Symantec™ Security Gateways Reference Guide - Sawmill

130 Ensuring availability
Stateful failover

Authoritative node
The authoritative node is the decision maker for which node handles a packet. This node applies the configured algorithm to determine which machine should receive the packet; the available algorithms include round robin and least load. If the selected node is able to handle the packet, that node becomes the owner of all packets in that connection. If the selected node is unable to accept a new connection, for example because it is under high load, the packet is offered to another node until one accepts it.

Heartbeat network
The heartbeat network is the subnet the cluster uses to share state information. It is also the network the incident node uses to keep track of which machines are still up and therefore viable candidates for packets.

If licensed for HA/LB, the System Setup Wizard requires that you define the heartbeat network. Traffic on the heartbeat network is not encrypted. Choose a private network as the heartbeat, and keep it separate from any other protected network so that it carries nothing but cluster traffic and cannot be observed from a protected segment.

The heartbeat network uses five ports for clustering. When configuring the cluster, the wizard asks for a starting port and then takes the next four consecutive ports to make up the five. Ensure that the starting port, and the four derived from it, do not overlap a port that is already in use. The wizard does not enforce this: if another service is listening on the chosen port or on any of the derived ports, the two will conflict.

Warning: Do not enable IDS on the heartbeat network. Doing so degrades the performance of both the cluster and the security gateway.

Stateful failover
Stateful failover is enabled by a rule and is a best-effort mechanism. The stateful failover routines use a UDP connection to transmit state to the other nodes in the cluster. Because the other nodes send no acknowledgement, there is no guarantee that every node in the cluster has received the latest information. To reduce this risk, the cluster sends updates every minute, which lowers the likelihood that a node will have to take over a connection without the correct state.

Because stateful failover is rule-based, an administrator can configure failover for one type of service and leave it off for another. Tunnel connections use stateful failover by default and are the only connections that do not require a rule to enable it. Beyond tunnel connections, stateful failover can be applied to HTTP, FTP, Telnet, TCP GSP, and TCPAP GSP connections; for these connection types it is disabled by default and must be enabled by a rule.

Stateful failover carries a cost. With it enabled, every new connection requires a record in the state table, approximately 200 bytes in size. Because each state table is initially unique to its node, each table must be propagated to all other nodes, so every new connection adds roughly 200 bytes to the state table of every node in the cluster, and the propagation traffic for each connection grows with the number of nodes.

Carefully consider which types of service to configure for failover and which to let fail. HTTP connections, for example, are usually short-lived and numerous. With a large number of nodes in a cluster protecting a Web server, enabling stateful failover causes each node to generate broadcast traffic to disperse the state for every new connection, and on very busy sites this can significantly affect response time.

For longer-lived connections, such as FTP sessions or VPN tunnels, enabling stateful failover makes sense. Stateful failover is enabled automatically for VPN tunnels because the only state shared is the Phase 1 ID, which produces minimal state traffic. When a failover occurs, the new node performs a Phase 2 negotiation that is transparent to the user. This may appear as a brief moment of unresponsiveness, after which the connection resumes normally.
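Because the wizard takes a starting port and silently derives the next four, and nothing on the gateway enforces the choice, the practical check before committing a cluster configuration is to compute all five ports and compare them against what is already bound on the node. The following is an added example, not code from the Symantec guide or product; the listener listing it parses is constructed sample data in the style of `ss -lntu` output, and the assumption that a port counts as taken whether TCP or UDP is bound is mine, since the guide does not state which transports the five ports use.

```python
"""Check a proposed heartbeat starting port against ports already in use.

Added example, not from the Symantec guide. The guide says the wizard takes a
starting port plus the next four consecutive ports (five in all) and does not
enforce the choice, so a collision with another service goes unnoticed.
"""
import re

HEARTBEAT_PORT_COUNT = 5  # starting port plus the next four consecutive ports

# Constructed sample of `ss -lntu`-style output from a gateway node (not real data).
SAMPLE_LISTENERS = """\
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:500          0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:4500         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
tcp   LISTEN 0      128    192.168.250.1:2456   0.0.0.0:*
udp   UNCONN 0      0      192.168.250.1:2459   0.0.0.0:*
"""


def heartbeat_ports(start_port):
    """Return the five ports the wizard derives from start_port."""
    last_port = start_port + HEARTBEAT_PORT_COUNT - 1
    if start_port < 1 or last_port > 65535:
        raise ValueError("heartbeat port range must fit within 1-65535")
    return list(range(start_port, last_port + 1))


def ports_in_use(listener_output):
    """Parse (protocol, port) pairs from ss/netstat-style listener output.

    Skips the header line and any line that does not have a local address
    column; the port is the number after the last colon of that column.
    """
    in_use = set()
    for line in listener_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        match = re.search(r":(\d+)$", fields[4])
        if match:
            in_use.add((fields[0], int(match.group(1))))
    return in_use


def heartbeat_conflicts(start_port, listener_output):
    """Return the derived heartbeat ports that another service already binds.

    Assumption (mine, not the guide's): a port is treated as conflicting
    whether the existing listener is TCP or UDP.
    """
    bound = {port for _, port in ports_in_use(listener_output)}
    return sorted(p for p in heartbeat_ports(start_port) if p in bound)


if __name__ == "__main__":
    for candidate in (2455, 3000):
        clash = heartbeat_conflicts(candidate, SAMPLE_LISTENERS)
        print(f"start {candidate}: ports {heartbeat_ports(candidate)}, conflicts {clash}")
```

Run it against the real listener output of every node in the cluster, not just one: the five ports must be free on all of them, and the check is worth repeating whenever a new service is added to a node after the cluster has been built.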
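The guide's advice to enable stateful failover for long-lived services and leave it off for short-lived, numerous ones can be made concrete with a small cost model. The following is an added example, not code from the guide or product: it takes the guide's figure of roughly 200 bytes per state record, one record per new connection, propagated to every other node. The traffic profile is constructed sample data, and the use of arrival rate times mean lifetime to estimate concurrent connections (Little's law) and the per-protected-connection-second cost metric are my assumptions, not figures from the guide.

```python
"""Model the cost of enabling stateful failover per service type.

Added example, not from the Symantec guide. Uses the guide's ~200-byte
record, one record per new connection, propagated to every other node.
The traffic profile below is constructed, and the Little's-law estimate of
concurrent connections is an assumption of this model.
"""
STATE_RECORD_BYTES = 200

# Constructed traffic profile: new connections per second and mean lifetime
# in seconds for the services the guide contrasts.
SAMPLE_PROFILE = {
    "HTTP": {"rate": 2000.0, "mean_seconds": 2.0},   # short-lived, numerous
    "FTP": {"rate": 5.0, "mean_seconds": 300.0},     # long-lived, few
}


def propagation_bytes_per_second(rate, nodes):
    """Cluster-wide heartbeat bytes/s needed to disperse new state.

    Each new connection's record is sent to the other (nodes - 1) nodes.
    """
    if nodes < 2:
        raise ValueError("a cluster needs at least two nodes")
    return rate * STATE_RECORD_BYTES * (nodes - 1)


def shared_state_table_bytes(rate, mean_seconds):
    """Steady-state bytes of this service's state held by every node.

    Concurrent connections = rate * mean lifetime (Little's law, assumption);
    every node holds a record for each, since tables are propagated to all.
    """
    return rate * mean_seconds * STATE_RECORD_BYTES


def failover_cost(profile, nodes):
    """Per-service cost figures for a cluster of the given size.

    bytes_per_protected_connection_second is my heuristic: propagation bytes
    per connection divided by how long that connection is protected. Short
    connections score high (much traffic for little benefit); long ones low.
    """
    costs = {}
    for service, p in profile.items():
        per_connection = STATE_RECORD_BYTES * (nodes - 1)
        costs[service] = {
            "propagation_bps": propagation_bytes_per_second(p["rate"], nodes),
            "state_bytes_per_node": shared_state_table_bytes(p["rate"], p["mean_seconds"]),
            "bytes_per_protected_connection_second": per_connection / p["mean_seconds"],
        }
    return costs


def recommend(profile, nodes, max_bytes_per_protected_second=50.0):
    """Services whose heuristic cost is under the threshold (threshold is arbitrary)."""
    costs = failover_cost(profile, nodes)
    return sorted(
        s for s, c in costs.items()
        if c["bytes_per_protected_connection_second"] <= max_bytes_per_protected_second
    )


if __name__ == "__main__":
    for service, cost in failover_cost(SAMPLE_PROFILE, nodes=4).items():
        print(service, cost)
    print("enable stateful failover for:", recommend(SAMPLE_PROFILE, nodes=4))
```

With the sample profile and four nodes, HTTP costs about 1.2 MB/s of heartbeat traffic to protect connections that last two seconds each, while FTP costs a few KB/s to protect five-minute sessions; that asymmetry, rather than the absolute numbers, is the point the guide makes.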
