Stateful Failover Technology White Paper

Stateful Failover Technology White Paper

Keywords: Stateful failover, master/backup mode, load balancing mode, data synchronization,

link switching

Abstract: A firewall device is usually the access point of a network. Once the firewall fails, a single

point of failure occurs and all the traffic will be interrupted. To avoid this, you can use the

stateful failover feature to ensure continuous data transmission. This document describes

the concepts, working mode, implementation and application scenarios of stateful failover.

Acronyms:

Acronym Full spelling

ALG Application Level Gateway

ASPF Application Specific Packet Filter

NAT Network Address Translator

VRRP Virtual Router Redundancy Protocol

OSPF Open Shortest Path First

Hangzhou H3C Technologies Co., Ltd. www.h3c.com. 1/15

 Stateful Failover Technology White Paper

Table of Contents

1 Overview......................................................................................................................................... 3
1.1 Background.......................................................................................................................... 3
1.2 Benefits ................................................................................................................................ 5

2 Operating Modes of Stateful Failover............................................................................................. 5

2.1 Active/Standby Mode........................................................................................................... 5
2.2 Load Balancing Mode .......................................................................................................... 6

3 Stateful Failover Implementation.................................................................................................... 7

3.1 Data Synchronization........................................................................................................... 7
3.2 Link Switchover.................................................................................................................... 8
3.2.1 Link Switchover Through VRRP................................................................................ 8
3.2.2 Link Switchover Through Dynamic Routing ............................................................ 10
3.3 Limitations.......................................................................................................................... 11

4 Stateful Failover Technology Characteristics of H3C................................................................... 12

5 Application Scenarios ................................................................................................................... 12

5.1 Stateful Failover Configuration Example (Routing Mode + Active/Standby Mode) ........... 12
5.2 Stateful Failover Configuration Example (Routing Mode + Load Balancing Mode) .......... 13
5.3 Stateful Failover Configuration Example (Transparent Mode + Load Balancing Mode) ... 14

6 References ................................................................................................................................... 15

Hangzhou H3C Technologies Co., Ltd. www.h3c.com. 2/15

 Stateful Failover Technology White Paper

1 Overview

1.1 Background

Continuous data transmission at key service entries and access points (such as the
Internet access point of an enterprise or a database server of a bank) must be
ensured. In Figure 1, only one firewall is deployed at the access point. If it fails,
services between the internal and external networks will be interrupted.

Figure 1 Network diagram for a single point failure

To avoid such single point of failures, the traditional backup network solution deploys
multiple devices (routers or forwarding devices only) at the access point for service
backup and link switchover. Once the active device fails, traffic will switch to a
standby device through VRRP or a dynamic routing protocol. In such a network,
packets are forwarded based on the forwarding table; however, if stateful firewalls are
deployed at the access point, packets need to match session entries before they can
pass. Typically, the active firewall checks the first packet of a session, and then
creates a session entry (including the source IP address/port number and destination
IP address/port number of the packet) if it permits the packet to pass. Subsequent

Hangzhou H3C Technologies Co., Ltd. www.h3c.com. 3/15

 Stateful Failover Technology White Paper

packets matching the session entry can pass through the firewall. After link
switchover, the packets may not find the session entry on the standby device and
thus cannot pass through the firewall.

The stateful failover solution can solve the problem. In a stateful failover network, the
firewall devices synchronize session information before link switchover. If the active
device fails, service traffic is switched to the standby device to ensure session
continuity. In Figure 2, two firewalls are deployed at the access point. If Firewall 1 fails,
the service traffic is switched to Firewall 2. Because Firewall 2 has performed data
synchronization with Firewall 1, the current service is not interrupted, and the network
stability and reliability are improved.

Internet

Firewall 1 Firewall 2

Private network

Subnet 1: 192.168.1.1/24 Subnet 2: 192.168.2.1/24

Figure 2 Network diagram for stateful failover

Stateful failover can be regarded as a solution to solve single point failure by data
synchronization and link switchover; it can also be regarded as a funtional module
(because it only implements data synchronization) that can be configured through the
web interface. This manual describes stateful failover from the first perspective.

Hangzhou H3C Technologies Co., Ltd. www.h3c.com. 4/15

 Stateful Failover Technology White Paper

1.2 Benefits

Compared with the traditional backup network solution, the stateful failover solution:

z Avoids service interruption upon a single point failure.

z Supports two operating modes (active/standby mode and load balancing mode)
and two firewall working modes (routing mode and transparent mode), making
the solution applicable to complicated network requirements.

The routing mode indicates the firwall works as a Layer 3 device, and the transparent
mode indicates the firwall works as a Layer 2 device on the network.

