How to deploy IVE Active-Active and Active-Passive clusters

Overview

Juniper Netscreen SA and SM series appliances support Active/Passive or Active/Active configurations across a LAN or a WAN to provide high availability, increased scalability, and load balancing capabilities.

You define a cluster on one IVE by configuring:
- A name for the cluster
- A password for the cluster members to share
- A name to identify the machine in the cluster

After specifying this information on the System > Clustering > Create tab, you click Create Cluster to initiate the cluster and add the current machine to the cluster. After creating the cluster, the Clustering page shows Status and Properties tabs, which replace the original Join and Create tabs. The Status tab lists the cluster name, type, and configuration (active/active or active/passive), enables you to specify new members and manage existing members, and provides overall cluster status information. The Properties tab enables you to change the cluster name and set configuration, synchronization, and health-check settings.

After defining and initializing a cluster, you need to specify which IVEs will be added to the cluster. After an IVE is identified as an intended member, you may add it to the cluster through the following modes:

1. Web console: If a configured IVE is running as a stand-alone machine, you can add it to a cluster through its Web console.
2. Serial console: If an IVE is in its factory state, you can add it to a cluster through its serial console by entering minimal information during initial setup.

When an IVE joins a cluster, it initializes its state from the existing member that you specify. The new member sends a message to the existing member requesting synchronization. The existing member sends the system state to the new member, overwriting all system data on that machine. After that point, the cluster members synchronize data when there is a state change on any member.

Cluster member communication is encrypted to prevent attacks from inside the corporate firewall.
Each IVE uses the shared password to decrypt communication from another cluster member. For security reasons, the cluster password is not synchronized across IVEs.

Note: During synchronization, the new node receives the service package, which upgrades the node if it is equipped with a Central Manager license and is running an older service package.

Configuration

Create an IVE cluster:
1. Initialize the IVE cluster through the System > Clustering > Create Cluster page of the Web Console by defining the cluster name and adding the first/primary IVE to the cluster.
2. Add the names and IP addresses of future cluster IVEs to the primary IVE through the System > Clustering > Status page of the Web Console.
3. Populate the cluster with additional IVEs as necessary through the System > Clustering > Join Cluster page of the Web Console.
Deploying two nodes in an Active/Passive cluster

You can deploy IVEs as a cluster pair in Active/Passive mode. In this mode, one IVE actively serves user requests while the other IVE runs passively in the background to synchronize state data, including system state, user profile, and log messages. User requests to the cluster VIP (virtual IP address) are passed to the active IVE. If the active IVE goes off-line, the standby IVE automatically starts servicing user requests. Users do not need to sign in again; however, some IVE session information entered a few seconds before the active machine went off-line, such as cookies and passwords, may not have been synchronized on the current IVE box, in which case users may need to sign in to back-end Web servers again.

The following diagram illustrates an Active/Passive IVE cluster configuration using two IVEs that have enabled external ports. Note that this mode does not increase throughput or user capacity, but provides redundancy to handle unexpected system failure.

Figure: Active/Passive Cluster Pair

Deploying two or more units in an Active/Active cluster

In Active/Active mode, all the machines in the cluster actively handle user requests sent by an external load balancer or Round-Robin DNS. The load balancer hosts the cluster VIP and routes user requests to an IVE defined in its cluster group based on source-IP routing. If an IVE goes off-line, the load balancer adjusts the load on the active IVEs. Users do not need to sign in again; however, some IVE session information entered a few seconds before the active machine went off-line, such as cookies and passwords, may not have been synchronized on the current IVE box, in which case users may need to sign in to back-end Web servers again. The IVE cluster itself does not perform any automatic fail-over or load-balancing operations, but it does synchronize state data (system, user, and log data) among the cluster members. When an off-line IVE comes back online, the load balancer adjusts the load again to distribute it among all active members.
This mode provides increased throughput and performance during peak load but does not increase scalability beyond the total number of licensed users.
The IVE hosts an HTML page that provides service status for each IVE in a cluster. External load balancers can check this resource to determine how to effectively distribute the load among all the cluster nodes.

To perform the L7 Health Check for a node:

From a browser: Enter the following URL: https://<ive-hostname>/dana-na/healthcheck/healthcheck.cgi

Using an external load balancer: Configure a Health Check policy that sends the following request to cluster nodes:

GET /dana-na/healthcheck/healthcheck.cgi HTTP/1.1\nHost: localhost

The node returns one of two values:
1. Cluster Enabled string: this value means that the node is active.
2. 500: this value denotes an error, and cluster IVEs stop forwarding user requests to the node.

Figure: Active/Active IVE cluster configuration in which the IVEs have enabled external ports.

State Synchronization

IVE state synchronization occurs only via the internal network interface cards (NICs), and each cluster member is required to possess the cluster password in order to communicate with other members. Cluster members synchronize data when there is a state change on any member. IVE cluster state data is either persistent (permanently stored on the IVE) or transient (stored on the IVE only for the user's session). IVE state data is divided into the following major categories:

1. System state: This state is persistent and does not change often. It includes:
- Network settings
- Authentication server configurations
- Authorization group configurations, such as access control list, bookmark, messaging, and application data
2. User Profile: This data (bookmarks, persistent user cookies and persistent user passwords) can be either persistent or transient, depending on whether or not you have enabled persistent cookies and persistent password caching.
3. User Session: This state is transient and dynamic (the IVE session cookie and other user profile information which is stored only for a session).
4. Monitoring state: Persistent information consisting of log messages. Note that when you add an IVE to a cluster, the cluster leader does not send log messages to the new member. Log messages are also not synchronized between cluster members when one member restarts its services or when an off-line machine comes back online. Once all machines are online, however, log messages are synchronized.

Deploying a cluster in an Access Series FIPS environment

In addition to sharing state, user profile, user session, and monitoring state data, the members of an Access Series FIPS cluster also share security world data. All cluster members share the same private key and are accessible using the same administrator cards. Since changing a security world requires physical access to a cryptographic module, however, Access Series FIPS cluster members cannot share all of their data using the standard IVE synchronization process. Instead, to create an Access Series FIPS cluster, you must:

1. Create a cluster of Access Series FIPS machines through the Web console. As with a standard IVE cluster, each cluster node in an Access Series FIPS cluster is initialized using system state data from the specified cluster member, overwriting all existing data on the node machine.
2. Manually update the security world on each of the machines. After creating a cluster, you must initialize each cluster node with the specified member's security world using an administrator card that is pre-initialized to the security world, a smart card reader, and the serial console.
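As an added example (not part of the original article), the load-balancer L7 Health Check described above, written as a probe that sends exactly the documented request and maps the two documented answers to a pool decision. The article does not say what else healthcheck.cgi can return, so treating any reply that is neither the Cluster Enabled string nor a 500 as unhealthy is an assumption, as is the expectation that the Cluster Enabled string arrives with a 2xx status; `ive_host` is a placeholder for the node's address.

```python
"""Probe an IVE node's L7 health check the way a load balancer would (added example)."""
import http.client
import ssl

HEALTHCHECK_PATH = "/dana-na/healthcheck/healthcheck.cgi"
ACTIVE_MARKER = "Cluster Enabled"  # body returned by an active node (from the article)


def classify(status: int, body: str) -> str:
    """Map an HTTP status and body from healthcheck.cgi to a pool decision.

    "active"  -> keep forwarding user requests to this node
    "error"   -> node returned 500; stop forwarding (documented behaviour)
    "unknown" -> anything else; assumption: treat as unhealthy and log it,
                 since a silent pass on an unexpected page would mask faults
    """
    if status == 500:
        return "error"
    if 200 <= status < 300 and ACTIVE_MARKER in body:
        return "active"
    return "unknown"


def probe(ive_host: str, timeout: float = 3.0) -> str:
    """Send 'GET /dana-na/healthcheck/healthcheck.cgi' with 'Host: localhost'.

    Uses the default TLS context, so the node's certificate must chain to a CA
    trusted by the probing host; do not disable verification to make it pass.
    """
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(ive_host, 443, timeout=timeout, context=ctx)
    try:
        # Host header is literally "localhost", matching the article's policy.
        conn.request("GET", HEALTHCHECK_PATH, headers={"Host": "localhost"})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        return classify(resp.status, body)
    except (OSError, http.client.HTTPException):
        # TCP/TLS failure: the node is down or unreachable from the probe.
        return "unreachable"
    finally:
        conn.close()
```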
Similarly, if you want to modify an existing security world on a cluster, you must individually update each cluster member's cryptographic module using an administrator card, smart card reader, and the IVE serial console.

FAQs

1. A node that is up and running appears in the Web UI as unreachable.
Answer: A cluster member may appear as unreachable even when it is online and can be pinged. Here are reasons why a node can show as unreachable:
- Its password is incorrect. If the node has never joined the cluster, or if the password has changed in between, this might be a possibility.
- It does not know about all the nodes of the cluster.
- It has a different group communication mode.
- It has a different version.

2. Both my machines in the cluster are up and in a cluster, but each indicates that the other is unreachable.
Answer: Check item #1. While the clusters seem the same, they do have something different, e.g. password, version, etc.

3. After I join the machine to a running cluster, my session times out and I have to log in again.
Answer: This is expected behavior. The member that joins the cluster gets all its state (including the active sessions) overwritten by the state in the cluster. Therefore the session you used to join the cluster is closed.
4. I created a cluster and added a node, but it appears as Unreachable. When I log in to the other machine, it does not appear to be a member of the cluster.
Answer: It is not enough to just add a machine to the cluster on a machine that is already in the cluster. You also need to go to the machine that is being added to the cluster and use the Join UI to add the machine to the cluster. The IVE provides such a UI in two places:
a) as part of the Web UI
b) as part of the console UI when a machine boots

5. What protocols and ports are used for clustering?

Protocol  Port       When                                  Purpose
TCP/IP    4808       Clustering on, always                 P2P encrypted communication
TCP/IP    4809       Clustering on, always                 P2P clear text communication
TCP/IP    4900-4910  For a short period during handshake   Key exchange for group communication, state sync where applicable
UDP       4803       Clustering on, always                 Group communication
UDP       4804       Clustering on, always                 Token Heartbeat
6. In the cluster status page, when I hover the mouse over the status gif I see a hexadecimal number. What is the meaning of this number?
Answer: The hexadecimal number is a snapshot of the status of the IVE. It is a bit mask indicating a number of states, as shown in the table below. Each bit in the bit mask represents a sub-state. Good state: 0x18004 on one node and 0x10004 on the rest.

Value     Meaning
0x000001  IVE in standalone mode
0x000002  IVE in cluster disabled state
0x000004  IVE in cluster enabled state
0x000008  IVE is unreachable (because it is offline, broken network connectivity, password mismatch, has a different cluster definition, software version mismatch, etc.)
0x000100  IVE is syncing state from another IVE (initial syncing phase)
0x000200  IVE is transitioning from one state to another
0x000800  IVE eth0 appears disconnected (no carrier)
0x001000  IVE eth1 appears disconnected (no carrier)
0x002000  IVE is syncing its state to another IVE that is joining
0x004000  Initial Synchronization as master or slave is going on
0x008000  This IVE is the leader of the cluster
0x010000  The spread daemon is running and the cache server is connected to it
0x020000  The gateway on eth0 is unreachable for ARP pings (see log file)
0x040000  The gateway on eth2 is unreachable for ARP pings (see log file)
0x800000  Leader Election is taking place
0x100000  Server Lifecycle process (dsmond) is busy
0x200000  System is performing post state synchronization activities

7. For all incoming https requests answered by the external VIP, what would be the source IP and MAC address of the reply packets?
Answer: The source IP will be the VIP address and the MAC address will be that of the active IVE that responds.

8. How does log synchronization work in an IVE A/P cluster?
Answer: If log sync is enabled, only the logserver leader (not necessarily the active node) will send logs to the syslog server. The non-leader will send its messages to the leader, thereby ensuring all messages end up at the syslog server. If sync is disabled, both nodes will independently send their messages to the syslog server.
9. How does the IVE decide the Logserver leader, and is there a way to identify the leader at a specific time?
Answer: Cluster members use a number of heuristics to pick the cluster leader. The goal is to designate as leader the node that is expected to have the most recent state about the cluster. For the admin, the easiest way to determine who the leader of a cluster is at any point in time is to go to the System > Clustering > Status page and hover the mouse over the bullets under the "Status" column. When the mouse hovers over a bullet, the system will show a hexadecimal number for each bullet. The node that has the 0x8000 bit on is the leader. There will be only one node with this bit turned ON. In other words, if the fourth least significant digit in the hexadecimal number for any node is any of 8, 9, a, b, c, d or e, then that node is the leader.

Notes

Upgrading clusters:
1. With Central Manager (Central Manager is a licensable feature): Central Manager will detect the upgrade of a single node in the cluster, and upon its reboot/re-sync, it will instruct the other nodes to upgrade themselves automatically by sending them the service package.
2. Without Central Manager: To upgrade nodes in a cluster, the Admin should disable the clustered nodes, upgrade each node individually, and after the nodes reboot, re-enable them in the cluster.

Restarting or rebooting clustered nodes:
When you create a cluster of two or more IVEs, the clustered IVEs act as a logical entity. As such, when you restart or reboot one of the clustered IVEs using either the serial console or the Web console, all IVEs in the cluster restart or reboot. If you want to restart or reboot only one IVE in a cluster, first use the controls on the System > Clustering > Status page to disable the IVE you want to restart or reboot within the cluster. Next, use the controls on the Maintenance > System > Platform page, or the serial console's Reboot/Shutdown/Restart this IVE menu item, to restart or reboot the IVE. After the IVE restarts or reboots, enable the IVE within the cluster again.
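As an added example (not from the original article), a decoder for the status bit mask from FAQ 6 that also applies the leader rule from FAQ 9 and the two documented "good state" values, so an admin can audit a whole cluster snapshot instead of reading one hover tooltip at a time. The bit names are shortened from the article's table; the node names in the test are constructed, and flagging bits outside the table as "undocumented" is this example's own choice.

```python
"""Decode IVE cluster status bit masks and audit a cluster snapshot (added example)."""

# Bit meanings taken from the status table in FAQ 6 (wording shortened).
STATUS_BITS = {
    0x000001: "standalone mode",
    0x000002: "cluster disabled",
    0x000004: "cluster enabled",
    0x000008: "unreachable",
    0x000100: "syncing state from another IVE",
    0x000200: "transitioning between states",
    0x000800: "eth0 no carrier",
    0x001000: "eth1 no carrier",
    0x002000: "syncing state to a joining IVE",
    0x004000: "initial sync as master or slave",
    0x008000: "cluster leader",
    0x010000: "spread daemon running, cache server connected",
    0x020000: "eth0 gateway unreachable (ARP)",
    0x040000: "eth2 gateway unreachable (ARP)",
    0x100000: "dsmond busy",
    0x200000: "post-sync activities",
    0x800000: "leader election in progress",
}
LEADER_BIT = 0x008000                      # FAQ 9: exactly one node has this set
GOOD_LEADER, GOOD_MEMBER = 0x18004, 0x10004  # FAQ 6: documented "good state" values


def _to_int(status) -> int:
    """Accept the hover text ("0x18004") or an already-parsed int."""
    return int(status, 16) if isinstance(status, str) else int(status)


def decode(status) -> list:
    """Return the sub-states set in a status value, in table order."""
    value = _to_int(status)
    names = [name for bit, name in STATUS_BITS.items() if value & bit]
    unknown = value & ~sum(STATUS_BITS)      # bits the table does not document
    if unknown:
        names.append(f"undocumented bits 0x{unknown:x}")
    return names


def is_leader(status) -> bool:
    return bool(_to_int(status) & LEADER_BIT)


def audit(cluster: dict) -> list:
    """Check a {node: status} snapshot; an empty list means it looks healthy."""
    findings = []
    leaders = [node for node, s in cluster.items() if is_leader(s)]
    if len(leaders) != 1:
        findings.append(f"expected exactly one leader, found {leaders}")
    for node, status in cluster.items():
        if _to_int(status) not in (GOOD_LEADER, GOOD_MEMBER):
            findings.append(f"{node}: {status} -> {', '.join(decode(status))}")
    return findings
```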