
Transparent mode active-passive cluster packet flow


This section describes how packets are processed and how failover occurs in an active-passive HA cluster running in Transparent mode. The cluster is installed on an internal network in front of a mail server and the client connects to the mail server through the Transparent mode cluster.

In an active-passive cluster operating in Transparent mode, two MAC addresses are involved in the communication between a client and a server when the primary unit processes a connection:

  • Client MAC address (MAC_Client)
  • Server MAC address (MAC_Server)

The HA virtual MAC addresses are not directly involved in communication between the client and the server. The client computer sends packets to the mail server and the mail server sends responses. In both cases the packets are intercepted and processed by the cluster.

The cluster’s presence on the network is transparent to the client and server computers. The primary unit sends gratuitous ARP packets to Switch 1 that associate all MAC addresses on the network segment connected to the cluster external interface with the HA virtual MAC address. The primary unit also sends gratuitous ARP packets to Switch 2 that associate all MAC addresses on the network segment connected to the cluster internal interface with the HA virtual MAC address. In both cases, this results in the switches sending packets to the primary unit interfaces.

Figure: Transparent mode active-passive packet flow

Packet flow from client to mail server

1. The client computer requests a connection from 10.11.101.10 to 10.11.101.200.

2. The client computer issues an ARP request to 10.11.101.200.

3. The primary unit forwards the ARP request to the mail server.

4. The mail server responds with its MAC address (MAC_Server), which corresponds to its IP address 10.11.101.200. The primary unit returns the ARP response to the client computer.

5. The client’s request packet reaches the primary unit internal interface.

              IP address      MAC address
Source        10.11.101.10    MAC_Client
Destination   10.11.101.200   MAC_Server

6. The primary unit processes the packet.

7. The primary unit forwards the packet from its external interface to the mail server.

              IP address      MAC address
Source        10.11.101.10    MAC_Client
Destination   10.11.101.200   MAC_Server

8. The primary unit continues to process packets in this way unless a failover occurs.


Packet flow from mail server to client

1. To respond to the client computer, the mail server issues an ARP request to 10.11.101.10.

2. The primary unit forwards the ARP request to the client computer.

3. The client computer responds with its MAC address (MAC_Client), which corresponds to its IP address 10.11.101.10. The primary unit returns the ARP response to the mail server.

4. The mail server’s response packet reaches the primary unit external interface.

              IP address      MAC address
Source        10.11.101.200   MAC_Server
Destination   10.11.101.10    MAC_Client

5. The primary unit processes the packet.

6. The primary unit forwards the packet from its internal interface to the client.

              IP address      MAC address
Source        10.11.101.200   MAC_Server
Destination   10.11.101.10    MAC_Client

7. The primary unit continues to process packets in this way unless a failover occurs.


When a failover occurs

The following steps are followed after a device or link failure of the primary unit causes a failover.

1. If the primary unit fails, the subordinate unit negotiates to become the primary unit.

2. The new primary unit changes the MAC addresses of all of its interfaces to the HA virtual MAC address.

3. The new primary unit sends gratuitous ARP packets to Switch 1 to associate its MAC address with the MAC addresses on the network segment connected to the external interface.

4. The new primary unit sends gratuitous ARP packets to Switch 2 to associate its MAC address with the MAC addresses on the network segment connected to the internal interface.

5. Traffic sent to the cluster is now received and processed by the new primary unit.

If there were more than two cluster units in the original cluster, these remaining units would become subordinate units.
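The effect the gratuitous ARP packets have on the switches, modelled as an added Python example (not FortiOS code and not a capture from the cluster): a minimal learning-switch forwarding table, a gratuitous ARP builder and parser, and a failover scenario on Switch 1. Assumptions: Switch 1 port 1 faces the old primary unit's external interface, port 2 the new primary unit's, port 3 the mail server; the frame layout used for the re-announcement (host MAC as the Ethernet and ARP sender address) is a modelling choice, since the page does not specify the exact field contents FortiOS uses; all MAC addresses are constructed placeholders.

```python
import struct

ETH_P_ARP, ETH_P_IP, BCAST = 0x0806, 0x0800, b"\xff" * 6

def mac(s):  # "aa:bb:cc:dd:ee:ff" -> 6 bytes
    return bytes.fromhex(s.replace(":", ""))

def ip4(s):  # "10.11.101.10" -> 4 bytes
    return bytes(int(o) for o in s.split("."))

def build_garp(src_mac, src_ip):
    """Gratuitous ARP request: broadcast destination, sender IP == target IP.
    Ethernet II + RFC 826 ARP layout; constructed here, not a FortiOS capture."""
    eth = BCAST + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, 1)
           + src_mac + ip4(src_ip) + b"\x00" * 6 + ip4(src_ip))
    return eth + arp

def parse_arp(frame):
    """Return the ARP fields as a dict, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETH_P_IP, 6, 4):
        return None
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return {"oper": oper, "sha": sha, "spa": ".".join(map(str, spa)),
            "tha": tha, "tpa": ".".join(map(str, tpa)), "gratuitous": spa == tpa}

class LearningSwitch:
    """Forwarding table: learn the Ethernet source MAC on the ingress port, record port moves."""
    def __init__(self):
        self.table, self.moves = {}, []
    def receive(self, port, frame):
        src = frame[6:12]
        old = self.table.get(src)
        if old is not None and old != port:
            self.moves.append((src, old, port))  # a move is what a monitor would log
        self.table[src] = port

def failover_on_switch1():
    """Switch 1 before and after failover; returns the switch for inspection."""
    mac_client, mac_server = mac("02:00:00:00:00:10"), mac("02:00:00:00:02:00")  # constructed
    sw1 = LearningSwitch()
    sw1.receive(3, build_garp(mac_server, "10.11.101.200"))  # mail server announces itself
    # Client traffic relayed by the old primary: stub IPv4 frame, only the source MAC matters.
    sw1.receive(1, mac_server + mac_client + b"\x08\x00" + b"\x00" * 28)
    # Failover: the new primary re-announces the client MAC it knows from the internal segment.
    garp = build_garp(mac_client, "10.11.101.10")
    assert parse_arp(garp)["gratuitous"]
    sw1.receive(2, garp)  # MAC_Client now points at the new primary's port
    return sw1
```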