Cluster Heartbeats - D-Link DFL-1600 User Manual

Network security firewall

29.2. How Rapid Failover is Accomplished
When a firewall discovers that its peer is no longer operational, it will
broadcast a number of ARP queries for itself, using the shared hardware
address as sender address, on all interfaces. This causes switches and
bridges to re-learn where to send packets destined for the shared hardware
address in a matter of milliseconds.
Hence, the only real delay in the failover mechanism is detecting that a
firewall is no longer operational.
The activation messages (ARP queries) described above are also broadcast
periodically to ensure that switches won't forget where to send packets
destined for the shared hardware address.
29.2.2. Cluster heartbeats

A firewall detects that its peer is no longer operational when it can no
longer hear "cluster heartbeats" from its peer.
Currently, a firewall will send five cluster heartbeats per second.
When a firewall has "missed" three heartbeats from its peer, i.e. after 0.6
seconds, the peer will be declared inoperative.
So, why not make it even faster? Maybe send a hundred heartbeats per
second and declare a firewall inoperative after missing only two of them?
This would after all result in a 0.02-second failover time.
The problem with detection times less than a tenth of a second is that such
delays may occur during normal operation. Just opening a file, on either
firewall, could result in delays long enough to cause the inactive firewall to
go active, even though the other firewall is still active; a clearly undesirable
situation.
Cluster heartbeats have the following characteristics:
- The source IP is the interface address of the sending firewall.
- The destination IP is the shared IP address.
- The IP TTL is always 255. If a firewall receives a cluster heartbeat
  with any other TTL, it is assumed that the packet has traversed a
  router, and hence cannot be trusted at all.
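
The detection rule and the heartbeat checks described above, modelled as an added Python example (not code from the D-Link manual or firmware). The addresses, the `Heartbeat` record, the function names and the reading of "missed N heartbeats" as N send intervals of silence are assumptions; all sample traffic is constructed.

```python
from dataclasses import dataclass

PEER_IP, SHARED_IP = "192.0.2.2", "192.0.2.1"  # constructed documentation addresses

@dataclass(frozen=True)
class Heartbeat:
    t_ms: int  # arrival time in milliseconds
    src: str
    dst: str
    ttl: int

def is_trusted(hb):
    # The three listed characteristics: a TTL other than 255 means the packet
    # crossed a router, so it is ignored.
    return hb.src == PEER_IP and hb.dst == SHARED_IP and hb.ttl == 255

def declared_dead_at(heartbeats, rate_hz, missed_limit, end_ms):
    """Time (ms) at which the peer is declared inoperative, or None.
    Model assumption: 'missed N heartbeats' = N send intervals of silence."""
    timeout = missed_limit * (1000 // rate_hz)
    last_good = 0
    arrivals = sorted(hb.t_ms for hb in heartbeats if is_trusted(hb))
    for t in arrivals + [end_ms]:  # end_ms = moment the observation stops
        if t - last_good >= timeout:
            return last_good + timeout
        last_good = t
    return None

def stream(rate_hz, end_ms, stall_at=None, stall_ms=0, ttl=255):
    """Constructed arrivals; heartbeats due during a stall are sent late."""
    out = []
    for t in range(0, end_ms, 1000 // rate_hz):
        if stall_at is not None and stall_at <= t < stall_at + stall_ms:
            t = stall_at + stall_ms
        out.append(Heartbeat(t, PEER_IP, SHARED_IP, ttl))
    return out

if __name__ == "__main__":
    # A 150 ms stall on a healthy peer (e.g. the file-open delay in the text).
    print("5/s, 3 missed:  ", declared_dead_at(stream(5, 2000, 500, 150), 5, 3, 2000))
    print("100/s, 2 missed:", declared_dead_at(stream(100, 2000, 500, 150), 100, 2, 2000))
    # Peer stops after 400 ms; packets arriving with TTL 254 do not keep it alive.
    routed = stream(5, 600) + stream(5, 2000, ttl=254)
    print("TTL 254 ignored:", declared_dead_at(routed, 5, 3, 2000))
```

With the manual's settings the stall is absorbed, while the hypothetical 100-per-second setting declares a healthy peer dead 20 ms into the stall.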
D-Link Firewalls User's Guide
305
