
• Configure state synchronization:

  • Enable state synchronization and configure the interfaces that carry it.

  • The interfaces that you configure for state synchronization should not be part of a VLAN and should not have more than one IP address assigned to them.

  • Enable antispoofing on all the interfaces in the cluster, including those used for firewall synchronization and cluster synchronization.

• Set the options on the 3rd Party Configuration tab as follows:

  • Set the Availability Mode of the gateway cluster object to Load Sharing. Do not set it to High Availability.

  • In the pull-down menu, select Nokia IP Clustering.

  • Check all the available check boxes.

• Enable automatic proxy ARP on the NAT Global Properties tab.

• In the NAT tab for the gateway object, select Hide behind IP address and enter the external cluster IP address in the address field. Do not select Hide behind Gateway, because that can cause packets to be translated to the "real" IP address of the interface instead of the virtual cluster IP address.

• Add the cluster IP addresses in the Topology tab of the Gateway Cluster Properties dialog box.

• You can configure firewall synchronization to run on either of the cluster protocol networks or on a dedicated network. Avoid using a production network for firewall synchronization. If you use a cluster protocol network for firewall synchronization, Nokia recommends that you use the secondary cluster protocol network for this purpose.

Note

The firewall synchronization network should have a bandwidth of 100 Mbps or greater.

• Connection synchronization is CPU intensive, and Nokia recommends that you carefully choose which traffic should have its connections synchronized. For example, you might choose not to synchronize HTTP traffic.

• If a cluster reaches the limit of connections it can synchronize and can no longer synchronize new ones, the cluster can fail. If you see a large number of firewall synchronization error messages (indicating that the cluster has reached the limit of connections it can synchronize), you can configure VPN-1 to drop connections that exceed the limit by entering the following commands at the console:

fw ctl set int fw_sync_block_new_conns 0
fw ctl set int fw_sync_ack_seq_gap 128

Entering these commands configures the cluster to give preference to maintaining the synchronization state of existing connections over establishing new connections.

• If you use sequence validation in NGX, be aware that in the event of a cluster failover, sequence validation is disabled for the connections that are transferred to another cluster member. Sequence validation remains enabled for connections that are created after the failover.
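The checklist above is easy to get partly wrong in the GUI (one sync interface on a VLAN, NAT left on Hide behind Gateway), so the following is an added example, not code from the Nokia guide or from Check Point, that encodes the checklist as an audit over a description of the cluster. The dictionary layout, the field names, the check-box labels, and the two sample clusters are all constructed assumptions: neither Voyager nor SmartDashboard exports such a structure, so in practice the fields would have to be filled in from the real cluster and gateway objects.

```python
"""Pre-deployment audit of an IPSO IP Clustering / VPN-1 NGX Load Sharing setup.

Added example, not part of the Nokia guide. The configuration structure and
field names below are hypothetical; fill them from the real cluster and
gateway objects before relying on the result.
"""

SYNC_MIN_MBPS = 100  # the guide recommends 100 Mbps or more for the sync network


def audit_cluster(cfg):
    """Return a list of finding strings; an empty list means the checklist passes."""
    findings = []
    cluster_ip = cfg["cluster_ip"]

    for iface in cfg["interfaces"]:
        name = iface["name"]
        # Antispoofing is required on every cluster interface, sync links included.
        if not iface.get("antispoofing", False):
            findings.append(f"{name}: antispoofing is disabled")
        if iface.get("role") != "sync":
            continue
        # Sync interfaces: no VLAN, exactly one address, fast enough, not production.
        if iface.get("vlan") is not None:
            findings.append(f"{name}: sync interface is a VLAN interface")
        if len(iface.get("ips", [])) != 1:
            findings.append(f"{name}: sync interface must carry exactly one IP address")
        if iface.get("mbps", 0) < SYNC_MIN_MBPS:
            findings.append(f"{name}: sync link is below {SYNC_MIN_MBPS} Mbps")
        if iface.get("production", False):
            findings.append(f"{name}: sync runs over a production network")

    gw = cfg["gateway"]
    if gw.get("availability_mode") != "Load Sharing":
        findings.append("gateway: availability mode must be Load Sharing, not High Availability")
    if gw.get("third_party") != "Nokia IP Clustering":
        findings.append("gateway: 3rd Party Configuration must select Nokia IP Clustering")
    unchecked = sorted(k for k, v in gw.get("third_party_checkboxes", {}).items() if not v)
    if unchecked:
        findings.append("gateway: 3rd Party check boxes not set: " + ", ".join(unchecked))
    if not gw.get("auto_proxy_arp", False):
        findings.append("gateway: automatic proxy ARP is off in NAT Global Properties")
    nat = gw.get("nat", {})
    if nat.get("mode") != "hide_behind_ip":
        findings.append("gateway: NAT must be Hide behind IP address, not Hide behind Gateway")
    elif nat.get("hide_ip") != cluster_ip:
        findings.append(f"gateway: NAT hide address {nat.get('hide_ip')} is not the cluster IP {cluster_ip}")
    if cluster_ip not in gw.get("topology_ips", []):
        findings.append("gateway: cluster IP missing from the Topology tab")
    return findings


# Constructed sample: a cluster with several of the mistakes the checklist warns about.
# Check-box labels are placeholders for the real labels on the 3rd Party Configuration tab.
BAD_CLUSTER = {
    "cluster_ip": "192.0.2.10",
    "interfaces": [
        {"name": "eth-s1p1c0", "role": "external", "ips": ["192.0.2.11"], "antispoofing": True},
        {"name": "eth-s2p1c0", "role": "sync", "ips": ["10.0.0.1", "10.0.0.2"],
         "vlan": 100, "mbps": 100, "antispoofing": False},
    ],
    "gateway": {
        "availability_mode": "High Availability",
        "third_party": "Nokia IP Clustering",
        "third_party_checkboxes": {"box1": True, "box2": False},
        "auto_proxy_arp": True,
        "nat": {"mode": "hide_behind_gateway"},
        "topology_ips": ["192.0.2.10"],
    },
}

# Constructed sample: the same cluster with every item on the checklist satisfied.
GOOD_CLUSTER = {
    "cluster_ip": "192.0.2.10",
    "interfaces": [
        {"name": "eth-s1p1c0", "role": "external", "ips": ["192.0.2.11"], "antispoofing": True},
        {"name": "eth-s2p1c0", "role": "sync", "ips": ["10.0.0.1"], "mbps": 1000, "antispoofing": True},
    ],
    "gateway": {
        "availability_mode": "Load Sharing",
        "third_party": "Nokia IP Clustering",
        "third_party_checkboxes": {"box1": True, "box2": True},
        "auto_proxy_arp": True,
        "nat": {"mode": "hide_behind_ip", "hide_ip": "192.0.2.10"},
        "topology_ips": ["192.0.2.10"],
    },
}


if __name__ == "__main__":
    for label, cluster in (("bad", BAD_CLUSTER), ("good", GOOD_CLUSTER)):
        print(f"{label}: {len(audit_cluster(cluster))} finding(s)")
        for line in audit_cluster(cluster):
            print("  " + line)
```

Run against BAD_CLUSTER the audit reports six findings (three on the sync interface, three on the gateway object) and none against GOOD_CLUSTER. The sync-overload tunables from the previous item are deliberately not scripted here: they are an operational response to observed synchronization errors, not a static configuration property.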


Nokia Network Voyager for IPSO 4.0 Reference Guide