2 Operating Modes of Stateful Failover

The stateful failover solution supports two operating modes, namely active/standby
and load balancing. In the two modes, a device that forwards traffic is the active
device, and a device that does not forward traffic is a standby device.

2.1 Active/Standby Mode

If two firewalls are in the active/standby mode, one firewall acts as the active device,
and the other firewall acts as the standby device. The active device processes all
services and synchronizes session information to the standby device. The standby
firewall serves as the backup and does not process services. In Figure 3, Firewall 1
processes all services and Firewall 2 is used for backup. When Firewall 1 fails,
Firewall 2 takes over the services, as shown in Figure 4, thus ensuring the
establishment of new sessions and the continuity of the current sessions.

Hangzhou H3C Technologies Co., Ltd. www.h3c.com. 5/15

 Stateful Failover Technology White Paper

Trust zone Session entries

Firewall 1

Untrust zone

Firewall 2 Session entries

Actual link

Packet path
DMZ zone

Figure 3 Network diagram for sessions before Firewall 1 fails (in active/standby mode)

Trust zone
Firewall 1

Untrust zone

Firewall 2 Session entries

Actual link

Packet path
DMZ zone

Figure 4 Network diagram for sessions after Firewall 1 fails (in active/standby mode)

2.2 Load Balancing Mode

If two firewalls are in the load balancing mode, both devices are active to forward
traffic and back up the session information of each other. In Figure 5, both Firewall 1
and Firewall 2 process traffic and serve as the backup of each other. When Firewall 1

Hangzhou H3C Technologies Co., Ltd. www.h3c.com. 6/15

 Stateful Failover Technology White Paper

fails, Firewall 2 takes over all services, as shown in Figure 4, thus ensuring the
establishment of new sessions and the continuity of the current sessions.

Trust zone Session entries

Firewall 1

Untrust zone

Firewall 2 Session entries

Actual link

Packet path
DMZ zone

Figure 5 Network diagram for sessions before Firewall 1 fails (in load balancing mode)

3 Stateful Failover Implementation

3.1 Data Synchronization

A firewall maintains the information of each session. After the standby device takes
over the services of the active device, it must have correct session information to
process session packets; otherwise, session packets are discarded and sessions are
terminated. Therefore, upon the establishment of new session entries or session
entry changes, the active device needs to synchronize the information to the standby
device for session information consistency. The information that a firewall can
synchronize includes: session, NAT, ALG, ASPF, black list, H.323, SIP, ILS, RTSP,
NBT, and SQLNET.

The data synchronization method can be either of the following:

z Batch backup. After a firewall works for a period of time, a large number of
session entries are generated. Then you can deploy another firewall and enable
stateful failover on both firewalls. The session entries will be synchronized to

Hangzhou H3C Technologies Co., Ltd. www.h3c.com. 7/15

 Stateful Failover Technology White Paper

the newly added device at one time. This process is called batch backup.
z Real-time backup. Upon the establishment of new session entries or session
entry changes, the active firewall synchronizes session information to the
standby device in real time for session information consistency. This process is
called real-time backup.

3.2 Link Switchover

The stateful failover solution uses VRRP or a dynamic routing protocol to implement
link switchover.

3.2.1 Link Switchover Through VRRP

You can configure a group of devices in a LAN as a VRRP group, which functions as
a virtual device. Hosts in the LAN can communicate with other networks through the
virtual device. In the VRRP group, only one device is active to forward packets, which
is called the master; other devices are in standby state, which are called backups and
are ready to take over services based on the device priorities. When the master fails,
the device with the highest priority is elected as the new master and takes over
services. Thus, a link switchover is completed and is totally transparent to users.

Through network and VRRP configurations, you can implement the active/standby or
load balancing mode of stateful failover.

z In the active/standby mode, only one VRRP group is required. The firewalls in
the VRRP group have different priorities and the one with the highest priority is
the master. As shown in Figure 6, create VRRP group 1 on Firewall 1 and
Firewall 2, and configure a higher priority for Firewall 1. Configure the default
gateway of Host A and Host B as the virtual IP address 172.17.1.200/24 of
VRRP group 1. If Firewall 1 works normally, it forwards packets of Host A and
Host B and Firewall 2 serves as backup in monitoring state; if Firewall 1 fails,
Firewall 2 becomes the master and forwards packets of Host A and Host B.

