configuring a cluster of controllers is to enable clustering on each node. When you configure the primary node, record the specified Cluster ID and the Cluster/Failover Global ID for use in configuring the secondary nodes. For more information, see Enabling clustering.
  • Set up synchronization
    The second task is to configure synchronization.
    • Create a synchronization service
      In order for clustered controllers to remain synchronized, you must configure at least one synchronization service on each controller in the cluster. This should be a different web service from the one you create for user access. For more information about configuring synchronization services, see Configuring a synchronization service.
    • Configure synchronization
      When you configure synchronization, you pair an IP address and port on the primary node with an IP address and port on each of the secondary nodes. For more information on configuring synchronization, see Configuring synchronization.
  • Verify that the cluster configuration is working
    After you have configured the cluster nodes, but before allowing remote clients to access the cluster, verify that all controllers are working properly. For more information, see Verifying the cluster configuration.
  • Enable load balancing
    Load balancing is the process the primary node uses to distribute user sessions among all the nodes in the cluster. If you want to use the cluster for load balancing, you must define at least one user service on the primary node and at least one on each secondary node. The user service must allow HTTP and HTTPS access so that users can reach the service from outside the network. For more information, see Configuring load balancing.

Note

As an alternative, you can use a BIG-IP Local Traffic Manager for load balancing a cluster. For more information, see the associated deployment guide on the F5 Solution Center at http://www.f5.com/solutions/.

Enabling clustering

Enabling clustering involves specifying the number of nodes in the cluster, designating one as the primary node, and standardizing the Cluster ID and Clustering/Failover Global ID on each of the nodes to be used in the cluster. After you have enabled clustering and restarted the controller, you can make additional configuration changes on newly available clustering screens.

Tip

If you are enabling clustering on a pair of controllers in a failover configuration, set up clustering on the active controller.

For the primary node, complete the following procedure.

To enable clustering on the primary node

  1. In the navigation pane, click Device Management, expand Configuration, and click Clustering and Failover.
    The Clustering and Failover screen opens.
  2. In the Clustering (Load-Balancing) Configuration area, check the Enable Clustering Configuration check box.
  3. In the Total Number of Cluster Nodes box, specify the number of nodes the cluster contains.
    A node can consist of a single FirePass controller or a failover pair of controllers.
  4. From the Cluster Node Master/Slave list, select Master.
  5. Copy the value from the Cluster ID box.
    Paste this value into a text file or write it down. You will need this value to configure the secondary nodes.
  6. In the Clustering/Failover Global ID area, copy the value from the Cluster/Failover Global ID box.
    Paste this value into a text file or write it down. You will need this value to configure the secondary nodes.
  7. To commit the settings, click the Apply Clustering/Failover Settings button.
  8. When prompted to restart the controller, click the indicated text (here).

For each secondary node, complete the following procedure.

To enable clustering on a secondary node

  1. In the navigation pane, click Device Management, expand Configuration, and click Clustering and Failover.
    The Clustering and Failover screen opens.
  2. In the Clustering (Load-Balancing) Configuration area, check the Enable Clustering Configuration check box.
  3. In the Total Number of Cluster Nodes box, specify the number of nodes the cluster contains.
  4. From the Cluster Node Master/Slave list, select Slave.
  5. In the Cluster ID box, paste the value you copied from this field on the primary node in step 5 of To enable clustering on the primary node, preceding.
  6. In the Cluster/Failover Global ID box in the Clustering/Failover Global ID area, paste the value you copied in step 6 of To enable clustering on the primary node, preceding.
  7. To commit the settings, click the Apply Clustering/Failover Settings button.
  8. When prompted to restart the controller, click the indicated text (here).

Important

Whenever you turn on a cluster member, always start the primary node first. If the primary node is not available when the remaining cluster members start up, the cluster cannot function properly. For this reason, we recommend that the primary node be a failover pair.

Configuring clustering synchronization

After you have enabled clustering on each node, you can configure synchronization. All traffic goes to the primary node first. The primary node manages cluster synchronization and, if load balancing is enabled, distributes user-session processing among the secondary nodes. For more information about load balancing, see Configuring load balancing.

Configuring a synchronization service

Synchronization is the process used by the primary node to synchronize data with the secondary nodes of the cluster. Data synchronized from the primary node to each secondary node includes: user and group data (including authentication parameters), and favorites. Data synchronized from the secondary nodes back to the primary includes: password updates, additions and changes to personal favorites, and updates to other account settings.

When load balancing is enabled, the primary node distributes user sessions to each secondary node, and each secondary node handles user sessions delegated to it by the primary node of the cluster. Load balancing operations require synchronized data on the cluster members.

To configure the primary and secondary nodes of a cluster for synchronization, you must designate a synchronization service and configure synchronization on each node.

The following requirements affect how you configure the synchronization service.

  • The service must allow HTTP connections. For this reason, you should not configure it on a port that is also configured for user services.
  • The service cannot be redirected to another service (for example, HTTPS).
  • If the service is on a redundant system (failover pair), you should configure it on the pair's shared, virtual IP address.
  • You can use the same synchronization port as the one configured for failover synchronization.

Configuring the synchronization service

Complete the following procedure on the primary node first, then complete the procedure on each secondary node.

To configure a synchronization service

  1. In the navigation pane, click Device Management, expand Configuration, click Network Configuration, and then click the Web Services tab at the top of the screen.
    The Web Server Configuration screen opens.
  2. In the Add new service area, from the IP list, select an IP address:
    • If the port is also configured for failover synchronization, select a shared, virtual IP address.
    • Otherwise, select a self IP address.
      Make a note of the IP address for the primary node and for each secondary node. You will need them for configuring synchronization parameters.
  3. In the Port box, type an unused port number.
    For example, type 82 in the Port box.
  4. In the Name field, type the FQDN of the FirePass controller.
  5. If the service is to be used for synchronizing failover pairs as well as cluster nodes, from the For Mode list, select ActiveOnly.
  6. To add the service, click Add New.
    The Web Service Configuration for <Hostname or IP Address> screen opens.
  7. On the Web Service Configuration for <Hostname or IP Address> screen:
    1. Check the Do not redirect the HTTPS check box.
    2. Check the Synchronization Agent check box.
    3. Leave all other options unchecked.
  8. To update the synchronization service settings, click Update.

Important

Although the settings do not take effect until you complete the finalize operation and restart the controller, the FirePass controller cannot complete the finalize operation until all clustering settings are fully configured.

Tip

You can use a single web service for both cluster synchronization and failover synchronization. For more information about configuring a web service for failover, see Configuring a web service as a synchronization agent for the active controller's self IP address, on page 10-12.

Configuring synchronization

After you configure a synchronization service, you must pair the service with the corresponding service on each secondary node.

Configuring synchronization on the primary node

Now, you complete the procedure on the primary node.

To configure synchronization parameters on the primary node

  1. In the navigation pane, click Clustering.
    The Clustering Settings screen opens.
  2. Click the Please click here to set up the cluster network configuration link.
    The Device Management : Configuration : Network Configuration screen opens with the Clustering tab selected.
  3. In the Internal Synchronization area, from the Service On Master list, select the IP address and port number of the synchronization service you configured.
  4. In Service on Slave N, type the IP address and port of the corresponding synchronization service settings for each secondary node.
  5. To update the synchronization settings, click Update Table.
  6. Click the Finalize tab at the top of the screen.
    The Finalize Settings screen opens.
  7. Click Finalize Changes to finalize the configuration.
  8. When prompted, restart the controller.

Configuring synchronization on the secondary nodes

Now, you complete the procedure on each secondary node. The process is almost the same as configuring the primary node, except for the differences in the Internal Synchronization parameters.

To configure synchronization parameters on a secondary node

  1. In the navigation pane, click Clustering.
    The Clustering Settings screen opens.
  2. Click the Please click here to set up the cluster network configuration link.
    The Device Management : Configuration : Network Configuration screen opens with the Clustering tab selected.
  3. In the Internal Synchronization area, from the Service On Slave list, select the IP address and port number of the synchronization service you configured.
  4. In Service on Master, type the corresponding IP address and port of the synchronization service on the primary node.
  5. To update the synchronization settings, click Update Table.
  6. Click the Finalize tab at the top of the screen.
    The Finalize Settings screen opens.
  7. Click Finalize Changes to finalize the configuration.
  8. When prompted, restart the controller.

Configuring a synchronization interval

Before synchronization can work, you must enable clustering and configure synchronization settings. For more information, see Enabling clustering and Configuring clustering synchronization.

To specify a synchronization interval

  1. In the navigation pane, click Device Management, expand Configuration, and click Clustering and Failover.
    The Clustering and Failover screen opens.
  2. In Synchronization Interval, specify the length of time you want to leave between the start of synchronization operations.
    The default interval is ten seconds, which should work for most configurations. If there is a large amount of data to synchronize, the process might not complete in ten seconds, so you should specify a longer interval. You can watch the Stats screen to determine how long synchronization takes. Then you can set an interval sufficiently large to make sure that the operation completes.
  3. To commit the settings, click the Apply Clustering/Failover Settings button.
  4. When prompted to restart the controller, click the indicated text (here).
  5. Repeat this process for each secondary node.

Verifying the cluster configuration

After configuring the primary and secondary nodes, you must verify clustering functionality before allowing access to any remote users.

To verify that your cluster configuration is working

  1. In the navigation pane of the primary node, click Clustering, and then click Stats.
    The Current cluster stats screen opens.
  2. On the Stats screen, in the Last Sync column, verify that the primary and secondary controllers are synchronizing using the interval you specified in Configuring a synchronization interval, preceding.

Tip

To update the values on the Stats screen, click the Stats item in the navigation pane again.

Configuring load balancing

Optionally, you can configure the load balancing feature of FirePass controller clusters. Balancing the load ensures that no single controller becomes overloaded while another controller is underused. By default, load balancing is turned off. With load balancing enabled, the primary node assigns sessions randomly among the secondary controllers.

Note

As an alternative, you can use a BIG-IP Local Traffic Manager for load balancing a cluster. For more information, see the associated deployment guide on the F5 Solution Center at http://www.f5.com/solutions/.

Configuring load balancing on the primary node

After you enable load balancing on the primary node, you must associate its HTTP- and HTTPS-enabled user web service with the corresponding service on each secondary node.

To configure load balancing on the primary node

  1. In the navigation pane, click Clustering, and click Settings.
    The Clustering Settings screen opens.
  2. Click the Please click here to set up the cluster network configuration link.
    The Device Management : Configuration : Network Configuration screen opens with the Clustering tab active.
    The Load Balancing table contains a row for each HTTP- and HTTPS-enabled user web service on the primary node, and each row contains a column for each secondary node.
    • Service On Master
      Represents the primary node.
    • Service On SlaveN
      Represents each secondary node in the cluster.
  3. In each column, type the IP address and port of the HTTP- and HTTPS-enabled, user-access web service on the corresponding secondary node.
  4. To commit the settings, click Update Table.
  5. Click the Finalize tab at the top of the screen.
    The Finalize Settings screen opens.
  6. Click Finalize Changes to finalize the configuration.
  7. When prompted, restart the controller.

Configuring load balancing on the secondary node

After you enable load balancing on each secondary node, you must associate its HTTP- and HTTPS-enabled user web service with the corresponding service on the primary node.

To configure load balancing on the secondary nodes

  1. In the navigation pane, click Clustering, and click Settings.
    The Clustering Settings screen opens.
  2. Click the Please click here to set up the cluster network configuration link.
    The Device Management : Configuration : Network Configuration screen opens with the Clustering tab active.
    The Load Balancing table contains a row for each HTTP- and HTTPS-enabled user web service on the primary node, with a column for the secondary node you are logged on to and a column for the primary node.
    • Service On Slave
      Represents the secondary node you are logged on to.
    • Service On Master
      Represents the primary node.
      In this column, type the IP address and port number representing the primary node's web service you want to associate with the secondary node.
  3. To commit the settings, click Update Table.
  4. Click the Finalize tab at the top of the screen.
    The Finalize Settings screen opens.
  5. Click Finalize Changes to finalize the configuration.
  6. When prompted, restart the controller.

Activating load balancing

Before you can activate load balancing, you must first enable clustering and configure synchronization. For more information, see Enabling clustering and Configuring clustering synchronization.

To activate load balancing

  1. In the navigation pane, click Clustering, and then click Settings.
    The Clustering : Settings screen opens.
  2. From the Load Balancing list, select Random.
    Random represents an unstructured and irregular assignment of user sessions among the cluster members. If you select Off, no load balancing occurs, and the user selects a node at logon time.
  3. Check the Allow optional manual logon to slave nodes from master logon page while configuring load balancing algorithm check box to have the FirePass controller present users a list from which they can select the node they want to log on to.

Verifying the load balancing configuration

After configuring load balancing on the primary and secondary nodes, you should verify that the feature works properly before allowing access to any remote users.

To verify that load balancing is working

  1. In the navigation pane, click Clustering, and then click Stats.
    The Current clustering stats screen opens.
  2. Verify that the value shown in the Last Sync column does not exceed the interval you specified in Configuring a synchronization interval.
  3. Leave the administrator session active in one instance of the browser, and use another instance of the browser to log on as a user.
  4. From the Preferred Node list on the user logon page, select each clustering node.
    Make sure that the same user can log on to each node.
  5. From the Preferred Node list on the user logon page, select Autoselect, and log on and off repeatedly.
  6. In the administrative session, view the statistics to determine whether the primary controller has redirected the user session to a randomly selected secondary node.
  7. Because the primary controller can also serve user sessions, the user session might remain on the primary node even when load balancing is correctly configured. If the user session is not redirected, log on as a second user, and check the statistics again.
  8. Check the logs on the primary node for errors.
    If the primary node cannot redirect the session, it creates an entry in the system logs. You can check the system logs to determine the error and correct it, if possible. To access the logs, in the navigation pane, click Reports.
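The Stats checks in the verification procedure above (Last Sync against the configured interval, and whether sessions actually land on secondary nodes) can be scripted once the screen's values are copied out. This is an added example, not part of the FirePass manual: the Stats screen has no documented export format, so the tab-separated snapshot, the node names and the 50% safety margin in recommend_interval are all constructed assumptions.

```python
"""Checks over a FirePass cluster Stats snapshot (added example, constructed data).

The snapshot carries the columns the manual says the Stats screen shows:
active sessions, CPU load, TCP/IP connections and seconds since the most
recent primary/secondary synchronization.
"""
import math
from dataclasses import dataclass
from typing import List

DEFAULT_SYNC_INTERVAL_S = 10  # the manual's default Synchronization Interval

# Constructed sample snapshot; node names follow the Master / SlaveN naming.
SNAPSHOT = """\
node\tsessions\tcpu_load\ttcp_conns\tlast_sync_s
master\t14\t0.35\t120\t0
slave1\t9\t0.22\t80\t4
slave2\t11\t0.28\t95\t27
slave3\t0\t0.02\t3\t6
"""


@dataclass
class NodeStats:
    node: str
    sessions: int
    cpu_load: float
    tcp_conns: int
    last_sync_s: int


def parse_snapshot(text: str) -> List[NodeStats]:
    """Parse the tab-separated snapshot (header line first) into NodeStats rows."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    rows = []
    for ln in lines[1:]:
        f = dict(zip(header, ln.split("\t")))
        rows.append(NodeStats(f["node"], int(f["sessions"]), float(f["cpu_load"]),
                              int(f["tcp_conns"]), int(f["last_sync_s"])))
    return rows


def stale_nodes(rows: List[NodeStats], interval_s: int = DEFAULT_SYNC_INTERVAL_S) -> List[str]:
    """Secondary nodes whose Last Sync exceeds the configured interval
    (step 2 of 'To verify that load balancing is working')."""
    return [r.node for r in rows if r.node != "master" and r.last_sync_s > interval_s]


def idle_secondaries(rows: List[NodeStats]) -> List[str]:
    """Secondary nodes with no sessions while the cluster is serving sessions:
    a sign that redirection to (or logon at) that node is not working."""
    if sum(r.sessions for r in rows) == 0:
        return []
    return [r.node for r in rows if r.node != "master" and r.sessions == 0]


def sessions_on_secondaries(rows: List[NodeStats]) -> int:
    """Sessions the primary has redirected; 0 means no redirection was observed."""
    return sum(r.sessions for r in rows if r.node != "master")


def recommend_interval(observed_sync_s: List[int], default: int = DEFAULT_SYNC_INTERVAL_S,
                       margin: float = 1.5) -> int:
    """Interval large enough for the longest observed sync run to complete.
    The 50% margin is this example's assumption, not a value from the manual."""
    if not observed_sync_s:
        return default
    return max(default, math.ceil(max(observed_sync_s) * margin))


if __name__ == "__main__":
    rows = parse_snapshot(SNAPSHOT)
    print("stale secondaries:", stale_nodes(rows))
    print("idle secondaries:", idle_secondaries(rows))
    print("sessions redirected:", sessions_on_secondaries(rows))
    print("suggested interval (s):", recommend_interval([6, 8, 12]))
```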

Managing a cluster configuration

After you have configured the FirePass controller cluster and verified that it is working properly, you can manage the cluster and make additional configuration changes.

Accessing a secondary controller's configuration

There are several ways to access a secondary controller.

  • In a web browser's address bar, type <IP address>/admin/ or <fully qualified domain name>/admin/.
  • Select the secondary node you want to access from the Preferred node list when you log on to the primary node.
  • Use the logon page on the primary controller, if the Allow optional manual logon to slave nodes from master logon page setting is checked.
  • Access the secondary node from within the primary node.
    • In the navigation pane of the primary node, click Clustering, and then click Slave Admin.
    • Click the link for the secondary controller that you want to access, and then log on.

Tip

To return to the primary controller, type the FQDN of the primary controller in your web browser's address bar, and then log on.

Once you log on to a secondary node, you can check the system logs and the logon reports for entries that can help you troubleshoot problems. To access the reports, in the navigation pane, click Reports.

Displaying statistics for a FirePass controller cluster

You can display operational statistics for a controller cluster in near-real time.

To display statistics for a FirePass controller cluster

  1. Log on to the primary FirePass controller in the cluster.
  2. In the navigation pane, click Clustering, and then click Stats.
    The Clustering : Stats screen opens.

Statistics presented include the number of sessions active on each node, the associated CPU load, the number of TCP/IP connections, and the interval since the most recent primary-secondary synchronization operation.
