Nokia Network Voyager for IPSO 4.0 Reference Guide
Configure state synchronization:
1. Enable state synchronization and configure interfaces for it. The interfaces that you configure for state synchronization should not be part of a VLAN or have more than one IP address assigned to them.
2. Enable antispoofing on all the interfaces in the cluster, including those used for firewall synchronization and cluster synchronization.
3. Set the options on the 3rd Party Configuration tab as follows:
   a. Set the Availability Mode of the gateway cluster object to Load Sharing. Do not set it to High Availability.
   b. In the pull-down menu, select Nokia IP Clustering.
   c. Check all the available check boxes.
4. Enable automatic proxy ARP on the NAT Global Properties tab.
5. In the NAT tab for the gateway object, select Hide behind IP address and enter the external cluster IP address in the address field. Do not select Hide behind Gateway, because this can cause packets to use the “real” IP address of the interface rather than the virtual cluster IP address.
6. Add the cluster IP addresses in the Topology tab of the Gateway Cluster Properties dialog box.
You can configure firewall synchronization to occur on either of the cluster protocol networks, on a dedicated network, or on a production network (not recommended; avoid using a production network for firewall synchronization). If you use a cluster protocol network for firewall synchronization, Nokia recommends that you use the secondary cluster protocol network for this purpose.
Note: The firewall synchronization network should have bandwidth of 100 Mbps or greater.
Connection synchronization is CPU intensive, and Nokia recommends that you carefully
choose which traffic should have its connections synchronized. For example, you might
choose to not synchronize HTTP traffic.
If a cluster can no longer synchronize new connections because it has reached its limit, it can
fail. If you see a large number of firewall synchronization error messages (indicating that the
cluster has reached the limit of connections it can synchronize), you can configure VPN-1 to
drop connections that exceed the limit by entering the following commands at the console:
    fw ctl set int fw_sync_block_new_conns 0
    fw ctl set int fw_sync_ack_seq_gap 128
Entering these commands configures the cluster to give preference to maintaining the
synchronization state of the existing connections over establishing new connections.
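The guidance above hinges on noticing "a large number" of synchronization error messages before the cluster fails. The following is an added example, not part of the Nokia guide or of VPN-1, that counts such messages in a sliding time window over syslog-style lines from a cluster member; the log lines are constructed for the example, and the exact wording matched by the pattern is an assumption that should be adjusted to the messages your VPN-1 version actually emits.

```python
import re
from collections import deque
from datetime import datetime

# Constructed sample of /var/log/messages-style lines from a cluster member.
# The "State synchronization is in risk" wording is an assumption about the
# VPN-1 warning text; replace it with the message seen on your own cluster.
SAMPLE_LOG = """\
Mar  3 10:15:01 fw1 kernel: FW-1: State synchronization is in risk. Please examine your synchronization network.
Mar  3 10:15:02 fw1 kernel: FW-1: State synchronization is in risk. Please examine your synchronization network.
Mar  3 10:15:02 fw1 sshd[412]: Accepted publickey for admin
Mar  3 10:15:03 fw1 kernel: FW-1: State synchronization is in risk. Please examine your synchronization network.
Mar  3 10:15:04 fw1 kernel: FW-1: State synchronization is in risk. Please examine your synchronization network.
Mar  3 10:16:30 fw1 kernel: FW-1: State synchronization is in risk. Please examine your synchronization network.
"""

SYNC_ERROR = re.compile(r"FW-1: State synchronization is in risk", re.IGNORECASE)
# Classic syslog timestamp: "Mar  3 10:15:01" (day may be padded with a space).
TIMESTAMP = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s")


def sync_error_burst(log_text, window_seconds=60, threshold=3, year=2006):
    """Return (peak, exceeded): the highest number of sync error lines seen
    within any window_seconds span, and whether that peak reached threshold.
    Syslog lines carry no year, so one is supplied for parsing (assumed)."""
    window = deque()
    peak = 0
    for line in log_text.splitlines():
        if not SYNC_ERROR.search(line):
            continue
        m = TIMESTAMP.match(line)
        if not m:
            continue  # sync message without a parseable timestamp; skip it
        stamp = " ".join(m.group(1).split())  # collapse the padded day field
        t = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        window.append(t)
        # Drop messages that fell out of the sliding window.
        while (t - window[0]).total_seconds() > window_seconds:
            window.popleft()
        peak = max(peak, len(window))
    return peak, peak >= threshold


if __name__ == "__main__":
    peak, exceeded = sync_error_burst(SAMPLE_LOG)
    print(f"peak sync errors in 60s: {peak}, threshold reached: {exceeded}")
```

The four messages within three seconds push the peak to 4 while the isolated message 86 seconds later does not; a real deployment would feed this tail of the log on each member and alert before considering the fw ctl settings above.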
If you use sequence validation in NGX, you should be aware that in the event of a cluster
failover, sequence validation is disabled for connections that are transferred to another
cluster member. Sequence validation is enabled for connections that are created after the
failover.