
HA how it works




This topic has been archived. This means that you cannot reply to this topic.
7 replies to this topic

#1 Maciej

Maciej
  • Members
  • 4 posts

Posted 02 February 2016 - 04:27 AM

Hi,

 

Recently, I bought a second 400 Spam Firewall unit for my network. I want to cluster them in active/passive mode. Both units will be placed behind the corporate firewall.

And here is the first question: how does it work?

 

In case barracuda1 fails, barracuda2 will take an active role, but what happens with its IP address? Does it remain unchanged? If yes, how do I set up the corporate firewall (NAT with a rule allowing traffic to the two units)?

 

Regards

Maciej



#2 Barry van Hattum

Barry van Hattum
  • Members
  • 22 posts

Posted 02 February 2016 - 04:44 AM

Hi Maciej,

 

The units cannot be active/passive. They are active/active. If you cluster them, the second unit copies the config from the first unit. Load balancing can be done through load balancers or through DNS. If you create a DNS record that points to the external IP addresses of the Barracudas, the sending mail server will choose one of the two based on the priority in the DNS record. If the priority is the same for both units, the email will be load balanced across both devices. If one unit fails, it can obviously no longer be reached and all email will be sent to the remaining device.

 

Hope this helps.



#3 Maciej

Maciej
  • Members
  • 4 posts

Posted 02 February 2016 - 07:20 AM

Thanks for the fast reply.

The problem is, I don't have a load balancer. So I think the only way is to set MX records in DNS to point to these two Barracuda systems.

 

Do you think I can stay with the default setting in DNS (pointing only to the public IP) and direct traffic on my corporate firewall to those two units (one public IP hiding two Barracuda units)?

 

But going back for a moment to HA mode: what is the option passive (HA section) for?

 

Regards

Maciej



#4 Barry van Hattum

Barry van Hattum
  • Members
  • 22 posts

Posted 02 February 2016 - 07:45 AM

Hi,

 

Where do you see "Passive"? When I go to "Advanced" -> "Clustering", under the section "Clustered Systems" I see the devices in the cluster. They are either "active" or "standby". Active obviously means actively responding to traffic, and "standby" means it is not responding to traffic.

 

If you want to distribute traffic over two appliances, you need some form of load balancing. This does not have to be a load balancer appliance, but can also be done through DNS. If you direct all traffic to your public IP address on the firewall, then your firewall needs to make the decision to direct the email to one of the two units. Usually firewalls do not have this capability.

 

Your best option is to assign two private IP addresses to the Spam Firewalls, one for each unit. Then you NAT these addresses to public IP addresses on the firewall. Then you create/adjust your DNS records to point to the two public IP addresses. That way all sending email servers look for the DNS record, see two IP addresses and choose one of them. They send an email to that IP address, the firewall receives it and sends it to the corresponding Barracuda Spam Firewall.

 

This is the way we normally install Barracuda Spam Firewall clusters.

 

Hope this helps.

 

Barry
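How sending mail servers behave with the DNS setup described in the posts above, as an added Python example that is not part of the original thread: it models the MX selection rule from RFC 5321 (lowest preference first, random order among equal preferences, next host tried when one is unreachable). The hostnames and preference values are constructed placeholders.

```python
import random
from collections import Counter

# Constructed sample MX sets: (preference, hostname). Placeholders only,
# not values from the thread.
EQUAL_PRIORITY = [(10, "mx1.example.com"), (10, "mx2.example.com")]
UNEQUAL_PRIORITY = [(10, "mx1.example.com"), (20, "mx2.example.com")]


def mx_try_order(records, rng):
    """Order in which a sending MTA tries the MX hosts: lowest preference
    value first, shuffled within each group of equal preference."""
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)
        order.extend(group)
    return order


def deliver(records, reachable, rng):
    """Return the host that accepts the message, or None when no MX host
    answers and the sender has to queue the message and retry later."""
    for host in mx_try_order(records, rng):
        if host in reachable:
            return host
    return None


def simulate(records, reachable, messages=10000, seed=1):
    """Count which host receives each of `messages` simulated deliveries."""
    rng = random.Random(seed)
    return Counter(deliver(records, reachable, rng) for _ in range(messages))


if __name__ == "__main__":
    both = {"mx1.example.com", "mx2.example.com"}
    print("equal priority, both up:  ", dict(simulate(EQUAL_PRIORITY, both)))
    print("equal priority, mx1 down: ",
          dict(simulate(EQUAL_PRIORITY, {"mx2.example.com"})))
    print("unequal priority, both up:", dict(simulate(UNEQUAL_PRIORITY, both)))
```

With equal preferences the two hosts each take about half of the mail; with unequal preferences the higher-numbered host only receives mail while the other one is unreachable.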



#5 Maciej

Maciej
  • Members
  • 4 posts

Posted 02 February 2016 - 08:00 AM

OK, there has been a misunderstanding (for me passive=standby :) )

 

So now let's assume that HA is working in active/standby mode. When the active unit fails and the second unit takes over the active role, what happens with the IP? Does the IP from the old active unit go to the new active unit (old standby)?

 

R.

Maciej



#6 Barry van Hattum

Barry van Hattum
  • Members
  • 22 posts

Posted 02 February 2016 - 08:20 AM   Best Answer

No, it does not. There can be no Active/Passive. A cluster is always Active/Active. Both units are handling traffic all the time.

 

This is what I found in the help section on the appliance.

---------------

After the Barracuda Spam Firewall has joined the cluster, in the Clustered Systems section of the page, use the Mode drop-down to designate its mode:

  • Active (recommended) - An active system filters traffic and shares data with the rest of the systems in the cluster.
  • Standby - A standby system filters traffic but does not share data with the other systems.

---------------

 

This means that both units will handle traffic all the time and the only difference is that a member that is "standby" does not share info with the other member(s). However, it still does handle traffic. Both units are "active" by default.

 

Regards,

Barry



#7 Maciej

Maciej
  • Members
  • 4 posts

Posted 02 February 2016 - 08:24 AM

OK, now it's all clear.

Thanks for the help.

 

R.

Maciej



#8 Mikel

Mikel
  • Members
  • 7 posts

Posted 06 January 2020 - 05:30 AM

Hi bros, I just wonder what will happen in a special case:
Assuming that I have 2 Barracudas that are clustered with each other (ESG-1 and ESG-2).
Let's assume that an email is being processed by ESG-1, for example AntiVirus, Spam Score rating ....
So what will happen if, during this process, ESG-1 goes down? Does Barracuda ESG Clustering have a feature that supports transferring the ongoing session to another cluster member and continuing to process the email (something like the Microsoft Exchange Shadow Redundancy feature)?
Or does the client have to re-send the message?

 

Note that we only care about the email in progress at the time ESG-1 goes down; after that moment, it's certain that all upcoming email messages will be directed to ESG-2 (using a load balancer or DNS MX records).
Many thanks for your help.  :)