Hangzhou H3C Technologies Co., Ltd. www.h3c.com. 8/15

 Stateful Failover Technology White Paper

Public network

Firewall 1 Stateful failover link Firewall 2

GE0/1 GE0/1

VRRP group 1
Master Virtual IP address: Backup
172.17.1.200//24

Private network

Host A Host B
IP: 172.17.1.10/24 IP: 172.17.1.129/24
Gateway: 172.17.1.200 Gateway: 172.17.1.200

Figure 6 Link switchover through VRRP (in active/standby mode)

z In the load balancing mode, two VRRP groups are required. One firewall serves
as the master in VRRP group 1 and the other firewall serves as the master in
VRRP group 2. As shown in Figure 7, create VRRP group 1 and VRRP group 2
on Firewall 1 and Firewall 2 respectively, and configure a higher priority for
Firewall 1 in VRRP group 1 and a higher priority for Firewall 2 in VRRP group 2.
Configure the default gateway of Host A as the virtual IP address
172.17.1.200/24 of VRRP group 1, and that of Host B as the virtual IP address
172.17.1.201/24 of VRRP group 2. If Firewall 1 works normally, it forwards
packets of Host A and Firewall 2 forwards packets of Host B to implement load
balancing. They serve as backups and monitor the state of each other. If
Firewall 1 fails, Firewall 2 becomes the master in VRRP group 1 and forwards
packets of Host A and Host B.

Hangzhou H3C Technologies Co., Ltd. www.h3c.com. 9/15

 Stateful Failover Technology White Paper

Figure 7 Link switchover through VRRP (in load balancing mode)

3.2.2 Link Switchover Through Dynamic Routing

If devices A and B located on separate networks are reachable through multiple paths,
the dynamic routing protocol selects an optimal path by route calculation. If the path
fails, the routing protocol selects an optimal path from the rest of the paths, and the
failed route is used after recovery. Thus, the connectivity between A and B is ensured.

Through network and dynamic routing configurations, you can implement the
active/standby or load balancing mode of stateful failover. (The following network
diagram takes OSPF as example.)

z In the active/standby mode, one firewall is active and the other firewall is in the
backup state. As shown in Figure 8, enable OSPF on Router A, Router B,
Firewall 1 and Firewall 2, configure them to be in the same OSPF domain, and
configure the cost value of Ethernet 1/1 to be greater than that of Ethernet 1/2
on both Router A and Router B. Then, the path Router A<—>Firewall 1<—
>Router B has a higher priority than the path Router A< — >Firewall 2< —

Hangzhou H3C Technologies Co., Ltd. www.h3c.com. 10/15

 Stateful Failover Technology White Paper

>Router B. If Firewall 1 works normally, packets from the private network are
forwarded by Firewall 1 to the Internet; if Firewall 1 fails, packets from the
private network are forwarded by Firewall 2 to the Internet.
z In the active/standby mode, both firewalls are active and serve as the backup of
each other. As shown in Figure 8, enable OSPF on Router A, Router B, Firewall
1 and Firewall 2, configure them to be in the same OSPF domain, and configure
Router A and Router B to support at least two equal-cost routes. Because the
path Router A<—>Firewall 1<—>Router B has the same priority as the path
Router A<—>Firewall 2<—>Router B, packets from the private network are
forwarded by both Firewall 1 and Firewall 2 to the Internet; if Firewall 1 fails,
packets from the private network are forwarded by Firewall 2 to the Internet.

Internet

OSPF
Router A
Eth1/1 Eth1/2

Firewall 1 Firewall 2

Eth1/1 Eth1/2
Router B

Private network

Figure 8 Link switchover through OSPF

3.3 Limitations
z Stateful failover supports only two devices.
z The hardware configuration and software version must be consistent on the two
devices, and the interface cards on the corresponding slot must be consistent;
otherwise, the device may fail to recognize or fail to find related physical
resources of the information backed up from the other device, resulting in

Hangzhou H3C Technologies Co., Ltd. www.h3c.com. 11/15

 Stateful Failover Technology White Paper

packet forwarding error or failure after link switchover.

z Stateful failover supports data synchronization only and does not support
configuration synchronization. Therefore, if you make some configurations
(such as interface type, VLAN that permitted to pass the interface) on one
device, you need to make the same configurations on the other device.

4 Stateful Failover Technology Characteristics of

H3C
z Stateful failover backs up only session information to ensure session continuity
after link switchover. Link switchover is implemented by using traditional backup
technologies (such as VRRP and dynamic routing protocols), which are flexible
in application and adaptable to various network environments.
z Stateful failover backs up session information through dedicated interfaces that
are not used for forwarding, thus featuring high reliability and performance.

5 Application Scenarios

5.1 Stateful Failover Configuration Example (Routing Mode

+ Active/Standby Mode)

As shown in Figure 9, Firewall and Firewall 2 are deployed at the access point
between the private network and public network, and are working in routing mode. It
is required that: If Firewall 1 works normally, Host A and Host B access Server 1
through Firewall 1; if Firewall 1 fails, Host A and Host B access Server 1 through
Firewall 2 and the ongoing sessions between Host A and Server 1, Host B and
Server 1 are not interrupted.

