03-13-2012 07:58 AM
I have a question on configuring stateful NAT on Juniper firewalls running HSRP on the HA link. Does Juniper support stateful NAT?
2 * Juniper firewalls in cluster mode (active/standby) connected with HA links.
Static NAT (MIP) is configured on the two firewalls.
Initially the TCP traffic goes via the active firewall and gets NATed (TCP NAT). In case the active Juniper fails, the standby becomes the active one. My question is what would happen to the TCP connection:
1. Do I need to re-establish the session / application to reconnect? OR
2. The second firewall will keep the session and there is NO discontinuity in the TCP communication?
In short, does the Juniper firewall support stateful NAT?
Appreciate your support.
03-14-2012 01:57 AM
Unlike Cisco, any SSG model can synchronise virtually any Real Time Objects (RTOs). These are sessions, VPNs, DHCP leases, ARP entries, DPR routes, etc. You can find the NSRP RTO settings in the GUI under Network->NSRP->Synchronization. I recommend selecting the first three options from the list.
You can selectively exclude the access policies from the sync to reduce the HA traffic and the CPU use. You can also deactivate the static route sync directly on the VRs (I have never needed this).
The TCP sessions, and even the UDP streams, should not need to be re-established. But you should take into account that any physical process takes time, including a full NSRP failover. Besides, there is surrounding infrastructure that has to adjust itself to the new situation (e.g. the MAC entries on the switch). Certain time-sensitive applications may need a connection restart.
03-16-2012 02:27 AM
Thanks Edouard for your answer.
As I understand it, the NAT sessions are updated via the HA link between the two FWs. I understand your point that it also depends on the time-sensitive application. I hope it could sustain 1000 msec?
03-23-2012 09:04 AM
The cluster members send the heartbeats over the HA link. The default settings for heartbeat processing are:
heartbeat lost threshold: 3 (this is also the minimal value)
heartbeat interval: 1000 ms (the minimal value is 200 ms).
If the primary FW goes down, the secondary FW will detect this in at least 600 ms. So we can assume that the duration of the failover can be below 1000 msec.
If you activate interface monitoring on the primary device and one of the monitored interfaces goes down, the failover may be even faster, because the primary FW immediately changes its status and sends a message to the backup FW.
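The heartbeat numbers in the post above (interval and lost-threshold) fix how long the backup takes to notice a dead primary before any session can be taken over. The model below is an added example, not code from this thread or from ScreenOS: it simulates the backup's lost-heartbeat counter over a constructed list of heartbeat arrival times, with the default values (1000 ms interval, threshold 3) and the minimal interval (200 ms) from the post. The name `HeartbeatConfig` and the constructed timestamps are assumptions made for the illustration; the ranges they validate are the ones the post quotes.

```python
"""Lost-heartbeat detection model for an active/standby cluster (NSRP-style).

Constructed example, not from the original thread or any vendor code.
The backup expects a heartbeat from the primary once per interval; every
interval that passes without one increments a loss counter, any heartbeat
resets it, and reaching `lost_threshold` consecutive losses declares failover.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class HeartbeatConfig:
    interval_ms: int = 1000     # default heartbeat interval per the post (minimum 200 ms)
    lost_threshold: int = 3     # default lost-heartbeat threshold per the post (minimum 3)

    def __post_init__(self) -> None:
        # Limits quoted in the post; a real device rejects values outside them.
        if self.interval_ms < 200:
            raise ValueError("heartbeat interval below the 200 ms minimum")
        if self.lost_threshold < 3:
            raise ValueError("lost threshold below the minimum of 3")

    @property
    def worst_case_detection_ms(self) -> int:
        """Time from the last heartbeat until the backup declares the primary dead."""
        return self.interval_ms * self.lost_threshold


def detect_loss(heartbeats_ms: List[int], cfg: HeartbeatConfig, horizon_ms: int) -> Optional[int]:
    """Replay the backup's view of a heartbeat stream.

    heartbeats_ms: arrival times (ms) of heartbeats received from the primary.
    horizon_ms:    end of the observation window.
    Returns the time (ms) at which failover is declared, or None if the stream
    never loses `lost_threshold` consecutive heartbeats within the horizon.
    """
    pending = iter(sorted(heartbeats_ms))
    first = next(pending, None)
    if first is None:
        return None                      # nothing ever heard; outside this model
    deadline = first + cfg.interval_ms   # primary must be heard again by each deadline
    next_hb = next(pending, None)
    lost = 0
    while deadline <= horizon_ms:
        heard = False
        # Consume every heartbeat that arrived on or before this deadline.
        while next_hb is not None and next_hb <= deadline:
            heard = True
            next_hb = next(pending, None)
        if heard:
            lost = 0                     # a late-but-present heartbeat clears the counter
        else:
            lost += 1
            if lost >= cfg.lost_threshold:
                return deadline
        deadline += cfg.interval_ms
    return None


if __name__ == "__main__":
    # Constructed scenario: primary sends heartbeats on schedule, then dies after t=5000 ms.
    defaults = HeartbeatConfig()
    fastest = HeartbeatConfig(interval_ms=200, lost_threshold=3)
    for cfg, hbs in ((defaults, list(range(0, 5001, 1000))),
                     (fastest, list(range(0, 5001, 200)))):
        declared = detect_loss(hbs, cfg, horizon_ms=20000)
        print(f"interval={cfg.interval_ms} ms threshold={cfg.lost_threshold}: "
              f"failover declared at {declared} ms, {declared - 5000} ms after last heartbeat "
              f"(worst case {cfg.worst_case_detection_ms} ms)")
    # One delayed heartbeat (expected 4000, arrives 4500) must not trigger failover.
    jittery = [0, 1000, 2000, 3000, 4500, 5000, 6000, 7000, 8000]
    print("jitter only:", detect_loss(jittery, defaults, horizon_ms=8000))
```

Read against the question earlier in the thread ("can it sustain 1000 msec?"): with the defaults the model declares the primary dead 3000 ms after its last heartbeat, and only with the interval lowered to 200 ms does detection drop to the 600 ms figure the post computes. Interface monitoring, which the post describes as an explicit status message from the primary, short-circuits this counter entirely and is not modelled here.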