In an Active/Passive HA Pair, are Existing Sessions Sync-ed When the Passive Device is Added/Rebooted?
Resolution
Overview
The environment has a single firewall capable of being configured in High Availability (HA). When adding a second firewall and configuring both to be in the same HA group, will the current sessions on the existing firewall be synced to the new passive device?
Details
When the second firewall is configured for High Availability (HA) and added to the group, it begin in the INITIAL state. Once the device has finished initializing and HA control links are established, the firewall will transition to the PASSIVE state. Once the firewall is in the PASSIVE state, it begins receiving session synchronization information for *ALL* sessions (except ICMP) on the active device. Note that this will happen only if there is not a failure condition which prevents the firewall from becoming functional. The diagram below shows the possible state transitions from INITIAL for the second firewall in the scenario above.
If the firewall transitions to the PASSIVE state, it receives session information for the current sessions on the active firewall, as well as any new sessions that are created. For example, the following output shows the session tables of the two firewalls. Note that while the number of sessions is the same, the individual session IDs for each firewall will be different.
| Existing Firewall (Active) | Second Firewall (passive) |
|---|---|
admin@Firewall1(active)> show session all -------------------------------------------------------------------------------- ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port]) Vsys Dst[Dport]/Zone (translated IP[Port]) -------------------------------------------------------------------------------- 46743 dns ACTIVE FLOW NS 192.168.83.250[64193]/L3-Trust/17 (10.30.6.83[11659]) vsys1 4.2.2.2[53]/L3-Untrust (4.2.2.2[53]) 46744 ntp ACTIVE FLOW 192.168.83.250[123]/V-Trust/17 (192.168.83.250[123]) vsys1 17.171.4.36[123]/V-Untrust (17.171.4.36[123]) 45039 web-browsing ACTIVE FLOW NS 192.168.83.138[1536]/L3-Trust/6 (10.30.6.83[32177]) vsys1 74.125.239.136[80]/L3-Untrust (74.125.239.136[80]) 46565 ldap ACTIVE FLOW NS 192.168.83.138[1603]/L3-Trust/17 (10.30.6.83[27608]) vsys1 192.168.123.122[389]/L3-Untrust (192.168.123.122[389]) 45904 web-browsing ACTIVE FLOW 192.168.83.250[49587]/V-Trust/6 (192.168.83.250[49587]) vsys1 74.125.239.40[80]/V-Untrust (74.125.239.40[80]) 46742 dns ACTIVE FLOW 192.168.83.250[64193]/V-Trust/17 (192.168.83.250[64193]) vsys1 4.2.2.2[53]/V-Untrust (4.2.2.2[53]) 46745 ntp ACTIVE FLOW NS 192.168.83.250[123]/L3-Trust/17 (10.30.6.83[57714]) vsys1 17.171.4.36[123]/L3-Untrust (17.171.4.36[123]) 45040 web-browsing ACTIVE FLOW NS 192.168.83.138[1537]/L3-Trust/6 (10.30.6.83[33599]) vsys1 74.125.239.136[80]/L3-Untrust (74.125.239.136[80]) 45906 web-browsing ACTIVE FLOW NS 192.168.83.250[49587]/L3-Trust/6 (10.30.6.83[4051]) vsys1 74.125.239.40[80]/L3-Untrust (74.125.239.40[80]) 46250 ldap ACTIVE FLOW 192.168.122.59[4685]/V-Untrust/17 (192.168.122.59[4685]) vsys1 192.168.123.122[389]/V-Trust (192.168.123.122[389]) 46555 ms-ds-smb ACTIVE FLOW 192.168.83.250[49745]/V-Trust/6 (192.168.83.250[49745]) vsys1 192.168.83.138[445]/V-Untrust (192.168.83.138[445]) | Firewall2(passive)> show session all ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port]) Vsys Dst[Dport]/Zone (translated IP[Port]) -------------------------------------------------------------------------------- 17 dns ACTIVE FLOW NS 192.168.83.250[64193]/L3-Trust/17 (10.30.6.83[11659]) vsys1 4.2.2.2[53]/L3-Untrust (4.2.2.2[53]) 18 ntp ACTIVE FLOW 192.168.83.250[123]/V-Trust/17 (192.168.83.250[123]) vsys1 17.171.4.36[123]/V-Untrust (17.171.4.36[123]) 1 web-browsing ACTIVE FLOW NS 192.168.83.138[1536]/L3-Trust/6 (10.30.6.83[32177]) vsys1 74.125.239.136[80]/L3-Untrust (74.125.239.136[80]) 6 ldap ACTIVE FLOW NS 192.168.83.138[1603]/L3-Trust/17 (10.30.6.83[27608]) vsys1 192.168.123.122[389]/L3-Untrust (192.168.123.122[389]) 8 web-browsing ACTIVE FLOW 192.168.83.250[49587]/V-Trust/6 (192.168.83.250[49587]) vsys1 74.125.239.40[80]/V-Untrust (74.125.239.40[80]) 16 dns ACTIVE FLOW 192.168.83.250[64193]/V-Trust/17 (192.168.83.250[64193]) vsys1 4.2.2.2[53]/V-Untrust (4.2.2.2[53]) 19 ntp ACTIVE FLOW NS 192.168.83.250[123]/L3-Trust/17 (10.30.6.83[57714]) vsys1 17.171.4.36[123]/L3-Untrust (17.171.4.36[123]) 10 web-browsing ACTIVE FLOW NS 192.168.83.138[1537]/L3-Trust/6 (10.30.6.83[33599]) vsys1 74.125.239.136[80]/L3-Untrust (74.125.239.136[80]) 11 web-browsing ACTIVE FLOW NS 192.168.83.250[49587]/L3-Trust/6 (10.30.6.83[4051]) vsys1 74.125.239.40[80]/L3-Untrust (74.125.239.40[80]) 12 ldap ACTIVE FLOW 192.168.122.59[4685]/V-Untrust/17 (192.168.122.59[4685]) vsys1 192.168.123.122[389]/V-Trust (192.168.123.122[389]) 13 ms-ds-smb ACTIVE FLOW 192.168.83.250[49745]/V-Trust/6 (192.168.83.250[49745]) vsys1 192.168.83.138[445]/V-Untrust (192.168.83.138[445]) |
owner: cstancill