Salt/Pepper Design for VSDs?



  • Topology
        ---------------FW1---------------
        |              |                |
        |              |                |
    Resource A          HA              Resource B
        |              |                |
        |              |                |
        ---------------FW2---------------

    Requirements

    1. Utilize both of our SSG-550s.

    2. Asymmetric traffic flow - in case we have link failures

    Solution?

    1. Would like to have some VSDs active on FW1 and some VSDs active on FW2.  I have gotten this part to work.  Will NOT be using a load balancer to feed traffic to the firewalls.

    2. I.e. FW1 link to Resource A fails along with FW2 link to Resource B.  Traffic would need to traverse the HA link.  Not much luck here - traffic appears to just be dropped.

    Is the above possible?  SSG-550s running 6.0 r3.


  • Global Moderator

    If the link to resource A fails, the associated VSD should go down, if you configure interface monitoring and IP tracking the right way. So all traffic (for both VSDs) goes through B. You need to configure unset flow tcp syn-check by the way.

    The HA secondary PATH is in fact, as I recall well, a third HA path. If both HA links fail the backup device will try to “see” the master over this path (normal data path, no layer 3 device will be crossed). Only when it doesn’t see this will it promote itself to master. This is there to prevent getting two masters (and so duplicate IP addresses) in the network. Anyway I really don’t like the Active-Active solution. When possible I always choose to work with a device fast enough to handle all traffic and make an active-passive set-up. This HA solution is the best and easiest to configure I’ve come across.

    Hope this helps a little bit.


  • Engineer

    hi,

    if i understand it correctly, this is not gonna work.

    the HA data link is there for traffic which is routed asymmetrically! this means, for example:

    traffic which came in on FW1 for some reason then comes back via FW2. then FW2 will route the traffic back to FW1 (because it knows it is traffic which is for FW1) via the HA DATA link.

    GreetZ,
    Frac



  • If FW1 link to Resource A fails, FW2 link to Resource A is still live.  Same thing can be said about Resource B and so on.

    ----  X  ------FW1---------------
        |              |                |
        |              |                |
    Resource A          HA              Resource B
        |              |                |
        |              |                |
        ---------------FW2-----  X  -----

    In the above situation I would like traffic between Resource A and B to flow like this:

    A > FW2 > HA > FW1 > B

    B > FW1 > HA > FW2 > A


  • Engineer

    hi,

    what is the big issue here?

    if the link to resource A fails on FW1 (will the same path to A also fail on FW2?), if so there is a command “set nsrp master-always-exist” or something like that. this will make sure that if the path on both firewalls fails, the master will be Master instead of Inactive!

    if this is not what you mean, could you explain in detail then.

    btw: the normal 2 HA links didn’t work (because 1 gig link should do both the HA control and data link)

    GreetZ,
    Frac



  • Ideally we would have two links from each FW to each resource but we can’t do that :x.

    Added a second gig link as the data link for HA - that did not work either.  Is the setup I am trying to get going something that is normally done?  I can’t imagine most seeing multiple link failures as being an acceptable case to bring the entire FW down.

    I figure if there is a physical path for traffic to flow over - that path should be an option for data to flow over (if deemed ok by whoever is responsible for the routing/fw).

    Any ideas on how I can get this working?  Thanks.


  • Engineer

    hi,

    correct, when using a gig link it will use it for both control and data.

    if you want full HA in your situation i would use redundant interfaces.

    this means you will have an active interface to resource A via 2 different switches (so if resource A interface 1 fails it will use interface 2) => look in the concepts and examples guide (full mesh A/A)

    i think that this is what you want.

    because i dunno if your situation would work ok.

    GreetZ,
    Frac



  • Frac thanks for the reply.

    The interfaces (from FW1 and FW2) facing Resource A are in VSD1 and the interfaces facing Resource B are in VSD2.

    From what I have seen, VSDs are usually set up to include all the interfaces that traffic would flow through.  I.e. they do the ingress and egress interfaces - in my example that would be: FW1 int to Resource A and int to Resource B would be in VSD1, FW2 int to Resource A and int to Resource B would be in VSD2.  I don’t want to do this because multiple failures would bring traffic flow down (FW1 to A down and FW2 to B down).  BTW, when I say interface/int I am referring to a VSI.

    get nsrp

    nsrp link info:
    control  channel: ethernet0/3 (ifnum: 7)  mac: blahblahblah state: up
    data      channel: ethernet0/3 (ifnum: 7)  mac: blahblahblah state: up
    ha secondary path link not available

    Currently have one gigabit link for HA.  Control and Data looks like they should be using the same link.

    I will add a second link to HA and see what happens.  Will post back soon.  Thanks again.


  • Engineer

    hi,

    if you do A/A you need 2 HA links.

    do a “get nsrp”, here you will see control link = interface, look if there is also data link = interface

    you need 2 x 100Mb links, one for control and one for data. the data link will be used for the traffic that is coming to the wrong member (it will send it to the correct member over this HA link)

    GreetZ,
    Frac
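    Added example configuration, not posted by anyone in this thread: a ScreenOS NSRP fragment for the topology above that pulls together the settings the replies mention (per-VSD interface monitoring and IP tracking, master-always-exist, mirrored sessions with syn-check off, and separate control, data and secondary-path HA links). Interface names follow the get nsrp output earlier in the thread; the addresses are invented, and the per-VSD monitor, track-ip and HA-zone syntax is assumed from ScreenOS 6.x and should be checked against your release before use.

```screenos
## Cluster membership; run on both SSG-550s with the same cluster id
set nsrp cluster id 1
## Two VSD groups: VSD 1 is intended to be master on FW1, VSD 2 on FW2.
## Lower priority wins; put the mirrored values (100 / 50) on FW2.
set nsrp vsd-group id 1 priority 50
set nsrp vsd-group id 2 priority 100
## Keep a master even when the monitored objects fail on both members
## (the command Frac refers to above)
set nsrp vsd-group master-always-exist
## VSIs: the A-facing interface belongs to VSD 1, the B-facing one to VSD 2
## (addresses are example values, not from the thread)
set interface ethernet0/1:1 ip 10.1.1.1/24
set interface ethernet0/2:2 ip 10.2.2.1/24
## Interface monitoring per VSD (assumed syntax): when the physical link
## toward Resource A drops, VSD 1 fails over instead of black-holing traffic
set nsrp vsd-group id 1 monitor interface ethernet0/1
set nsrp vsd-group id 2 monitor interface ethernet0/2
## IP tracking catches upstream failures that link state does not show;
## this is device-wide, so a lost next hop fails over every VSD on the box
set nsrp track-ip ip 10.1.1.254 interface ethernet0/1 weight 255
set nsrp track-ip
## Sessions exist on both members, so a flow that returns through the other
## box is accepted; syn-check would otherwise drop mid-stream packets
set nsrp rto-mirror sync
unset flow tcp syn-check
## Two HA-zone links so control and data get separate channels
## (with one link, get nsrp shows both channels on ethernet0/3, as above)
set interface ethernet0/3 zone ha
set interface ethernet0/4 zone ha
## Secondary path on a normal data interface: used only to re-check the
## master when both HA links are lost, to avoid two masters with duplicate IPs
set nsrp secondary-path ethernet0/5
```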

