HUAWEI USG6000E, USG6000, USG9500, and NGFW Module V500, V600 Troubleshooting Guide

FAQ About Hot Standby (Mechanisms)

Must I Set a Physical IP Address for the Uplink or Downlink Interface After I Set the Virtual IP Address of the VRRP Group on the Interface

Yes. You must set a physical IP address for the interface before you set the virtual IP address of the VRRP group on the interface. The physical IP address and the virtual address of the IPv4 VRRP group can reside on the same network segment or different network segments. But the physical IP address and the virtual address of the IPv6 VRRP group must reside on the same network segment.

Why Does the Active Firewall Require a Longer Preemption Delay Than That on the Standby Firewall

Preemption starts only after the original active firewall recovers. If the preemption delay on the active firewall is shorter than that on the standby firewall, the active firewall may switch back to the active state before the session entries on the standby firewall have been completely synchronized to it. Therefore, the active firewall requires a longer preemption delay.

Which Commands Related to Interfaces Can Be Backed Up and Which Cannot

The following commands related to the interfaces can be backed up:

  • Command that creates subinterfaces
  • Command that creates logical interfaces such as Eth-Trunk interfaces
  • Command that adds an interface to an Eth-Trunk
  • Command that adds an interface to a security zone

The following commands related to interfaces cannot be backed up:

  • Command that sets an IP address for an interface
  • Command that configures VRRP on an interface
  • Command that applies an IPSec policy to an interface
  • Command that shuts down an interface

Why Cannot I Run Commands on the Standby Firewall

After two firewalls are set up in active/standby mode, the commands that can be automatically backed up cannot be manually configured on the standby firewall.

The configuration commands on the active firewall can be automatically synchronized to the standby firewall.

To manually configure these commands on the standby firewall, you need to disable automatic backup (undo hrp auto-sync config) and allow the configuration modification on the standby firewall (hrp standby config enable).

Does a Long Preemption Delay on the Active Firewall Affect the Failure Response Speed

No. If the active firewall fails, services are immediately switched to the standby firewall. After the original active firewall recovers, it must wait for the preemption delay before preempting. During the delay, the standby firewall is working. Therefore, the long preemption delay of the active firewall does not affect the failure response speed.

Why Doesn't the Original Active Firewall Preempt After Recovery

Possible causes are as follows:

  • The preemption function is disabled.
  • The preemption conditions are not met. The original active firewall does not immediately preempt after recovery. Instead, it waits for a delay before the preemption. The preemption delay is set to avoid unstable active/standby switchovers.

What Are the Differences Between Automatic Session Backup and Quick Session Backup? Why Is Quick Session Backup Required in Case of Inconsistent Forward and Reverse Paths

The differences between quick session backup and automatic session backup are as follows:

  • In quick session backup, sessions are synchronized to the standby firewall immediately after being set up. In automatic session backup, only sessions that require backup and are detected by the session aging thread are synchronized to the standby firewall.
  • The quick session backup function can back up half-open TCP sessions and UDP sessions with only one packet.

If the forward and reverse paths are different, enable quick session backup to ensure that the sessions on the two firewalls are the same.

Must the Heartbeat Interfaces Be Directly Connected

Direct connection between the heartbeat interfaces is recommended. If the heartbeat interfaces of the firewalls are not directly connected and heartbeat packets are dropped, the HRP status of the two firewalls may be abnormal.

How Does the Adjustment to the HRP Heartbeat Packet Sending Interval Affect the Networking

HRP heartbeat packets are used to detect the connection status of the active and standby firewalls. If the standby firewall does not receive any heartbeat packet from the peer within five consecutive sending intervals, the standby firewall considers that the peer fails and switches to the active state. Therefore, a short HRP heartbeat packet sending interval speeds up failure response of the firewalls.

However, an excessively short interval may make the hot standby status unstable. When the firewall CPU is overloaded, the task that sends heartbeat packets may not be scheduled in time, which causes a false switchover. Therefore, the default value, 1 second, is recommended.

What Should I Pay Attention to When Configuring IPSec VPN in Hot Standby Networking

  • The service interfaces (including VLANIF interfaces) connecting the firewall to upstream and downstream devices must work at Layer 3.
  • Before configuring IPSec VPN, you must establish the hot standby status. The IPSec policy configured on the active firewall will be automatically synchronized to the standby one. On the standby firewall, you only need to apply the synchronized IPSec policy to the outgoing interface.
  • If the firewall serves as the initiator of the IPSec tunnel, you must run the tunnel local ip-address command to specify the virtual IP address of the VRRP group as the IP address for IPSec negotiation.
  • Configure DPD to delete the tunnel that has been established on the original active firewall after an active/standby switchover to prevent packet loss.

Is Security Policy Required to Permit Packets Between the Local Zone and the Zone Where the Heartbeat Interface Resides

Not required.

Can Configuration Changes Made on the Standby Device That Takes Over Services After the Active Device Is Faulty Be Automatically Synchronized to the Active Device

  • If only an interface or link of the active device is faulty, the device itself is not restarted or powered off, and the heartbeat interface is normal, configuration changes on the standby device that can be backed up are synchronized to the active device in real time.
  • If the active device is restarted or powered off, configurations are automatically synchronized from the standby device after the active device recovers from the fault and is restarted. That is, in this scenario, configuration changes on the standby device can also be synchronized to the active device.

    The configuration can be automatically synchronized after restart only after you run the hrp base config enable command to enable the corresponding function. If the function is disabled, the configuration is not automatically synchronized from the standby device after the active device is restarted.

On a Hot Standby Network, What Do Designated Active Device and Designated Standby Device Stand For

On load balancing networks, both firewalls are active. Therefore, if both firewalls synchronize commands to each other, command overwrite or conflict problems may occur. To centrally manage the configurations of the two firewalls, you need to configure the designated active and standby devices.

On load balancing networks, the sender of the configuration backup command is the designated active device (identified by HRP_M), and the receiver is the designated standby device (identified by HRP_S).

On load balancing networks, configuration commands can be backed up only from the designated active device to the designated standby device, but not the other way around. Status information, however, can be mutually backed up.

On load balancing networks, the firewall whose name (sysname) sorts first in ASCII order is the designated active device. For example, when FW_A and FW_B share load, FW_A is the designated active device. If the sysnames are identical, the firewall whose system clock was earlier when the hrp enable command was executed is the designated active device, and the firewall with the later clock is the designated standby device.

Can Firewalls Running Different V5 Versions Implement Hot Standby

In versions earlier than V500R001C30SPC300, sessions need to be re-created during the upgrade, so services may be temporarily affected.

From V500R001C30SPC300, the software versions of the active and standby firewalls can be inconsistent during the upgrade or rollback. For example, if one firewall is upgraded from V500R001C30SPC300 to V500R001C50, the two firewalls can still run normally. However, configurations cannot be backed up between the active and standby firewalls while the versions differ. Therefore, do not deliver configurations unrelated to the upgrade or rollback to the firewalls during the upgrade or rollback. For stable operation in the long run, upgrade or roll back both firewalls to the same version. For details, see the upgrade guide.

Before the upgrade or rollback, run the undo hrp base config enable command on the active and standby firewalls to disable the function of synchronizing configurations from the peer after restart. If this function is enabled and the firewalls restart after the upgrade or rollback, they will synchronize configurations from the peer. However, configuration commands of different versions may vary. If the configurations synchronized from the peer conflict with the local software version, the configurations cannot be restored.

What Are Sessions Related to Firewall Hot Standby

  • Sessions related to the HRP status

    If multiple heartbeat interfaces are configured, each heartbeat interface has the following sessions. That is, each heartbeat interface generates two status sessions.

    • Session from the peer heartbeat interface IP address and source port 49152 to the local heartbeat interface IP address and destination port 18514
       udp  VPN: public --> public  ID: a58f392656b8850f765b09791e                    
       Zone: trust --> local  TTL: 00:02:00  Left: 00:01:59                           
       Recv Interface: GigabitEthernet1/0/0                                           
       Interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 0000-0000-0000                
       <--packets: 0 bytes: 0 --> packets: 2023 bytes: 347,848                        
       1.1.1.1:49152 --> 1.1.1.2:18514 PolicyName: --- 
    • Session from the local heartbeat interface IP address and source port 49152 to the peer heartbeat interface IP address and destination port 18514
       udp  VPN: public --> public  ID: a58f392656ab07590c5b09791e                    
       Zone: local --> trust  TTL: 00:02:00  Left: 00:02:00                           
       Recv Interface: InLoopBack0                                                    
       Interface: GigabitEthernet1/0/0  NextHop: 1.1.1.1  MAC: 04fe-8df4-18f9         
       <--packets: 0 bytes: 0 --> packets: 2026 bytes: 348,731                        
       1.1.1.2:49152 --> 1.1.1.1:18514 PolicyName: ---

  • Sessions related to backup between the two firewalls

    Session from the peer heartbeat interface IP address and source port 16384 to the local heartbeat interface IP address and destination port 18514

     udp  VPN: public --> public  ID: a58f3a6babb902d7615b097950
     Zone: trust --> local  TTL: 00:02:00  Left: 00:01:59                 
     Recv Interface: GigabitEthernet1/0/0 
     Interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 0000-0000-0000 
     <--packets: 0 bytes: 0 --> packets: 844 bytes: 83,358 
     1.1.1.2:16384 --> 1.1.1.1:18514 PolicyName: ---
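To make the two kinds of HRP sessions easier to recognise in practice, here is an added Python example (not part of the Huawei guide) that parses verbose session output in the format shown above and classifies each session by the documented ports: UDP source port 49152 to destination port 18514 for status (heartbeat) sessions, and source port 16384 to destination port 18514 for backup sessions. The sample text is constructed from the output shown above, reduced to the lines the parser needs; the field names and the checks in hrp_summary are this example's own, not a Huawei interface.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ports documented above for HRP traffic between the heartbeat interfaces.
HRP_DST_PORT = 18514          # destination port of every HRP packet
HRP_STATUS_SRC_PORT = 49152   # status (heartbeat) sessions, one pair per heartbeat interface
HRP_BACKUP_SRC_PORT = 16384   # configuration and session backup


@dataclass
class Session:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    zone_from: str
    zone_to: str
    fwd_packets: int   # the "--> packets" counter (packets from src to dst)
    rev_packets: int   # the "<--packets" counter (packets from dst to src)

    def hrp_kind(self) -> Optional[str]:
        """'status', 'backup', or None when the session is not HRP traffic."""
        if self.proto != "udp" or self.dst_port != HRP_DST_PORT:
            return None
        return {HRP_STATUS_SRC_PORT: "status", HRP_BACKUP_SRC_PORT: "backup"}.get(self.src_port)

    def direction(self) -> str:
        """Sessions that terminate in the local zone carry traffic sent by the peer."""
        return "inbound" if self.zone_to == "local" else "outbound"


_FLOW_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+)\s+-->\s+(\d+\.\d+\.\d+\.\d+):(\d+)")
_ZONE_RE = re.compile(r"Zone:\s*(\S+)\s+-->\s+(\S+)")
_PKTS_RE = re.compile(r"<--packets:\s*(\d+)\s+bytes:\s*[\d,]+\s+-->\s+packets:\s*(\d+)")


def parse_sessions(text: str) -> List[Session]:
    """Parse verbose session blocks: each starts with the protocol line
    ("udp  VPN: public --> public ...") and ends with the 5-tuple line."""
    sessions: List[Session] = []
    proto: Optional[str] = None
    zone_from = zone_to = ""
    fwd = rev = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        first = line.split()[0]
        if first in ("udp", "tcp", "icmp") and "VPN:" in line:
            proto, zone_from, zone_to, fwd, rev = first, "", "", 0, 0   # new block
            continue
        m = _ZONE_RE.search(line)
        if m:
            zone_from, zone_to = m.group(1), m.group(2)
            continue
        m = _PKTS_RE.search(line)
        if m:
            rev, fwd = int(m.group(1)), int(m.group(2))
            continue
        m = _FLOW_RE.match(line)
        if m and proto:
            sessions.append(Session(proto, m.group(1), int(m.group(2)), m.group(3),
                                    int(m.group(4)), zone_from, zone_to, fwd, rev))
            proto = None   # block complete
    return sessions


def hrp_summary(sessions: List[Session]) -> Dict[str, object]:
    """Count HRP sessions by kind and direction and flag what a healthy pair should have."""
    status_in = [s for s in sessions if s.hrp_kind() == "status" and s.direction() == "inbound"]
    status_out = [s for s in sessions if s.hrp_kind() == "status" and s.direction() == "outbound"]
    backup = [s for s in sessions if s.hrp_kind() == "backup"]
    problems: List[str] = []
    if not status_in:
        problems.append("no inbound status session: peer heartbeats are not arriving")
    if not status_out:
        problems.append("no outbound status session: local heartbeats are not being sent")
    for s in status_in:
        if s.fwd_packets == 0:
            problems.append(f"inbound status session from {s.src_ip} has received no packets")
    if not backup:
        problems.append("no backup session: configuration/session backup is not running")
    return {"status_inbound": len(status_in), "status_outbound": len(status_out),
            "backup": len(backup), "problems": problems}


# Constructed sample, taken from the output shown above (interface lines omitted).
SAMPLE = """
udp  VPN: public --> public  ID: a58f392656b8850f765b09791e
Zone: trust --> local  TTL: 00:02:00  Left: 00:01:59
<--packets: 0 bytes: 0 --> packets: 2023 bytes: 347,848
1.1.1.1:49152 --> 1.1.1.2:18514 PolicyName: ---
udp  VPN: public --> public  ID: a58f392656ab07590c5b09791e
Zone: local --> trust  TTL: 00:02:00  Left: 00:02:00
<--packets: 0 bytes: 0 --> packets: 2026 bytes: 348,731
1.1.1.2:49152 --> 1.1.1.1:18514 PolicyName: ---
udp  VPN: public --> public  ID: a58f3a6babb902d7615b097950
Zone: trust --> local  TTL: 00:02:00  Left: 00:01:59
<--packets: 0 bytes: 0 --> packets: 844 bytes: 83,358
1.1.1.2:16384 --> 1.1.1.1:18514 PolicyName: ---
"""
```

Feed the output of the session table command to parse_sessions and inspect hrp_summary: an inbound status session whose forward counter stays at 0 means the peer's heartbeats are not reaching this firewall, which is exactly the condition that leads to the dual-active state described later on this page.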

In the Hot Standby Networking, How to Select the Running Heartbeat Interface If Multiple Heartbeat Interfaces Are Configured

Select the heartbeat interface in running state according to the following rules:

  1. Configuration sequence: The first configured heartbeat interface is always selected for negotiation.

    If the configuration sequences of the heartbeat interfaces on the two firewalls are different, the running heartbeat interfaces on the active and standby firewalls may be different. Therefore, the heartbeat interfaces on the active and standby firewalls must be configured in the same sequence.

  2. If the first heartbeat interface fails to be negotiated, the next heartbeat interface is selected according to the configuration sequence.
  3. If the previous heartbeat interface recovers, it preempts to be the running interface.

Why Is the Firewall Still Active After the hrp standby-device Command Is Configured

If the hrp standby-device command and VRRP group are both configured on a firewall, the status of the firewall is determined by the configuration of the VRRP group. The configuration of the hrp standby-device command is invalid. Therefore, if a VRRP group is configured, you are not advised to run the hrp standby-device command on the firewall.

On a Hot Standby Network, Which Packets Are Used by Upstream and Downstream Layer 3 Devices to Learn the MAC Address of a Virtual IP Address

To forward packets, upstream and downstream Layer 3 devices look up the routing table for the next hop, that is, the virtual IP address of the VRRP group. Then the devices look up the ARP table for the MAC address of the virtual IP address. If no match is found, the devices broadcast an ARP request. Only the active firewall responds to ARP requests.

In the ARP reply, the source MAC address in the Ethernet header is the MAC address of the interface that sends the reply, and the sender Ethernet address in the reply payload is the virtual MAC address of the VRRP group. Upstream and downstream Layer 3 devices learn the virtual MAC address mapped to the virtual IP address through the ARP reply.

Upstream and downstream devices pad the destination MAC address field of the Ethernet header with the virtual MAC address and send the packets to the firewall.

On a Hot Standby Network, Which Packets Are Used by Upstream and Downstream Layer 2 Devices to Learn the Outgoing Interface for the Virtual MAC Address

Only the active firewall periodically sends VRRP advertisement packets. The source MAC address of these packets is the virtual MAC address of the VRRP group. Upstream and downstream Layer 2 devices learn the outgoing interface mapped to the virtual MAC address through the VRRP advertisement packets.

What Are Differences Between hrp auto-sync and hrp sync

hrp auto-sync indicates automatic backup, which is enabled by default. In automatic backup, subsequent configuration and status entries are backed up to the standby firewall, and status entries newly created on the standby firewall are backed up to the active firewall. The command does not affect existing configurations and status entries.

hrp sync immediately backs up the existing configurations and status entries from the active firewall to the standby firewall. The command takes effect immediately and does not affect subsequent configurations and status table entries.

Does hrp track interface Monitor the Physical or Protocol Status of an Interface

hrp track interface monitors only the physical status of an interface. If the physical status of the interface is Up but no IP address is configured on it, its protocol status is Down. In this case, the hrp track interface configuration on the interface does not decrease the priority of the VGMP group by 2, because the physical status is still Up.

How Is the VGMP Group Priority Calculated in Case of an Interface Fault

In normal cases, the priorities of the VGMP groups on the active and standby firewalls are the same.

The impact of the interface fault on the VGMP group priority is related to the configuration. The details are as follows:

  • If a VRRP group is configured on an interface and the interface is faulty, the priority of the VGMP group decreases by 2 x number of VRRP groups on the interface.
  • If you have run the hrp track interface command to configure a VGMP group to monitor the physical interface status, the priority of the VGMP group decreases by 2 for each faulty physical interface.
  • If you have run the hrp track interface command to configure a VGMP group to monitor the status of an Eth-Trunk or IP-Trunk interface and some member interfaces of the trunk interface are faulty, the priority of the VGMP group decreases by 2 x number of faulty member interfaces by default. If all member interfaces of a trunk interface are faulty, the priority of the VGMP group decreases by 2 x (1 + number of member interfaces).
  • If a VRRP group is configured on an interface and the hrp track interface command has been run to configure a VGMP group to monitor the interface status and the interface is faulty, the reduction of the priority of the VGMP group is accumulative. For example, two VRRP groups are configured on GigabitEthernet1/0/1, and the hrp track interface GigabitEthernet 1/0/1 command has been configured on the interface. If the interface is faulty, the priority of the VGMP group decreases by 6.
  • If the hrp track vlan command has been used to monitor the VLAN status and an interface added to the VLAN is faulty, the priority of the VGMP group decreases by 2 for each faulty interface.
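The rules above combine additively, which is easy to get wrong when an interface carries VRRP groups and is also tracked. The following Python example is added here and is not part of the Huawei guide: it models the five rules as a single function and reproduces the worked case from the text (two VRRP groups plus hrp track on GigabitEthernet1/0/1 giving a reduction of 6). The Interface and Vlan classes and the example functions are this example's own; how VRRP groups on a trunk interface are counted when every member fails is an assumption, since the text does not spell that case out.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Set

PENALTY = 2  # every monitored failure lowers the VGMP group priority by 2


@dataclass
class Interface:
    name: str
    vrrp_groups: int = 0            # number of VRRP groups configured on the interface
    hrp_tracked: bool = False       # "hrp track interface <name>" configured
    trunk_members: List[str] = field(default_factory=list)  # non-empty for Eth-Trunk/IP-Trunk


@dataclass
class Vlan:
    vlan_id: int
    members: List[str]              # interfaces added to the VLAN
    hrp_tracked: bool = False       # "hrp track vlan <id>" configured


def priority_reduction(interfaces: Iterable[Interface], vlans: Iterable[Vlan],
                       down: Set[str]) -> int:
    """Total VGMP priority reduction caused by the interfaces named in `down`.

    Implements the rules listed above; all reductions are cumulative.
    """
    total = 0
    for itf in interfaces:
        if itf.trunk_members:
            failed = [m for m in itf.trunk_members if m in down]
            all_failed = bool(failed) and len(failed) == len(itf.trunk_members)
            if itf.hrp_tracked and failed:
                # Some members down: 2 per failed member. All members down: 2 x (1 + members).
                total += PENALTY * (1 + len(itf.trunk_members)) if all_failed else PENALTY * len(failed)
            if all_failed:
                # Assumption (not stated above): VRRP groups on a trunk are counted only
                # when the trunk itself is down, i.e. when every member has failed.
                total += PENALTY * itf.vrrp_groups
            continue
        if itf.name in down:
            total += PENALTY * itf.vrrp_groups       # 2 per VRRP group on the faulty interface
            if itf.hrp_tracked:
                total += PENALTY                      # plus 2 for the tracked interface itself
    for vlan in vlans:
        if vlan.hrp_tracked:
            total += PENALTY * sum(1 for m in vlan.members if m in down)  # 2 per faulty member
    return total


def should_switch_over(local_priority: int, peer_priority: int) -> bool:
    """A firewall yields the active role once its VGMP priority drops below the peer's.

    Equal priorities (the normal case) leave the current roles unchanged.
    """
    return local_priority < peer_priority


def example_vrrp_plus_track() -> int:
    """The case from the text: two VRRP groups on GE1/0/1 plus hrp track on that interface."""
    ge = Interface("GigabitEthernet1/0/1", vrrp_groups=2, hrp_tracked=True)
    return priority_reduction([ge], [], {"GigabitEthernet1/0/1"})


def example_trunk(failed_members: int) -> int:
    """A tracked 4-member Eth-Trunk with the given number of failed members."""
    members = [f"GigabitEthernet1/0/{i}" for i in range(1, 5)]
    trunk = Interface("Eth-Trunk1", hrp_tracked=True, trunk_members=members)
    return priority_reduction([trunk], [], set(members[:failed_members]))


def example_vlan(failed_members: int) -> int:
    """A tracked VLAN with three member interfaces and the given number of faulty members."""
    members = ["GigabitEthernet1/0/5", "GigabitEthernet1/0/6", "GigabitEthernet1/0/7"]
    return priority_reduction([], [Vlan(10, members, hrp_tracked=True)], set(members[:failed_members]))
```

The jump from 2 x 3 = 6 (three of four trunk members down) to 2 x (1 + 4) = 10 (all four down) is the detail to keep in mind when comparing the two firewalls' priorities after a partial trunk failure.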

Why Cannot Easy IP Be Deployed with Hot Standby

You cannot specify the VRID in Easy IP configuration. In normal cases, the active firewall uses the IP address of its outgoing interface as the public address to set up sessions. After active/standby switchover, the standby firewall also uses the IP address of its outgoing interface as the public address. In this case, the sessions synchronized from the active firewall do not match the IP address of the outgoing interface on the standby firewall. As a result, services are interrupted.

In Hot Standby Deployment, Does the Firewall Immediately Take Over the Active Role After Its Restart and Before Its Successful Negotiation with the Peer About the Active/Standby Relationship

Before a software version upgrade in hot standby deployment, the service and heartbeat interfaces of the firewall being upgraded are shut down, so the active firewall is isolated from the standby firewall and each is upgraded separately. Because the heartbeat interface remains shut down in this scenario, the firewall cannot negotiate the active/standby relationship with the peer after it restarts.

The firewall does not immediately take over the active role. If it did, services could be interrupted after the switchover because the MPU and LPUs of the firewall have not been completely restored.

After the firewall starts and before it successfully negotiates with the peer, it takes over the active role only if all the following conditions are met:

  • The MPU configuration is restored.
  • At least one CPU is operating.
  • The configuration of at least one LPU on which the heartbeat interface resides is restored.

If all the preceding conditions are met, the firewall waits 30 seconds and then takes over the active role. If any condition is not met, the firewall does not preempt the active role. For example, if the firewall uses an Eth-Trunk interface as the heartbeat interface and an LPU is faulty, the firewall cannot detect the Eth-Trunk member interfaces on that LPU after it restarts, so it remains standby.

What Is the Active/Standby Status When the Heartbeat Interface Is Abnormal in a Hot Standby Scenario

In a hot standby scenario, if the heartbeat interface on the active firewall is abnormal (for example, the heartbeat link is abnormal, or the LPU where the heartbeat interface resides is faulty), the firewall cannot properly receive or send heartbeat packets, and the active/standby status cannot be negotiated. If the standby firewall does not receive heartbeat packets from the active firewall in five consecutive packet sending intervals, the standby firewall considers the peer faulty and switches to be active. As a result, both firewalls are active.

In Hot Standby Networking, Can the Commands That Are Allowed to Be Configured on the Standby Firewall Be Synchronized to the Active Firewall

After you run the hrp standby config enable command to enable the function of configuring commands on the standby firewall, the commands configured on the standby firewall are synchronized to the active firewall in real time.

Will the Session Entries on the Standby Firewall Be Synchronized to the Active Firewall

If traffic passes through the standby firewall, the new sessions on the standby firewall are synchronized to the active firewall in real time.

How Long Does an Active/Standby Switchover Take

The duration of an active/standby switchover depends on triggering conditions:

  • If the active/standby switchover is caused by an interface or link fault, the switchover completes within milliseconds.
  • If the active/standby switchover is caused by a device failure, the switchover completes within five heartbeat packet sending intervals.

Can the Virtual IP Address of a VRRP Group Be Added to the NAT Address Pool

Yes. If the virtual IP address of the VRRP group is the only public IP address for the intranet, you can add the virtual IP address to the NAT address pool.

Which Types of Interfaces Can Function as Service Interfaces or Heartbeat Interfaces

Table 13-11 shows whether a type of interface can function as the service interface or heartbeat interface.

Table 13-11 Common interfaces

Interface Type       | Service Interface          | Heartbeat Interface
---------------------|----------------------------|------------------------------
GE interface         | Supported and recommended  | Supported and recommended
Eth-Trunk interface  | Supported and recommended  | Supported and recommended
Subinterface         | Supported                  | Supported but not recommended
VLANIF interface     | Supported                  | Supported but not recommended

Subinterfaces and VLANIF interfaces share one physical interface with other subinterfaces or VLANIF interfaces. If traffic on other subinterfaces or VLANIF interfaces is heavy, heartbeat packets are lost. Therefore, subinterfaces or VLANIF interfaces are not recommended as heartbeat interfaces.

Can the Virtual MAC Address Be Used as the Source MAC Address of Packets

Yes. By default, a firewall uses the physical MAC address to encapsulate Layer 3 service packets. To use the virtual MAC address, run the vrrp virtual-mac enable command in the interface view.

What Are Differences Between FW Hot Standby and Router Dual-link Backup

Their packet forwarding mechanisms are different.

  • For a router, service packets are forwarded packet by packet. The router looks up the routing table and interface-based ACL. Packets are forwarded only if a corresponding match is found. After a link switchover, subsequent packets are continuously forwarded. Each packet is independently processed.
  • As a stateful firewall, the FW checks only the first packet of a flow. If the first packet is permitted, the FW creates a session entry keyed on the 5-tuple. Subsequent packets (including return packets) that match this session entry are permitted. If a link switchover occurs and the sessions were not backed up, subsequent packets cannot find matching session entries, and services are interrupted. When NAT is configured on a router, similar problems may occur because the router also creates per-flow NAT entries.

On a Hot Standby Network, Can Upstream and Downstream Devices Be Layer 4 Switches

Yes. In this networking, the firewall must use the virtual MAC address to encapsulate service packets. Otherwise, services are interrupted after an active/standby switchover.

By default, the firewall uses the physical MAC address to encapsulate service packets. On this network, Layer 4 switches establish a connection status table to record the source MAC address (MAC address of the service interface on the active firewall) in the packets forwarded by the firewall. Layer 4 switches forward packets based on the connection status table. Therefore, packets are sent to the original active firewall if the physical MAC address is used. As a result, services are interrupted.

If the virtual MAC address is used, the connection status tables on Layer 4 switches record the virtual MAC address. After an active/standby switchover, Layer 4 switches can forward service packets to the new active firewall.

Corresponding to the virtual IP address, the virtual MAC address is automatically generated based on the VRID in either of the following formats:

  • IPv4: 00-00-5E-00-01-{VRID}
  • IPv6: 00-00-5E-00-02-{VRID}

On a service interface of the firewall, you can run the following commands to use the virtual MAC address to encapsulate service packets:

<sysname> system-view
[sysname] interface GigabitEthernet 1/0/1
[sysname-GigabitEthernet1/0/1] vrrp virtual-mac enable
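The ARP behaviour described earlier on this page (Ethernet source MAC is the physical MAC of the replying interface, while the ARP sender hardware address is the VRRP virtual MAC) and the virtual MAC format above are the two facts needed to check, from a capture, whether the device answering for a virtual IP address is really the active firewall. The following Python example is added here and is not part of the Huawei guide: it derives the virtual MAC from the VRID for IPv4 and IPv6, parses an Ethernet/ARP reply frame, and flags a reply whose sender hardware address is not the expected virtual MAC. The frames, the VRID of 1, the virtual IP 10.1.1.254 and all MAC addresses used as samples are constructed for the example.

```python
import struct
from typing import NamedTuple

ETHERTYPE_ARP = 0x0806
ARP_OP_REPLY = 2


def vrrp_virtual_mac(vrid: int, ipv6: bool = False) -> str:
    """Virtual MAC from the VRID: 00-00-5E-00-01-{VRID} for IPv4, 00-00-5E-00-02-{VRID} for IPv6."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return "00-00-5e-00-%02x-%02x" % (0x02 if ipv6 else 0x01, vrid)


def mac_bytes(text: str) -> bytes:
    """Accept 00-00-5e-00-01-01, 00:00:5e:00:01:01 or Huawei-style 04fe-8df4-18f9."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def mac_text(b: bytes) -> str:
    return "-".join("%02x" % x for x in b)


class ArpReply(NamedTuple):
    eth_src: str      # source MAC in the Ethernet header (physical MAC of the replying interface)
    sender_mac: str   # sender hardware address in the ARP payload (virtual MAC for a VRRP VIP)
    sender_ip: str
    target_mac: str
    target_ip: str


def build_arp_reply(eth_src: str, eth_dst: str, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet II + ARP reply frame; used here only to construct sample frames."""
    header = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_OP_REPLY)   # Ethernet, IPv4, hlen 6, plen 4
    arp += mac_bytes(sender_mac) + bytes(int(o) for o in sender_ip.split("."))
    arp += mac_bytes(target_mac) + bytes(int(o) for o in target_ip.split("."))
    return header + arp


def parse_arp_reply(frame: bytes) -> ArpReply:
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol encoding")
    if oper != ARP_OP_REPLY:
        raise ValueError("not an ARP reply")
    return ArpReply(mac_text(frame[6:12]), mac_text(frame[22:28]),
                    ".".join(str(x) for x in frame[28:32]),
                    mac_text(frame[32:38]), ".".join(str(x) for x in frame[38:42]))


def check_vip_reply(frame: bytes, vip: str, vrid: int) -> str:
    """'ok' when the reply for the virtual IP carries the VRRP virtual MAC, otherwise the reason.

    Only the ARP sender hardware address is compared: the Ethernet source is expected
    to be the physical MAC of the replying interface and legitimately differs.
    """
    reply = parse_arp_reply(frame)
    if reply.sender_ip != vip:
        return f"reply is for {reply.sender_ip}, not the virtual IP {vip}"
    expected = vrrp_virtual_mac(vrid)
    if reply.sender_mac != expected:
        return f"sender MAC {reply.sender_mac} is not the virtual MAC {expected}: possible rogue responder"
    return "ok"


# Constructed samples (assumed values): VRID 1, virtual IP 10.1.1.254, upstream router 10.1.1.1.
VIP, VRID = "10.1.1.254", 1
ROUTER_MAC, PHYS_MAC = "00-11-22-33-44-55", "04fe-8df4-18f9"
GOOD_REPLY = build_arp_reply(PHYS_MAC, ROUTER_MAC, vrrp_virtual_mac(VRID), VIP, ROUTER_MAC, "10.1.1.1")
ROGUE_REPLY = build_arp_reply("66-77-88-99-aa-bb", ROUTER_MAC, "66-77-88-99-aa-bb", VIP, ROUTER_MAC, "10.1.1.1")
```

A reply that passes check_vip_reply but arrives with an unexpected Ethernet source MAC is still worth a look: it tells you which physical interface answered, which after a switchover should be the new active firewall's service interface.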

Why Are the Sessions of the Current Active Firewall Marked with remote After an Active/Standby Switchover

In hot standby scenarios, remote indicates that the session is generated on the active firewall and then backed up to the standby firewall. Sessions with the remote tag are not deleted until they are aged out. After an active/standby switchover, the session entries backed up from the original active firewall still carry the remote tag until they are aged out.

Does a Long Preemption Delay for the Active Device Affect the Failure Response Speed

No. If the FW fails, the active/standby switchover is performed immediately. Preemption starts only after fault recovery. During fault recovery, the other FW works properly. Therefore, services are not affected.

What Is the Impact on the Networking When the hrp timer hello Value Is Adjusted

The hrp timer hello command is used to set an interval at which the firewall sends VGMP packets, HRP heartbeat packets, and HRP link detection packets. The impact of this command on hot standby is as follows:

  • The two firewalls send VGMP packets to each other to learn the peer status and VGMP group priority. When the priority of the local VGMP group changes, the local firewall compares its VGMP group priority with that of the peer to determine whether to trigger an active/standby switchover. Therefore, a smaller interval allows the firewall to promptly learn the peer status.
  • HRP heartbeat packets are used to detect whether the peer is working. If a firewall does not receive heartbeat packets from the peer within five heartbeat packet sending intervals, it considers the peer faulty and switches to the active role. Therefore, a smaller interval can speed up the active/standby switchover if the active firewall is faulty.
  • HRP link detection packets are used to check whether the heartbeat interface of the peer is normal. Therefore, a smaller interval allows the firewall to quickly detect the status of the peer heartbeat interface. If the heartbeat interface is faulty, the firewall can quickly switch to the standby heartbeat interface to send packets.

However, the interval cannot be set too small, especially when the CPU usage of the firewall management plane is high. If the CPU usage on the management plane is high and the interval is set to a very small value, the task for sending HRP heartbeat packets may not be scheduled within five heartbeat packet sending intervals. As a result, the active/standby switchover is performed unexpectedly. Generally, the default value 1000 ms is recommended.

Can I Adjust the Cost Value of the Link Where the Standby Device Is Located in Load Balancing Networking

No.

Update Date:2024-01-30
Document ID:EDOC1000179232