
The High Availability section lets you set up a cluster of WAFs to ensure high availability of your applications. Several high availability modes are available:

  • the Active/Active mode: traffic is load balanced across different WAFs.
  • the Active/Passive mode: traffic is handled by one WAF, and another WAF (failover) is available in case of failure.

High Availability modes


The Active/Active mode spreads a tunnel's traffic over the different WAFs of a cluster. If a WAF is no longer available, traffic continues on the tunnels of the other WAFs.

Traffic initiated by a client always goes through the same tunnel of the same WAF in order to keep essential information, such as authentication sessions. The load balancing is done by a keepalived service.

An HA Active/Active cluster must have at least one virtual IP address and two VRRP members attached to this IP.


The Active/Passive mode provides tunnel redundancy across the different WAFs of a cluster. Only one member is active at a time. If the primary tunnel fails, traffic is redirected to the secondary tunnel (failover). When the primary tunnel is up again, traffic is redirected back to it.

An HA Active/Passive cluster must have at least one virtual IP address and two VRRP members attached to this IP.

VRRP cluster Presentation

A VRRP cluster is a virtual entity defined mainly by its Cluster ID (or VRID), a unique numeric identifier between 1 and 254. The members of the VRRP cluster communicate using this Cluster ID via multicast packets. The cluster has virtual IP (VIP) addresses, that is, addresses that are created and deleted in response to events in the cluster.

At any given moment, only a single member holds the listening VIP address(es). If the member holding the VIP(s) fails, another member takes over and creates the VIP address(es) so that the service can continue to operate.

VRRP works by having the MASTER member regularly send multicast packets; failover occurs when the BACKUP members no longer receive these packets (a sign that there is probably a problem on the MASTER). Other conditions and tests can be added to determine whether failover is necessary. That is the role of the different "...Tracking" options for the VRRP cluster and the Tracked devices and Tracked metrics settings of the VRRP Members.

Creating a cluster


  • Type: choice between Active/Active and Active/Passive mode (more information about these modes is available above).
  • Name: name of the cluster.
  • Cluster ID: a unique numeric identifier; must be between 1 and 254.

The Cluster ID must be unique on the network. Assigning an existing Cluster ID will result in unpredictable behavior of your VRRP cluster. The main symptoms are an absence of failover after a failed availability test and unavailability of the VIP. If no value is entered for the Cluster ID, the first available value in increasing order is assigned to it, starting with ID 176 (inclusive).

  • Enable no preempt mode: changes the switchover behavior between members. If disabled (the default), the active member changes when another member has a higher priority. If enabled, the active member stays active as long as it remains available.


  • Frequency: the interval (in seconds) between availability checks of members.
  • Use Administration device advertisement: if not checked (default), the VRRP multicast packet is sent by the VIP device; if checked, the multicast packet is sent by the administration device.
  • Automatic device Tracking (Active/Passive mode): availability test of the network card, in addition to the VRRP tracking. Tests are run on the network interfaces where the VIP is set. This option applies to all VRRP members of the cluster. It can also be set on each VRRP member (through the Device tracking option).
  • Process Tracking (Active/Passive mode): availability test on the Reverse Proxy process.
  • WAM Engine Tracking (Active/Passive mode): availability test on the WAM engine.
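
Because a duplicate Cluster ID only shows up as missing failover or an unavailable VIP, it helps to check which IDs are already advertised on the segment before assigning one. The following is an added example, not part of the product or its documentation: it parses captured VRRP advertisement payloads and reports the IDs in use, the IDs advertised with different VIP sets, and the first free ID from 176. It assumes IPv4 VIPs and the header layout of RFC 3768 / RFC 5798; all function names and sample packets are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

def parse_advert(payload: bytes) -> dict:
    """Parse the header fields shared by VRRPv2 (RFC 3768) and VRRPv3 (RFC 5798)."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, priority, count = struct.unpack_from("!BBBB", payload)
    if ver_type & 0x0F != 1:  # type 1 (ADVERTISEMENT) is the only defined type
        raise ValueError("not a VRRP advertisement")
    if not 1 <= vrid <= 254:
        raise ValueError("VRID outside 1..254")
    end = 8 + 4 * count  # assumption: IPv4 VIPs, listed right after the 8-byte header
    if len(payload) < end:
        raise ValueError("address list shorter than declared count")
    vips = frozenset(socket.inet_ntoa(payload[i:i + 4]) for i in range(8, end, 4))
    return {"version": ver_type >> 4, "vrid": vrid, "priority": priority, "vips": vips}

def observe(payloads) -> dict:
    """Map each VRID seen on the segment to the distinct VIP sets advertised for it."""
    seen = defaultdict(set)
    for payload in payloads:
        try:
            advert = parse_advert(payload)
        except ValueError:
            continue  # skip malformed packets instead of trusting their fields
        seen[advert["vrid"]].add(advert["vips"])
    return dict(seen)

def conflicting_ids(seen: dict) -> list:
    """VRIDs advertised with more than one VIP set: two clusters share the ID."""
    return sorted(vrid for vrid, vip_sets in seen.items() if len(vip_sets) > 1)

def next_free_id(used, start: int = 176):
    """First unused ID from `start` upward, as the page describes; None if exhausted."""
    return next((i for i in range(start, 255) if i not in used), None)

# Constructed sample: VRRPv2 adverts (checksum left at 0); ID 177 is used by two clusters.
def build(vrid, priority, vips):
    header = bytes([0x21, vrid, priority, len(vips), 0, 1, 0, 0])
    return header + b"".join(socket.inet_aton(v) for v in vips)

SAMPLE = [build(176, 150, ["192.0.2.10"]), build(176, 100, ["192.0.2.10"]),
          build(177, 150, ["192.0.2.20"]), build(177, 120, ["198.51.100.5"]), b"\x21\x00"]

if __name__ == "__main__":
    seen = observe(SAMPLE)
    print(sorted(seen), conflicting_ids(seen), next_free_id(seen))
```

Two clusters that share both the ID and the same VIP set are not distinguished by this check; comparing the advertisement source addresses against the known member list covers that case.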

Active/Passive mode - Availability test

Failure of an availability test will trigger a failover. The members of the cluster will designate the member that will re-establish the VIP(s).

The drop-down menu presents a list of clusters. Selecting a cluster accesses its configuration: