Symantec™ Security Gateways Reference Guide - Sawmill


Ensuring availability

Load balancing

To help reduce potential congestion, the clustering routines monitor all connections that have been assigned for failover. The security gateway sets an internal timer for these connections when they are established. If the connection does not last for at least 60 seconds, no state information is passed between nodes. This means that short-lived connections that live less than 60 seconds do not fail over, even if failover is selected. This minimum time can be reduced by setting the appropriate advanced parameter, but it always defaults to a minimum of 30 seconds.

A load balancing implementation that uses only the source and destination IP address to define a connection employs a 2-tuple (two distinct items) algorithm. There is a disadvantage to using this type of load balancing algorithm. Power users might connect to the same machine many times throughout the day. Because the source and destination IP address don't change, their connections are always handled by the same node, because the algorithm always derives the same result.

The Symantec approach uses a 5-tuple (five distinct items) algorithm based on the source and destination IP addresses, the source and destination ports, and the protocol to determine which node to send packets to. This more granular approach improves the cluster's load balancing effectiveness. Notice that even for a power user, the user is no longer locked into one node. Even though the source and destination IP address, the destination port, and the protocol would most likely stay the same, the source port is random. This means that for every new connection, the algorithm recalculates with at least one new parameter.

Cluster administration

Creating a cluster, adding nodes to a cluster, and deleting nodes from a cluster are all handled through the Cluster Wizard. Once a cluster has been created and defined, the status of the cluster is viewed using the monitoring page or through report generation. Cluster functionality is only available on systems licensed for cluster support.

Creating a new cluster and adding nodes

When creating a new cluster, you can choose any free node to set up the cluster, and that node becomes the reference node. The hardware and network configuration of the reference node becomes the basis for all other nodes. The reference node is implicitly added to the cluster, since it is the node from which the cluster creation sequence was initiated. Once connected to the reference node, the user runs the Cluster Wizard. To build the cluster, new nodes are added. A cluster must have at least two machines.

When you choose to add a new node to the cluster, the reference node opens a secure management connection on port 2456 to the candidate node. The reference node then qualifies the candidate node, ensuring that the candidate node has the proper hardware configuration, has connections to the same networks as the reference node, is not a member of any other cluster, and has the proper cluster license. If the candidate node passes the qualification stage, the reference node notifies the candidate node that it may join the cluster, and passes a small record to the candidate node. This record includes the cluster name, cluster ID, IP address of the reference node, and fingerprint of the reference node certificate. With this information, the new node is now able to communicate on the heartbeat network with the reference node. The secure connection between the reference node and the new node is closed as soon as the reference node executes a successful activate changes.
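To make the 2-tuple versus 5-tuple difference from the load balancing section concrete, here is an added Python example (not code from the guide or from Symantec's product) that replays the power-user scenario: one client opening many connections to one server with changing ephemeral source ports. The SHA-256 bucket hash, the four-node cluster and the 30-second floor helper are assumptions standing in for the gateway's internal algorithm.

```python
import hashlib
from collections import Counter

def _bucket(key: str, node_count: int) -> int:
    """Map a flow key to a node index with a stable hash (assumed; not the gateway's real hash)."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % node_count

def node_2tuple(conn: dict, node_count: int) -> int:
    """2-tuple selection: only the source and destination IP decide the node."""
    return _bucket(f"{conn['src_ip']}|{conn['dst_ip']}", node_count)

def node_5tuple(conn: dict, node_count: int) -> int:
    """5-tuple selection: both IPs, both ports and the protocol decide the node."""
    key = (f"{conn['src_ip']}:{conn['src_port']}|"
           f"{conn['dst_ip']}:{conn['dst_port']}|{conn['proto']}")
    return _bucket(key, node_count)

def distribution(connections, node_count: int):
    """Return per-node connection counts under the 2-tuple and 5-tuple schemes."""
    two = Counter(node_2tuple(c, node_count) for c in connections)
    five = Counter(node_5tuple(c, node_count) for c in connections)
    return dict(two), dict(five)

def effective_min_age(configured_seconds: int = 60) -> int:
    """Minimum connection age before state is shared for failover; floors at 30 s as the guide states."""
    return max(30, configured_seconds)

def failover_eligible(age_seconds: float, configured_seconds: int = 60) -> bool:
    """Only connections that have lasted at least the minimum age get their state passed between nodes."""
    return age_seconds >= effective_min_age(configured_seconds)

def power_user_connections(n: int = 200):
    """Constructed sample: one client reaching one HTTPS server n times with ephemeral source ports."""
    return [{"src_ip": "10.0.0.5", "src_port": 49152 + i, "dst_ip": "192.0.2.10",
             "dst_port": 443, "proto": "tcp"} for i in range(n)]

if __name__ == "__main__":
    two, five = distribution(power_user_connections(), node_count=4)
    print("2-tuple:", two)   # every connection pinned to a single node
    print("5-tuple:", five)  # connections spread across the cluster
    print("59 s connection fails over:", failover_eligible(59))
    print("60 s connection fails over:", failover_eligible(60))
```

With the 2-tuple scheme the counter holds a single node with all 200 connections; with the 5-tuple scheme the varying source port spreads the same client across the cluster.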
