Tip
This is the documentation for the 25.06 version. Looking for the documentation of the latest version? Have a look here.
VPF High Availability¶
VPF can optionally synchronize connection state information between peer firewalls, such as members of a high availability (HA) cluster.
This allows multiple TNSR instances using VRRP to continue passing packets for open and ongoing stateful connections if a node fails. This includes VPF NAT translations as well as VPF filter rules with the stateful keyword.
Requirements¶
VPF HA sends and receives state data using UDP and requires specifically defined peers. Peers can utilize either IPv4 or IPv6. The transfer is stateless: the sender neither checks for nor receives any indication that the peer received the data.
Warning
TNSR does not perform bulk updates of state data at startup. If a peer restarts it will not have any state data, but it will be re-created over time as the other peers deliver update messages.
Interface Names¶
VPF HA correlates state data between nodes by interface name. This means that either the hardware on all peers must have identical interfaces or all peers must use identical custom interface names.
VPF HA Traffic Isolation¶
The best practice is to isolate VPF HA state synchronization traffic on a separate interface or dedicated VLAN. Isolation improves security, and it also separates the bandwidth used for state synchronization from interfaces processing other traffic. Using an isolated interface also allows the interface counters to double as an indication that VPF HA is exchanging data with its peers.
Warning
VPF does not support authentication for HA state synchronization traffic. If VPF HA is configured to import states from a host on a shared network, it is possible for a user with access to that shared network to manipulate the state table. For example, they could insert states into the state table to bypass filtering or delete states to disrupt active connections.
VPF HA Memory Requirements¶
VPF HA synchronizes manual connection state clear actions to peers, and this bulk action allocates additional memory. The exact amount of memory VPF HA allocates to handle this action depends on the number and type of connection states. Each IPv4 connection state requires 48 bytes and each IPv6 connection state requires 96 bytes. For example, on a device with 10 million IPv6 connections, VPF HA allocates approximately 960 MiB of additional memory to process a clear vpf connections command.
Configuration¶
To configure VPF HA, start in config mode and issue the vpf ha command. This changes into config-vpf-ha mode where the following commands are available:
- importer: Defines a peer from which this node will receive state data.
  - local-address <address>: The IPv4 or IPv6 address on this node which will receive state data.
  - local-port <port>: The destination UDP port on this node which will receive state data.
  - remote-address <address>: The IPv4 or IPv6 address on the peer which is sending state data.
  - remote-port <port>: The source UDP port on packets from the peer which is sending state data.
- exporter: Defines a peer to which this node will send state data.
  - local-address <address>: The IPv4 or IPv6 address on this node from which it will send state data.
  - local-port <port>: The source UDP port on packets sent by this node.
  - remote-address <address>: The IPv4 or IPv6 address on the peer to which this node will send state data.
  - remote-port <port>: The destination UDP port on the peer to which this node will send state data.
  - mtu <size>: The maximum size for synchronization packets created by VPF HA.
Note
The port numbers are arbitrary and are not bound in a traditional way. Use whichever ports best suit the environment, so long as they align properly with the settings on the peer.
Danger
Do not use stateful on VPF filter rules matching VPF HA synchronization packets. Tracking state on these rules will cause VPF HA to enter a loop updating the peer with data about its own state synchronization traffic, which will consume large amounts of resources.
Manual Export¶
VPF can export state data on demand with the following command:
tnsr# trigger vpf ha-export
Users may want to run this after restarting a node, for example, to ensure both nodes have fully synchronized their state data rather than waiting for the data to populate over time.
Status¶
The show vpf ha command displays the current active VPF importers and exporters:
tnsr# show vpf ha
High-availability:
  Importer:
    Local address: 10.28.1.1
    Local port: 8000
    Remote address: 10.28.1.2
    Remote port: 9000
  Exporter:
    Local address: 10.28.1.1
    Local port: 9000
    Remote address: 10.28.1.2
    Remote port: 8000
    MTU: 1500
A handy way to confirm that VPF HA is working is to check the connection state data on peer(s) with VRRP addresses in a backup state using show vpf connections. If a node in the backup state has connection data but is not actively processing those packets, then VPF HA has received that state data from the active node.
Example¶
This example configuration exchanges state data between two peers, 10.28.1.1 and 10.28.1.2. The peers send state data from UDP port 9000 and receive it on port 8000.
r1 tnsr(config)# vpf ha
r1 tnsr(config-vpf-ha)# importer local-address 10.28.1.1 local-port 8000 remote-address 10.28.1.2 remote-port 9000
r1 tnsr(config-vpf-ha)# exporter local-address 10.28.1.1 local-port 9000 remote-address 10.28.1.2 remote-port 8000 mtu 1500
r1 tnsr(config-vpf-ha)# exit
r2 tnsr(config)# vpf ha
r2 tnsr(config-vpf-ha)# importer local-address 10.28.1.2 local-port 8000 remote-address 10.28.1.1 remote-port 9000
r2 tnsr(config-vpf-ha)# exporter local-address 10.28.1.2 local-port 9000 remote-address 10.28.1.1 remote-port 8000 mtu 1500
r2 tnsr(config-vpf-ha)# exit
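As an added pre-flight check (example code, not part of the TNSR documentation or product), the following Python models the r1/r2 importer and exporter stanzas above and verifies that each node's importer is the mirror image of its peer's exporter, which the Note in the Configuration section requires before any state data can arrive. The Endpoint/VpfHaNode names and the r2 misconfiguration are constructed for this example.

```python
# Added example, not TNSR code: consistency check for a two-node VPF HA setup.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    """One importer or exporter stanza: local/remote address and UDP port."""
    local_address: str
    local_port: int
    remote_address: str
    remote_port: int

@dataclass(frozen=True)
class VpfHaNode:
    name: str
    importer: Endpoint
    exporter: Endpoint
    mtu: int

def _family_mismatch(ep: Endpoint) -> bool:
    """A stanza mixing an IPv4 and an IPv6 address cannot carry UDP."""
    return (ipaddress.ip_address(ep.local_address).version
            != ipaddress.ip_address(ep.remote_address).version)

def check_pair(a: VpfHaNode, b: VpfHaNode) -> list:
    """Return the problems found; an empty list means the two nodes agree."""
    problems = []
    for node in (a, b):
        for role, ep in (("importer", node.importer), ("exporter", node.exporter)):
            if _family_mismatch(ep):
                problems.append(f"{node.name} {role} mixes IPv4 and IPv6")
    # Receiver's importer must match what the sender's exporter emits:
    # same destination (receiver local) and source (sender local) tuple.
    for rx, tx in ((a, b), (b, a)):
        imp, exp = rx.importer, tx.exporter
        if (imp.local_address, imp.local_port) != (exp.remote_address, exp.remote_port):
            problems.append(f"{tx.name} exporter does not target {rx.name} importer")
        if (imp.remote_address, imp.remote_port) != (exp.local_address, exp.local_port):
            problems.append(f"{rx.name} importer does not expect {tx.name} exporter source")
    return problems

# Values taken from the documentation example above.
R1 = VpfHaNode("r1", Endpoint("10.28.1.1", 8000, "10.28.1.2", 9000),
               Endpoint("10.28.1.1", 9000, "10.28.1.2", 8000), mtu=1500)
R2 = VpfHaNode("r2", Endpoint("10.28.1.2", 8000, "10.28.1.1", 9000),
               Endpoint("10.28.1.2", 9000, "10.28.1.1", 8000), mtu=1500)
# Constructed misconfiguration: r2 exports to port 8001 while r1 imports on 8000.
R2_BAD = VpfHaNode("r2", R2.importer,
                   Endpoint("10.28.1.2", 9000, "10.28.1.1", 8001), mtu=1500)
```

Calling check_pair(R1, R2) returns an empty list, while check_pair(R1, R2_BAD) reports that the r2 exporter does not target the r1 importer.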
See also
See VRRP with VPF Filtering and Outside NAT for a more complete example of HA using VRRP and VPF HA.