Manual Chapter: FirePass® Controller version 6.0 Administrator Guide: Using FirePass Controllers in Clusters
12

Using FirePass Controllers in Clusters


Understanding FirePass controller clusters

You can set up FirePass 4000 or 4100 controllers in a cluster configuration to support large numbers of concurrent connections without performance degradation. A cluster is a group of FirePass controller nodes that provide common user services, and can distribute the load of active sessions across all controllers in the cluster. The process the primary node uses to distribute user sessions among all the nodes in the cluster is called load balancing.

A cluster node represents one station in a cluster, and can consist of a single FirePass controller, or a failover pair (redundant system) of controllers. A cluster consists of one primary (or master) node and up to a maximum of nine secondary (or slave) nodes. The primary node first handles incoming connections, and then redirects each session to an available secondary node, or services the connection itself. The primary node maintains configurations for all user groups and user resources the cluster supports. Each secondary node services user sessions as requested by the primary node, and independently maintains its own network configuration.

Clustering is ideal for large enterprises and service providers, and allows for easy scalability, with increased performance and fault tolerance across all cluster nodes. For large deployments, a FirePass 4100 cluster can contain up to ten nodes, supporting up to 20,000 concurrent connections, though there is no limit on the number of user accounts.

As an alternative, you can specify that the user select the cluster node if you do not want the primary node to balance the load, or you can use an external load-balancing method. For information about using the BIG-IP Local Traffic Manager as the load-balancing mechanism, see the associated deployment guide on the F5 Networks web site Solution Center at http://www.f5.com/solutions/.

Understanding synchronization in clusters

The primary node plays the central role in a cluster for all the user-related configuration (user groups and user resource settings). You create and configure user groups and resource group favorites on the primary node. When load balancing is enabled, the primary node distributes user sessions to each secondary node, and each secondary node handles user sessions delegated to it by the primary node of the cluster. The secondary nodes get this information from the primary node during the synchronization process. Synchronization is the process used by the primary node to synchronize data with the secondary nodes of the cluster.

Load balancing operations require synchronized data on the cluster members. The synchronization process makes it possible for any primary or secondary controller to service a user's logon request and subsequent session. To synchronize resource information across all cluster nodes, the primary node distributes configuration updates to each secondary node. Data synchronized from the primary node to each secondary node includes: user and group data (including authentication parameters), and favorites.

Once a user is logged on, the secondary node reports its updates to the primary node as an input to the primary node's load-balancing decision. Because users can perform operations that change user-specific data, the FirePass controller synchronizes some data from the secondary nodes back to the primary node. These updates include password changes, additions and changes to personal favorites, and modifications to other account settings.

For more information about synchronizing web services, see Configuring clustering synchronization.

Installing FirePass controllers as a cluster

To complete procedures in this chapter, you must already have installed the FirePass controllers and have completed the initial network and web service configuration. For setup information, see the FirePass Controller Getting Started Guide, available as a separate document on the AskF5 web site at http://tech.f5.com. For initial network configuration information, see Configuring web services.

Important

Always back up any FirePass controller before configuring clustering. For more information on backup operations, see Backing up and restoring the FirePass controller.

Configuring FirePass controller clusters

Once you have set up each member of your cluster, you can configure the clustering settings for each controller. The procedures in this section guide you through the process of setting up FirePass controller cluster members.

Here are the requirements for configuring cluster members:

  • You must have multiple FirePass 4000 or 4100 systems available.
  • Each system must be running the same software version and must have the same hot-fixes, if any, installed.
  • Every cluster member must have its own individual license that supports identical features and the same number of concurrent users, except for any failover-only members, which should have the failover-only license activated.
  • Each node in the cluster must have a valid certificate and be publicly accessible from outside the LAN using its own unique IP address or fully-qualified domain name (FQDN).

To ensure the highest level of availability, you should use multiple pairs of FirePass controllers as cluster nodes. If this is not possible, F5 Networks recommends, at a minimum, that you make the primary node a redundant system.

Note

Any cluster node can represent a redundant system of pairs of FirePass controllers. If you plan to use redundant systems as nodes in the cluster, configure them before configuring clusters. For more information about configuring redundant systems, see Chapter 11, Using FirePass Controllers for Failover.

Making configuration changes in clusters

You can change some configuration settings only on the primary node:

  • User account information and master group settings
  • Favorites for Network Access, Portal Access, and Application Access
  • Customization options

When you connect to a secondary node, you are limited to changing network settings and clustering configuration options that the primary node does not control. For example, because you cannot change user and group account information on secondary nodes, the secondary node presents no user or group options. These options are not available on any secondary node to prevent conflicts during synchronization.

Understanding the configuration process

To configure FirePass controllers as a cluster, you need to complete several tasks in a specific order.

  • Enable clustering
    The first task in configuring a cluster of controllers is to enable clustering on each node. When you configure the primary node, record the specified Cluster ID and the Cluster/Failover Global ID for use in configuring the secondary nodes. For more information, see Enabling clustering.
  • Specify log consolidation settings
    The next task is to determine whether you want to consolidate logs for nodes in the cluster. For more information, see Consolidating logs.
  • Set up synchronization
    The third task is to configure synchronization, which consists of two parts:
    • Create a synchronization service
      In order for clustered controllers to remain synchronized, you must configure at least one synchronization service on each controller in the cluster. This should be a different web service from the one you create for user access. For more information about configuring synchronization services, see Configuring a synchronization service.
    • Configure synchronization
      When you configure synchronization, you associate an IP address and port on the primary node with an IP address and port on each of the secondary nodes. For more information on configuring synchronization, see Configuring synchronization.
  • Verify that the cluster configuration is working
    After you have configured the cluster nodes, but before allowing remote clients to access the cluster, verify that all controllers are working properly. For more information, see Verifying the cluster configuration.
  • Enable load balancing
    If you want to use the cluster for load balancing, you must define at least one user service on the primary node and at least one on each secondary node. The user service must be configured to allow HTTP and HTTPS access so that users can access the service from outside the network. For more information, see Configuring load balancing.

Note

As an alternative, you can use a BIG-IP Local Traffic Manager for load balancing a cluster. For more information, see the associated deployment guide on the F5 Solution Center at http://www.f5.com/solutions/.

Consolidating logs

You can use log consolidation settings to view information about all cluster members in a single location on the primary node. Consolidating logs simplifies the monitoring process for cluster node members. In order to have the primary node receive log information from the secondary nodes, you must enable log-consolidation settings on the Device Management : Configuration : Clustering and Failover screen. For procedures containing these steps, see Enabling clustering, following.

You can view consolidated logs on the primary node in Reports. Logs that contain consolidated data include a Cluster Node column in the report. The report contains data for each cluster node, including the primary node.

You can get node-specific statistics on the Device Management : Monitoring : System Load screen by selecting an IP address from the Cluster Node list.

Enabling clustering

Enabling clustering involves specifying the number of nodes in the cluster, designating one as the primary node, and standardizing the Cluster ID and Clustering/Failover Global ID on each of the nodes to be used in the cluster. After you have enabled clustering and restarted the controller, you can make additional configuration changes on newly available clustering screens.

Tip

If you are enabling clustering on a pair of controllers in a failover configuration, set up clustering on the active controller.

Configuring the primary node

For the primary node, complete the following procedure.

To enable clustering on the primary node

  1. In the navigation pane, click Device Management, expand Configuration, and click Clustering and Failover.
    The Clustering and Failover screen opens.
  2. In the Clustering (Load-Balancing) Configuration area, check the Enable Clustering Configuration check box.
  3. In the Total Number of Cluster Nodes box, specify the number of nodes the cluster contains.
    A node can consist of a single FirePass controller or a redundant system of a pair of controllers.
  4. From the Cluster Node Master/Slave list, select Master.
  5. To enable the consolidation of logs from the secondary nodes, check Enable Log Consolidation.
    To complete log consolidation, you must also check Synchronize Log to Master on each secondary node. For more information, see Consolidating logs.
  6. Copy the value from the Cluster ID box.
    Paste this value into a text file or write it down. You will need this value to configure the secondary nodes.
  7. In the Clustering/Failover Global ID area, copy the value from the Cluster/Failover Global ID box.
    Paste this value into a text file or write it down. You will need this value when you configure the secondary nodes.
  8. To commit the settings, click the Apply Clustering/Failover Settings button.
  9. When prompted to restart the controller, click the indicated text, here.
  10. Continue with configuring the secondary nodes, following.

Configuring the secondary nodes

For each secondary node, complete the following procedure.

To enable clustering on a secondary node

  1. In the navigation pane, click Device Management, expand Configuration, and click Clustering and Failover.
    The Clustering and Failover screen opens.
  2. In the Clustering (Load-Balancing) Configuration area, check the Enable Clustering Configuration check box.
  3. In the Total Number of Cluster Nodes box, specify the number of nodes the cluster contains.
  4. From the Cluster Node Master/Slave list, select Slave.
  5. To pass log information back to the primary node, check Synchronize Log to Master.
    To complete log consolidation, you must also check Enable Log Consolidation on the primary node. For more information, see Consolidating logs.
  6. Into the Cluster ID box, paste the value you copied from this field on the primary node in step 6 in To enable clustering on the primary node, preceding.
  7. Into the Cluster/Failover Global ID box in the Clustering/Failover Global ID area, paste the value you copied in step 7 in To enable clustering on the primary node, preceding.
  8. To commit the settings, click the Apply Clustering/Failover Settings button.
  9. When prompted to restart the controller, click the indicated text, here.

Important

Whenever you turn on a cluster member, always start the primary node first. If the primary node is not available when the remaining cluster members start up, the cluster cannot function properly. For this reason, we recommend that the primary node be a redundant system.

Configuring clustering synchronization

After you have enabled clustering on each node, you can configure synchronization. All traffic goes to the primary node first. The primary node manages cluster synchronization and, if load balancing is enabled, distributes user-session processing among the secondary nodes. For more information about load balancing, see Configuring load balancing.

Configuring a synchronization service

To configure the primary and secondary nodes of a cluster for synchronization, you must designate a synchronization service and configure synchronization on each node.

The following requirements affect how you configure the synchronization service.

  • The service must allow HTTP connections. For this reason, you should not configure it on a port that is also configured for user services.
  • The service cannot be redirected to another service (for example, HTTPS).
  • If the service is on a redundant system (failover pair), you should configure it on the pair's shared, virtual IP address.
  • You can use the same synchronization port as the one configured for failover synchronization.
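The requirements for cluster members (same software version and hot-fixes, individual licenses, a certificate and a public FQDN or IP per node, matching Cluster ID and Cluster/Failover Global ID) and the requirements for the synchronization service listed above lend themselves to a pre-flight check before you finalize anything. The following is an added example written for this chapter, not FirePass code or an F5 API: the data model, field names, and the constructed two-node plan are assumptions that stand in for values you would read off the Clustering and Failover and Web Services screens.

```python
"""Pre-flight check of a planned FirePass cluster against the requirements
this chapter lists for cluster members and for the synchronization service.
Added example: the data model, field names and sample values are assumptions,
not FirePass configuration items or any F5 API."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WebService:
    ip: str
    port: int
    sync_agent: bool           # "Synchronization Agent" check box set
    redirect_to_https: bool    # False when "Do not redirect to HTTPS" is set
    user_access: bool          # user-facing service (HTTP/HTTPS access)


@dataclass
class Node:
    name: str
    role: str                  # "master" or "slave"
    version: str
    hotfixes: tuple
    license_id: str            # every member needs its own license
    license_users: int         # concurrent users the license allows
    failover_only: bool        # failover-only members are exempt from the license check
    fqdn: str
    has_certificate: bool
    cluster_id: str
    global_id: str
    shared_vip: Optional[str]  # set only for a redundant (failover pair) node
    services: List[WebService]


def check_cluster(nodes: List[Node]) -> List[str]:
    """Return a list of requirement violations; an empty list means the plan is clean."""
    problems = []
    masters = [n for n in nodes if n.role == "master"]
    if len(masters) != 1:
        problems.append("cluster must have exactly one master node")
    if len(nodes) > 10:
        problems.append(f"{len(nodes)} nodes exceeds the ten-node maximum")
    ref = nodes[0]
    licensed = [n for n in nodes if not n.failover_only]
    ids = [n.license_id for n in licensed]
    if len(set(ids)) != len(ids):
        problems.append("two or more members share one license")
    if len({n.license_users for n in licensed}) > 1:
        problems.append("licensed concurrent-user counts differ between members")
    for n in nodes:
        if (n.version, sorted(n.hotfixes)) != (ref.version, sorted(ref.hotfixes)):
            problems.append(f"{n.name}: software version or hot-fixes differ from {ref.name}")
        if n.cluster_id != ref.cluster_id or n.global_id != ref.global_id:
            problems.append(f"{n.name}: Cluster ID or Cluster/Failover Global ID differs from {ref.name}")
        if not n.fqdn or not n.has_certificate:
            problems.append(f"{n.name}: needs a valid certificate and its own public FQDN or IP")
        sync = [s for s in n.services if s.sync_agent]
        if not sync:
            problems.append(f"{n.name}: no web service is marked as Synchronization Agent")
        user_ports = {s.port for s in n.services if s.user_access}
        for s in sync:
            if s.redirect_to_https:
                problems.append(f"{n.name}: sync service {s.ip}:{s.port} redirects to HTTPS")
            if s.port in user_ports:
                problems.append(f"{n.name}: sync port {s.port} is also a user-service port")
            if n.shared_vip and s.ip != n.shared_vip:
                problems.append(f"{n.name}: sync service should sit on shared VIP {n.shared_vip}")
    return problems


def sample_cluster() -> List[Node]:
    """A constructed two-node plan that satisfies every check (addresses are RFC 5737 examples)."""
    def node(name, role, ip, vip=None):
        return Node(name, role, "6.0", ("HF1",), f"LIC-{name}", 1000, False,
                    f"{name}.example.com", True, "CID-example", "GID-example", vip,
                    [WebService(vip or ip, 443, False, False, True),
                     WebService(vip or ip, 82, True, False, False)])
    return [node("master", "master", "192.0.2.10", vip="192.0.2.100"),
            node("slave1", "slave", "192.0.2.11")]


if __name__ == "__main__":
    for p in check_cluster(sample_cluster()) or ["no problems found"]:
        print(p)
```

Run it against your own planned values before clicking Finalize Changes; the checks are deliberately conservative, so a sync service on a redundant node that is not on the shared virtual IP is reported even though the chapter phrases that requirement as "should".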

Configuring the web service as a synchronization agent

The first step of synchronization configuration is to create a web service to serve as the synchronization agent, the service that synchronizes information on the cluster. You must complete this procedure on the primary node first, then complete the procedure on each secondary node.

To configure a synchronization service

  1. In the navigation pane, click Device Management, expand Configuration, and click Network Configuration, and click the Web Services tab at the top of the screen.
    The Web Server Configuration screen opens.
  2. In the Add new service area, from the IP list, select an IP address:
    • If the port is also configured for failover synchronization, select a shared, virtual IP address for the failover web service.
    • Otherwise, select a self IP address.
      Make a note of the IP address for the primary node and for each secondary node. You will need them for configuring synchronization parameters.
  3. In the Port box, type an unused port number.
    For example, type 82 in the Port box.
  4. In the Name field, type the FQDN of the FirePass controller.
  5. If the service is to be used for controllers in a redundant system, from the For Mode list, select ActiveOnly for the failover web service running on the shared, virtual IP address, or Always for the failover web service running on the dedicated, self IP address.
    Selecting the ActiveOnly setting causes the controller to load web services only when it is the active member in the redundant system. For more information about configuring redundant systems, see Reviewing the configuration process.
  6. To add the service, click Add New.
    The Web Service Configuration for <Hostname or IP Address> screen opens.
  7. On the Web Service Configuration for <Hostname or IP Address> screen:
    1. Check the Do not redirect to HTTPS check box.
    2. Check the Synchronization Agent check box.
    3. Leave all other options cleared.
  8. To update the web service configuration, click Update.

Important

Although the settings do not take effect until you complete the finalize operation and restart the controller, the FirePass controller cannot complete the finalize operation until all clustering settings are fully configured.

Tip

You can use a single web service for both cluster synchronization and failover synchronization. For more information about configuring a web service for failover, see Configuring a web service as a synchronization agent for the active controller's self IP address.

Configuring synchronization

After you configure a synchronization service, you must associate that service on the primary node with the corresponding service on each secondary node.

Configuring synchronization on the primary node

First, you complete the procedure on the primary node.

To configure synchronization parameters on the primary node

  1. In the navigation pane, click Clustering.
    The Clustering Settings screen opens.
  2. Click the Please click here to set up the cluster network configuration link.
    The Device Management : Configuration : Network Configuration screen opens with the Clustering tab selected.
  3. In the Internal Synchronization area, from the Service On Master list, select the IP address and port number of the synchronization service you configured.
  4. In Service on Slave N, type the IP address and port of the corresponding synchronization service settings for each secondary node.
  5. To update the synchronization settings, click Update Table.
  6. Click the Finalize tab at the top of the screen.
    The Finalize Settings screen opens.
  7. Click Finalize Changes to finalize the configuration.
  8. When prompted, restart the controller.

Configuring synchronization on the secondary nodes

Next, you complete the procedure on each secondary node. The process is almost the same as configuring the primary node, except for the differences in the Internal Synchronization parameters.

To configure synchronization parameters on a secondary node

  1. In the navigation pane, click Clustering.
    The Clustering Settings screen opens.
  2. Click the Please click here to set up the cluster network configuration link.
    The Device Management : Configuration : Network Configuration screen opens with the Clustering tab selected.
  3. In the Internal Synchronization area, from the Service On Slave list, select the IP address and port number of the synchronization service you configured.
  4. In Service on Master, type the corresponding IP address and port of the synchronization service on the primary node.
  5. To update the synchronization settings, click Update Table.
  6. Click the Finalize tab at the top of the screen.
    The Finalize Settings screen opens.
  7. Click Finalize Changes to finalize the configuration.
  8. When prompted, restart the controller.

Configuring a synchronization interval

If you have a large number of FirePass controllers with clustering enabled, you can greatly reduce the clustering traffic by modifying the cluster synchronization interval. Before synchronization can work, you must enable clustering and configure synchronization settings.

For more information, see Enabling clustering and Configuring clustering synchronization.

To specify a synchronization interval

  1. In the navigation pane, click Device Management, expand Configuration, and click Clustering and Failover.
    The Clustering and Failover screen opens.
  2. In Synchronization Interval, specify the length of time you want to leave between the start of synchronization operations.
    The default interval is ten seconds, which should work for most configurations. If there is a large amount of data to synchronize, the process might not complete in ten seconds, so you should specify a longer interval. You can watch the Stats screen to determine how long synchronization takes. Then you can set an interval sufficiently large to make sure that the operation completes. We recommend 300 seconds as a reasonable interval for most configurations.
  3. To commit the settings, click the Apply Clustering/Failover Settings button.
  4. When prompted to restart the controller, click the indicated text, here.
  5. Repeat this process for each secondary node.

Configuring load balancing

For clustering to work, you must also configure the load balancing feature of FirePass controller clusters. Balancing the load guarantees that no single controller becomes overloaded while another controller is underused. By default, load balancing is turned off. With load balancing enabled, the primary node assigns sessions randomly among the secondary controllers.

Note

As an alternative, you can use a BIG-IP Local Traffic Manager for load balancing a cluster. For more information, see the associated deployment guide on the F5 Solution Center at http://www.f5.com/solutions/.

Configuring load balancing on the primary node

After you enable load balancing on the primary node, you must associate its HTTP- and HTTPS-enabled user web service with the corresponding service on each secondary node.

To configure load balancing on the primary node

  1. In the navigation pane, click Clustering, and click Settings.
    The Clustering Settings screen opens.
  2. Click the Please click here to set up the cluster network configuration link.
    The Device Management : Configuration : Network Configuration screen opens with the Clustering tab active.
    The Load Balancing table contains a row for each HTTP-enabled and HTTPS-enabled, User web service on the primary node, and each row contains columns representing each secondary node.
    • Service On Master
      Represents the primary node.
    • Service On SlaveN
      Represents each secondary node in the cluster.
  3. For each column, type the IP address and port of the HTTP-enabled and HTTPS-enabled, User-access configured web service on the corresponding secondary node.
  4. To commit the settings, click Update Table.
  5. Click the Finalize tab at the top of the screen.
    The Finalize Settings screen opens.
  6. Click Finalize Changes to finalize the configuration.
  7. When prompted, restart the controller.

Configuring load balancing on the secondary node

After you enable load balancing on each secondary node, you must associate its HTTP- and HTTPS-enabled user web service with the corresponding service on the primary node.

To configure load balancing on the secondary nodes

  1. In the navigation pane, click Clustering, and click Settings.
    The Clustering Settings screen opens.
  2. Click the Please click here to set up the cluster network configuration link.
    The Device Management : Configuration : Network Configuration screen opens with the Clustering tab active.
    The Load Balancing table contains a row for each HTTP-enabled and HTTPS-enabled, User web service on the primary node, and each row contains columns representing each secondary node.
    • Service On Slave
      Represents the secondary node you are logged on to.
    • Service On Master
      Represents the primary node.
      In this column, type the IP address and port number representing the primary node's web service you want to associate with the secondary node.
  3. To commit the settings, click Update Table.
  4. Click the Finalize tab at the top of the screen.
    The Finalize Settings screen opens.
  5. Click Finalize Changes to finalize the configuration.
  6. When prompted, restart the controller.

Activating load balancing

Before you can activate load balancing, you must first enable clustering and configure synchronization. For more information, see Enabling clustering and Configuring clustering synchronization.

To activate load balancing

  1. In the navigation pane, click Clustering, and then click Settings.
    The Clustering : Settings screen opens.
  2. From the Load Balancing list, select Random.
    Random represents an unstructured and irregular assignment of user sessions among the cluster members. If you select Off, no load balancing occurs, and the user selects a node at logon time.
  3. Check the Allow optional manual logon to slave nodes from master logon page while configuring load balancing algorithm check box to have the FirePass controller present users a list from which they can select the node they want to log on to.

Verifying the cluster configuration

After configuring the primary and secondary nodes, you must verify clustering functionality before allowing access to any remote users.

To verify that your cluster configuration is working

  1. In the navigation pane of the primary node, click Clustering, and then click Stats.
    The Current cluster stats screen opens.
  2. On the Stats screen, in the Last Sync column, verify that the primary and secondary controllers are synchronizing using the interval you specified in Configuring a synchronization interval.

Tip

To update values on the Stats screen, click Stats in the navigation pane.

Verifying the load balancing configuration

After configuring load balancing on the primary and secondary nodes, you should verify that the feature works properly before allowing access to any remote users.

To verify that load balancing is working

  1. In the navigation pane, click Clustering, and then click Stats.
    The Current clustering stats screen opens.
  3. Verify that the value shown in the Last Sync column does not exceed the interval you specified in Configuring a synchronization interval.
  3. Leave the administrator session active in one instance of the browser, and use another instance of the browser to log on as a user.
  4. From the Preferred Node list on the user logon page, select each clustering node.
    Make sure that the same user can log on to each node.
  5. From the Preferred Node list on the user logon page, select Autoselect, and log on and off repeatedly.
  6. In the administrative session, view the statistics to determine whether the primary controller has redirected the user session to a randomly selected secondary node. Because the primary controller can also serve user sessions, the user session might remain on the primary node even when load balancing is correctly configured. If the user session is not redirected, log on as a second user, and check the statistics again.
  7. Check the logs on the primary node for errors.
    If the primary node cannot redirect the session, it creates an entry in the system logs. You can check the system logs to determine the error and correct it, if possible. To access the logs, in the navigation screen, click Reports.
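The checks in the two verification procedures above, and the guidance in Configuring a synchronization interval about sizing the interval from what the Stats screen shows, can be scripted against a snapshot of the Stats table. The following is an added example, not FirePass code: the CSV layout, the node names, and the interval_for sizing rule (twice the longest observed synchronization, never below the ten-second default) are constructed assumptions, since the chapter only says to pick an interval large enough for synchronization to complete.

```python
"""Evaluate a snapshot of the cluster Stats screen: every secondary's Last Sync
must be within the configured synchronization interval, and with Random load
balancing some sessions should land on secondary nodes.
Added example: the CSV layout and values are constructed to stand in for the
Stats table, not the controller's real export format."""
import csv
import math
from dataclasses import dataclass
from io import StringIO
from typing import Dict, List

DEFAULT_INTERVAL_S = 10       # default interval stated in the chapter
RECOMMENDED_INTERVAL_S = 300  # interval the chapter recommends for most configurations

# Constructed snapshot; the columns mirror the figures the Stats screen reports
# (sessions, CPU load, TCP/IP connections, time since the last sync).
STATS_SNAPSHOT = """\
node,sessions,cpu_load,tcp_connections,last_sync_seconds
master,12,0.35,140,0
slave1,9,0.28,110,7
slave2,0,0.02,3,412
"""


@dataclass
class NodeStats:
    node: str
    sessions: int
    cpu_load: float
    tcp_connections: int
    last_sync_seconds: int


def parse_stats(text: str) -> List[NodeStats]:
    """Parse the constructed CSV snapshot into one record per cluster node."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append(NodeStats(r["node"], int(r["sessions"]), float(r["cpu_load"]),
                              int(r["tcp_connections"]), int(r["last_sync_seconds"])))
    return rows


def stale_nodes(stats: List[NodeStats], interval_s: int) -> List[str]:
    """Secondaries whose Last Sync is older than the configured interval."""
    return [s.node for s in stats if s.node != "master" and s.last_sync_seconds > interval_s]


def secondaries_serving(stats: List[NodeStats]) -> List[str]:
    """Secondaries currently holding user sessions (evidence that redirection works)."""
    return [s.node for s in stats if s.node != "master" and s.sessions > 0]


def interval_for(longest_sync_s: float, headroom: float = 2.0) -> int:
    """Assumed sizing rule: headroom times the longest observed sync, never below the default."""
    return max(DEFAULT_INTERVAL_S, math.ceil(longest_sync_s * headroom))


def verify(stats: List[NodeStats], interval_s: int) -> Dict[str, object]:
    """Summarise both verification procedures for one snapshot."""
    stale = stale_nodes(stats, interval_s)
    serving = secondaries_serving(stats)
    return {
        "sync_ok": not stale,
        "stale_nodes": stale,
        "load_balancing_ok": bool(serving),
        "secondaries_serving": serving,
    }


if __name__ == "__main__":
    print(verify(parse_stats(STATS_SNAPSHOT), RECOMMENDED_INTERVAL_S))
```

In the constructed snapshot slave2 has not synchronized for 412 seconds, so it is flagged even against the recommended 300-second interval; that is the case where you would log on to that secondary and read its system logs, as described under Managing a cluster configuration.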

Managing a cluster configuration

After you have configured the FirePass controller cluster and verified that it is working properly, you can manage the cluster and make additional configuration changes.

Accessing a secondary controller's configuration

There are several ways to access a secondary controller.

  • In a web browser's address bar, type <IP address/admin/> or
    <fully qualified domain name/admin/>.
  • Select the secondary node you want to access from the Preferred node list when you log on to the primary node.
  • Use the logon page on the primary controller, if the Allow optional manual logon to slave nodes from master logon page setting is checked.
  • Access the secondary node from within the primary node.
    • In the navigation pane of the primary node, click Clustering, and then click Slave Admin.
    • Click the link for the secondary controller that you want to access, and then log on.

Tip

To return to the primary controller, type the FQDN for the primary controller in your web browser's address bar, and then log on.

Once you log on to a secondary node, you can check the system logs and the logon reports for entries that can help you troubleshoot problems. To access the reports, in the navigation screen, click Reports.

Displaying statistics for a FirePass controller cluster

You can display operational statistics for a controller cluster in near-real time.

To display statistics for a FirePass controller cluster

  1. Log on to the primary FirePass controller in the cluster.
  2. In the navigation pane, click Clustering, and then click Stats.
    The Clustering : Stats screen opens.

Statistics presented include the number of sessions active on each node, the associated CPU load, the number of TCP/IP connections, and the interval since the most recent primary-secondary synchronization operation.