To meet the requirement, you can configure VRRP group 1 for monitoring the down
links and VRRP group 2 for monitoring the uplinks on Firewall 1 and Firewall 2, and
enable data synchronization between the two firewalls.

Hangzhou H3C Technologies Co., Ltd. www.h3c.com. 12/15

 Stateful Failover Technology White Paper

Server 1
IP: 100.0.0.100/24
Gateway: 100.0.0.200/24

L2 switch A

Master VRRP group 2

Backup
Virtual IP address:
100.0.0.200//24
GE1/3 GE1/3
100.0.0.1/24 100.0.0.2/24
Stateful failover link
Firewall 1 Firewall 2
GE0/1 GE0/1
GE1/2 GE1/2
172.17.1.101/24 172.17.1.102/24
VRRP group 1
Master Virtual IP address: Backup
172.17.1.200//24

L2 switch B L2 switch C

Host A Host B
IP: 172.17.1.10/24 IP: 172.17.1.129/24
Gateway: 172.17.1.200 Gateway: 172.17.1.200

Figure 9 Network diagram for stateful failover (implementing link switchover through VRRP)

5.2 Stateful Failover Configuration Example (Routing Mode

+ Load Balancing Mode)

As shown in Figure 10, Firewall 1 and Firewall 2 are deployed at the access point
between the private network and public network, and are working in routing mode. It is
required that: If Firewall 1 works normally, Host A accesses Server 1 through Firewall 1
and Host B accesses Server 1 through Firewall 2 for load balancing; if Firewall 1 fails,
Host A and Host B access Server 1 through Firewall 2 and the ongoing sessions between
Host A and Server 1, Host B and Server 1 are not interrupted.

To meet the requirement, you can configure OSPF on Router A, Router B, Router C,
Router D, Firewall 1 and Firewall 2, and enable data synchronization between the two
firewalls.

Hangzhou H3C Technologies Co., Ltd. www.h3c.com. 13/15

 Stateful Failover Technology White Paper

Server 1

202.100.1.101/24 202.100.1.100/24

OSPF GE1/3 GE1/3

202.100.1.1/24 202.100.1.2/24
GE1/2
20.10.10.1/24
Router C Router D
GE1/2
GE1/1 20.10.10.2/24 GE1/1
172.17.1.1/16 172.17.2.2/16

GE1/1 GE1/1
172.17.1.101/16 172.17.2.102/16
Stateful failover link
Firewall 1 Firewall 2
GE1/3 GE1/3
172.16.1.101/24 172.16.2.102/24

GE1/3 GE1/3
172.16.1.1/24 172.16.2.2/24

Router A Router B

GE1/1 GE1/1
192.168.1.1/24 192.168.2.2/24

192.168.1.100/24 192.168.2.101/24

Host A Host B

Figure 10 Network diagram for stateful failover (routing mode + load balancing mode)

5.3 Stateful Failover Configuration Example (Transparent

Mode + Load Balancing Mode)

As shown in Figure 11, Firewall and Firewall 2 are deployed at the access point
between the private network and public network, and are working in transparent
mode (Layer 2 mode). It is required that: If Firewall 1 works normally, Host A
accesses Server 1 through Firewall 1 and Host B accesses Server 1 through Firewall
2 for load balancing; if Firewall 1 fails, Host A and Host B access Server 1 through
Firewall 2 and the ongoing sessions between Host A and Server 1, Host B and Sever
1 are not interrupted.

To meet the requirement, you can configure VRRP group 1 and VRRP group 2 (both
for load balancing and monitoring the down link) on Router A and Router B, and

Hangzhou H3C Technologies Co., Ltd. www.h3c.com. 14/15

 Stateful Failover Technology White Paper

enable data synchronization between Firewall 1 and Firewall 2.

Server 1
IP: 100.0.0.1/24

L2 switch C

Route A Route B

VRRP group 2
Backup Virtual IP address: Master
172.17.1.201//24

VRRP group 1
Master Virtual IP address: Backup
172.17.1.200//24

Firewall 1 Firewall 2
GE0/1 Stateful failover link GE0/1

L2 switch A L2 switch B

Host A Host B
IP: 172.17.1.10/24 IP: 172.17.1.129/24
Gateway: 172.17.1.200 Gateway: 172.17.1.201

Figure 11 Network diagram for stateful failover (transparent mode + load balancing mode)

6 References
Stateful Failover Configuration Examples

Copyright ©2008 Hangzhou H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou

H3C Technologies Co., Ltd.

The information in this document is subject to change without notice.

Hangzhou H3C Technologies Co., Ltd. www.h3c.com. 15/15