Chapter 9: High Availability

Overview

HA clusters

The SEG High Availability (HA) feature provides hardware redundancy for SEG installations. HA works by adding a backup slave security gateway to an existing master security gateway. The master and slave are connected together and make up a logical HA cluster. One of the units in a cluster will be active while the other unit is inactive and on standby. The master and slave are also referred to as cluster nodes or cluster peers.

Initially, the cluster slave will be inactive and will only monitor the activity of the master. If the slave detects that the master has a malfunction, an HA failover takes place and the slave becomes active, assuming processing responsibility for all traffic.

If the master later becomes operative again, the slave will continue to be active but the master will now monitor the slave with a failover only taking place if the slave malfunctions. This is sometimes known as an active-passive implementation.

Master and active units

When reading this section on HA, it should be kept in mind that the master unit in a cluster is not always the same as the active unit in a cluster.

The active unit is the security gateway that is actually processing all traffic at a given point in time. This could be the slave if a failover has occurred.

Interconnection of cluster peers

In a cluster, the master and slave must be directly connected to each other by one or more synchronization connections that are known as the sync interfaces. One or more of the interfaces on the master and the slave can be dedicated for this purpose and are directly connected together using a crossover cable. Although this connection could be made via a switch, it is not recommended.

The primary purpose of a sync interface is to carry state synchronization traffic between the cluster peers. Sync interfaces must not be used for normal traffic.

Special Ethernet frames, known as heartbeats, are continually sent by the SEG between the peers in the cluster across the sync interfaces and any other interfaces marked as critical. These frames allow the health of both units to be monitored. Heartbeats are sent in both directions so that the passive unit knows about the health of the active unit and the active unit knows about the health of the passive.
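The failover rules described above (the standby takes over when the active unit fails, and a recovered master does not take the active role back) can be modelled as a small state machine. This is an added example, not SEG code; the missed-heartbeat limit, the timeline and all names are assumptions made for illustration.

```python
# Added illustration of the active-passive rules in the text; not SEG code.
MISSED_LIMIT = 3  # assumed: consecutive missed heartbeats before a peer is declared failed

# Constructed timeline: which nodes send heartbeats in each interval.
SAMPLE_TIMELINE = (
    [("master", "slave")] * 2    # both healthy
    + [("slave",)] * 3           # master malfunctions
    + [("master", "slave")] * 3  # master operative again
    + [("master",)] * 3          # slave malfunctions
)


class Cluster:
    """Two-node cluster. Roles (master/slave) are fixed; the active unit is not."""

    def __init__(self):
        self.active = "master"                   # the master is active initially
        self.missed = {"master": 0, "slave": 0}  # heartbeats missed from each node
        self.log = []

    def standby(self):
        return "slave" if self.active == "master" else "master"

    def tick(self, healthy):
        """Process one heartbeat interval; `healthy` is the set of nodes heard from."""
        for node in self.missed:
            self.missed[node] = 0 if node in healthy else self.missed[node] + 1
        standby = self.standby()
        # The standby monitors the active unit. Failover happens only when the
        # active unit is declared failed and the standby itself is healthy.
        if self.missed[self.active] >= MISSED_LIMIT and self.missed[standby] == 0:
            self.log.append(f"failover: {self.active} -> {standby}")
            self.active = standby
        # No branch returns the active role to a recovered master: it stays
        # on standby until the currently active unit fails.
        return self.active


def run(timeline):
    """Replay a timeline; return the active unit per interval and the failover log."""
    cluster = Cluster()
    return [cluster.tick(set(healthy)) for healthy in timeline], cluster.log


if __name__ == "__main__":
    actives, log = run(SAMPLE_TIMELINE)
    print(actives)
    print(log)
```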