HA Network Connections and Failovers
Once the HA cluster is running, the active and passive Screens poll each other every few seconds to verify connectivity and status. If the active Screen fails or becomes unavailable, the passive Screen that has been running the longest takes over within 15 seconds. During this time (before the passive Screen takes over), no traffic goes through the HA cluster.
HA is designed to maintain the great majority of network connections. During a reboot (an orderly shutdown), the active Screen being rebooted notifies the passive Screens, and the appropriate passive Screen takes over as the active Screen without loss of connections. Because the passive Screens do not forward, reject, or log packets, the load on passive Screens is less than the load on the active Screen. Consequently, load-induced faults that affect the active Screen are unlikely to have affected the passive Screens. Once the previously-passive secondary Screen becomes active, of course, it is subject to the same load that caused the failure.
Failover can disrupt the following connections:
-
Continued connections, for protocols that keep state (memory), such as TCP connections
-
Stateful connections, such as FTP, NFS, NIS, and RPC
These connections can be lost under any of the following conditions:
-
The Screen taking over the filtering does not have the same state information when the failover condition occurs
-
A connection through the HA cluster uses dynamic NAT and two or more connections have identical destination addresses, destination ports, or source ports
HA automatically disconnects if it is only running on one system, allowing it to act like a standard Screen.
You can configure a Screen as part of an HA cluster during installation. Alternatively, you can configure HA settings through the command line, as described in Appendix B, Configuration Editor Reference.
- © 2010, Oracle Corporation and/or its affiliates