SonicWALL 5.8.1 Microscope & Magnifier User Manual


High Availability
1137
SonicOS 5.8.1 Administrator Guide
“Benefits” on page 1137
“How Does Stateful High Availability Work?” on page 1137
What is Stateful High Availability?
The original version of SonicOS Enhanced provided a basic High Availability feature where a
Backup firewall assumes the interface IP addresses of the configured interfaces when the
Primary unit fails. Upon failover, layer 2 broadcasts are issued (ARP) to inform the network that
the IP addresses are now owned by the Backup unit. All pre-existing network connections must
be rebuilt. For example, Telnet and FTP sessions must be re-established and VPN tunnels
must be renegotiated.
Stateful High Availability (SHA) provides dramatically improved failover performance. The
Primary and Backup appliances are continuously synchronized so that the Backup can
seamlessly assume all network responsibilities if the Primary appliance fails, with no
interruptions to existing network connections.
Benefits
Stateful High Availability provides the following benefits:
Improved reliability - By synchronizing most critical network connection information,
Stateful High Availability prevents down time and dropped connections in case of appliance
failure.
Faster failover performance - By maintaining continuous synchronization between the
Primary and Backup appliances, Stateful High Availability enables the Backup appliance to
take over in case of a failure with virtually no down time or loss of network connections.
Minimal impact on CPU performance - Typically less than 1% usage.
Minimal impact on bandwidth - Transmission of synchronization data is throttled so as
not to interfere with other data.
How Does Stateful High Availability Work?
Stateful High Availability is not load-balancing. It is an active-idle configuration where the
Primary appliance handles all traffic. When Stateful High Availability is enabled, the Primary
appliance actively communicates with the Backup to update most network connection
information. As the Primary appliance creates and updates network connection information
(VPN tunnels, active users, connection cache entries, etc.), it immediately informs the Backup
appliance. This ensures that the Backup appliance is always ready to transition to the Active
state without dropping any connections.
The synchronization traffic is throttled to ensure that it does not interfere with regular network
traffic. All configuration changes are performed on the Primary appliance and automatically
propagated to the Backup appliance. The High Availability pair uses the same LAN and WAN
IP addresses—regardless of which appliance is currently Active.
When using SonicWALL Global Management System (GMS) to manage the appliances, GMS
logs into the shared WAN IP address. In case of a failover, GMS administration continues
seamlessly, and GMS administrators currently logged into the appliance will not be logged out.
However, Get and Post commands may result in a timeout with no reply returned.
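
The failover behaviour described above (the pair shares its LAN and WAN IP addresses, and ARP broadcasts announce the Backup as the new owner) can be checked from the monitoring side. The following is an added example, not taken from the SonicOS guide: it classifies changes in which MAC address claims a shared IP as a failover within the pair or as an unexpected owner. It assumes the two units announce different MAC addresses for the shared IP; the inventory, addresses and log format are constructed for illustration.

```python
# Added example: classify ARP ownership changes for an HA pair's shared IPs.
# Every address, MAC and the log format below is constructed for illustration.
from collections import namedtuple

Event = namedtuple("Event", "time ip old_mac new_mac verdict")

# Hypothetical inventory: shared interface IP -> MACs of the Primary and Backup.
HA_PAIR = {
    "192.0.2.1": {"00:00:5e:00:53:01", "00:00:5e:00:53:02"},  # WAN
    "10.0.0.1": {"00:00:5e:00:53:11", "00:00:5e:00:53:12"},   # LAN
}

# Constructed ARP observations: "<epoch seconds> <sender IP> <sender MAC>"
SAMPLE_LOG = """\
1000 10.0.0.1 00:00:5E:00:53:11
1000 192.0.2.1 00:00:5e:00:53:01
1060 10.0.0.1 00:00:5e:00:53:11
1075 10.0.0.1 00:00:5e:00:53:12
1075 192.0.2.1 00:00:5e:00:53:02
1300 10.0.0.1 00:00:5e:00:53:99
garbled line
1400 10.0.0.50 00:00:5e:00:53:aa
"""

def classify(log_text, pair=HA_PAIR):
    """Return an Event for each change of owner of an HA-shared IP."""
    owner = {}   # shared IP -> pair-member MAC last seen claiming it
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue                  # skip malformed lines
        ts, ip, mac = int(parts[0]), parts[1], parts[2].lower()
        if ip not in pair:
            continue                  # not an address shared by the pair
        prev = owner.get(ip)
        if mac not in pair[ip]:
            # Claimed by a MAC outside the pair: report it, keep the old owner.
            events.append(Event(ts, ip, prev, mac, "unexpected-owner"))
            continue
        if prev is not None and mac != prev:
            events.append(Event(ts, ip, prev, mac, "failover"))
        owner[ip] = mac
    return events

if __name__ == "__main__":
    for event in classify(SAMPLE_LOG):
        print(event)
```
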