Symantec™ Security Gateways Reference Guide - Sawmill

Ensuring availability
Cluster components

Periodically, each node in the cluster announces the revision it currently has, including that node's cluster ID and revision timestamp. The most current revision is chosen, and the node with that revision becomes the reference node. The synchawk daemon on each other node then pulls down the configuration from the reference node. Synchronization algorithms ensure that even if the system time on each node is different, the most current configuration is always selected.

Bullfrog daemon

The bullfrog daemon provides state sharing among nodes in the cluster, and continuously updates driver state information received from other nodes. Bullfrog also periodically pings other cluster nodes and maintains a table of which nodes are still active and can receive packets.

Virtual IP addresses

All configured network adapters have a unique physical IP address. Routing protocols prohibit two network adapters on a connected network from sharing the same IP address. In fact, most operating systems announce when two separate adapters sharing the same IP address are detected.

Each node maintains an ARP table that is used to map the IP addresses of other interfaces to their respective MAC addresses. As soon as an interface is configured, an entry containing the MAC address and IP address for the interface is placed in the ARP table. When ARPs and RARPs are broadcast on the network, each node looks at the information in its ARP table, and if the adapter information matches the request, that node answers. This is how each node on a network learns where to route packets.

Symantec's cluster implementation uses virtual addresses to direct traffic. When a VIP is created, an adapter entry is placed in the routing table of each node in the cluster. Unlike physical network adapter records, the virtual adapter record on each node can and does contain the same IP address.

Each machine in the cluster shares the same virtual IP address for a given subnet, and is viewed as a potential candidate to receive packets. If one security gateway goes down, another security gateway can assume control and handle any new requests, providing continued connectivity to your network. All of this is done without having to change or reassign default gateways on any hosts. All hosts point to the VIP, and not the real IP address of a given node.

Because the VIP is assigned to a subnet, all of the nodes in the cluster on that subnet have the same virtual adapter. With load balancing configured, the cluster spreads out the connections more evenly over several different machines instead of always sending requests to one machine. This makes more efficient use of your network resources.

Incident node

Even though each node in the cluster has the same virtual adapter information, only one node can physically own the VIP at any given time. Without a single owner, there would be no way to decide which security gateway a packet was supposed to go to. When the VIP is established, internally, a node is chosen to answer ARP requests. This node is referred to as the incident node.

The incident node is responsible for maintaining a handle on the current condition of each of the nodes in the cluster, which includes tracking the nodes that need to be updated with state information. The incident node also bears the responsibility of directing incoming packets to the authoritative node. If a failure occurs on the incident node, another node in the cluster is automatically assigned control of the VIP and becomes the incident node.

When a packet arrives at the incident node, it is checked against the known connection list in the symmetric routing table. If an entry exists, the packet is processed on that node. If there is no entry, the incident node employs a hash algorithm to determine which node is authoritative for the connection. The hash algorithm assigns the numbers 0 - 31 as evenly as possible to all nodes in the cluster. With only two nodes, for example, the first machine is assigned the numbers 0 - 15, and the second node receives 16 - 31. The assignment pools grow smaller for each additional node added. Once the target node is determined, a new entry is placed in the symmetric routing table, and the packet is then directed to that node.
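The bucket assignment and symmetric routing table lookup described above, as an added illustration in Python; this is not code from the Symantec guide or product. The guide only documents that 32 bucket numbers are split evenly across nodes, so the hash over the connection 5-tuple (SHA-256, first byte modulo 32), the zero-based node indexing, the IncidentNode class and the constructed sample flows are all assumptions made for the example. It generalizes the two-node case in the text to any cluster size, handing any remainder buckets to the first nodes so that no two nodes differ by more than one bucket.

```python
"""Bucket-based connection ownership, modelled on the guide's description of
the incident node. Constructed illustration: the gateway's real hash is not
documented here, so SHA-256 over the 5-tuple stands in for it."""
import hashlib
from dataclasses import dataclass, field

BUCKETS = 32  # per the guide, the hash assigns the numbers 0 - 31 across the cluster


def bucket_ranges(node_count):
    """Split buckets 0..31 over node_count nodes as evenly as possible.

    Returns one inclusive (low, high) range per node, in node order. Any
    remainder buckets go to the first nodes, so ranges differ by at most one.
    """
    if not 1 <= node_count <= BUCKETS:
        raise ValueError("node_count must be between 1 and %d" % BUCKETS)
    base, extra = divmod(BUCKETS, node_count)
    ranges, start = [], 0
    for i in range(node_count):
        size = base + (1 if i < extra else 0)
        ranges.append((start, start + size - 1))
        start += size
    return ranges


def owner_of_bucket(bucket, node_count):
    """Node index that is authoritative for a given bucket number."""
    for idx, (low, high) in enumerate(bucket_ranges(node_count)):
        if low <= bucket <= high:
            return idx
    raise ValueError("bucket %r outside 0..%d" % (bucket, BUCKETS - 1))


def connection_bucket(proto, src_ip, src_port, dst_ip, dst_port):
    """Fold a connection 5-tuple into a bucket 0..31.

    Assumed hash (SHA-256, first byte mod 32), chosen only so the example is
    deterministic and evenly spread; it is not the gateway's own function.
    """
    key = "%s|%s:%d->%s:%d" % (proto, src_ip, src_port, dst_ip, dst_port)
    return hashlib.sha256(key.encode()).digest()[0] % BUCKETS


@dataclass
class IncidentNode:
    """Minimal model of the incident node's symmetric routing table."""
    node_count: int
    routing_table: dict = field(default_factory=dict)

    def route(self, five_tuple):
        """Return (authoritative node index, how it was decided).

        A known connection is served from the table; a new one is hashed,
        its owner recorded, and the packet sent on to that owner.
        """
        if five_tuple in self.routing_table:
            return self.routing_table[five_tuple], "table"
        node = owner_of_bucket(connection_bucket(*five_tuple), self.node_count)
        self.routing_table[five_tuple] = node
        return node, "hash"


def distribution(node_count, sample_size):
    """Count how many of sample_size constructed client flows land on each node."""
    counts = [0] * node_count
    for n in range(sample_size):
        # constructed sample flows: distinct client addresses/ports to one web server
        flow = ("tcp", "10.0.0.%d" % (n % 250 + 1), 40000 + n, "192.0.2.10", 443)
        counts[owner_of_bucket(connection_bucket(*flow), node_count)] += 1
    return counts


if __name__ == "__main__":
    print("two-node ranges:", bucket_ranges(2))
    incident = IncidentNode(node_count=2)
    flow = ("tcp", "10.0.0.5", 51234, "192.0.2.10", 443)
    print("first packet ->", incident.route(flow))
    print("later packet  ->", incident.route(flow))
    print("256 flows over 3 nodes:", distribution(3, 256))
```

The point of the two-step lookup is stability: once a connection has been hashed and recorded, every later packet of that connection goes to the same node regardless of how the hash would fall, which is what lets a stateful gateway keep inspecting a flow it has already accepted. The distribution() helper makes the "as evenly as possible" claim checkable: with a reasonable hash, the per-node counts stay close to each other and, as the text says, each node's share shrinks as nodes are added.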
