High Availability Issues; High Availability Configuration - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05

11.3. High Availability Issues

Even though a high availability cluster will behave like a single firewall in most respects, there are
some things which should be kept in mind when managing and configuring it.

11.3.1. High Availability Configuration

When configuring High Availability clusters, there are a number of things to keep in mind in order
to avoid pitfalls.
Changing the cluster ID
By changing the cluster ID, you are actually doing two things:
- Changing the hardware address of the shared IPs. This will cause problems for all units attached
  to the local LAN, as they will keep the old hardware address in their ARP caches until it times
  out. Such units will have to have their ARP caches flushed.
- Breaking the connection between the firewalls in the cluster for as long as they are using
  different configurations. This will cause both firewalls to go active at the same time.
In short, changing the cluster ID unnecessarily is not a good idea.
After the configuration has been uploaded to both firewalls, the ARP caches of vital units will have
to be flushed in order to restore communication.
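
The following is an added example, not part of the D-Link manual: a check for a Linux host on the LAN that finds neighbour-cache entries still mapping a shared IP to the old hardware address and prints the delete command for each. It assumes the iproute2 `ip neigh show` output format and one new hardware address for all shared IPs; the addresses, MACs and function names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the manual). All IPs and MACs below are constructed.

# Constructed sample of `ip neigh show` output taken after a cluster ID change.
sample_neigh() {
cat <<'EOF'
192.0.2.1 dev eth0 lladdr 02:00:00:00:00:0a STALE
198.51.100.1 dev eth1 lladdr 02:00:00:00:00:0B REACHABLE
192.0.2.20 dev eth0 lladdr 52:54:00:12:34:56 REACHABLE
203.0.113.1 dev eth2  FAILED
EOF
}

# stale_entries NEW_MAC SHARED_IP...
# Reads a neighbour table on stdin and prints "IP DEV CACHED_MAC" for every
# shared IP that is cached with a hardware address other than NEW_MAC.
# Entries without an lladdr (FAILED/INCOMPLETE) hold no stale mapping and are skipped.
stale_entries() {
    new_mac=$1; shift
    awk -v mac="$new_mac" -v ips="$*" '
        BEGIN {
            n = split(ips, a, " ")
            for (i = 1; i <= n; i++) shared[a[i]] = 1
            mac = tolower(mac)          # MAC comparison is case-insensitive
        }
        ($1 in shared) {
            dev = ""; ll = ""
            for (i = 2; i < NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "lladdr") ll  = tolower($(i + 1))
            }
            if (ll != "" && ll != mac) print $1, dev, ll
        }'
}

# flush_commands: turns the report from stale_entries into one delete command
# per stale entry. The commands are printed for review, not executed.
flush_commands() {
    while read -r ip dev _mac; do
        printf 'ip neigh del %s dev %s\n' "$ip" "$dev"
    done
}

# Demo on the constructed sample; on a live host pipe `ip neigh show` instead.
sample_neigh | stale_entries 02:00:00:00:00:0b 192.0.2.1 198.51.100.1 203.0.113.1 | flush_commands
```
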
Never use the unique IPs for live traffic
The unique IP addresses of the firewalls cannot safely be used for anything but managing the
firewalls.
Using them for anything else, such as for source IPs in dynamically NATed connections or for
publishing services on them, will inevitably cause problems, as a unique IP will disappear when
the firewall it belongs to does.
Chapter 11. High Availability
