Vyatta Network OS Documentation


Connection Synchronization

Connection synchronization overview

Connection synchronization (connsync) supports high availability between two vRouter instances that run VRRP.

A stateful firewall rule (state enable) matches packets against existing session entries, so a backup router that takes over with an empty session table would drop every connection that was established through the master. To avoid this, the firewall session state of the VRRP master is synchronized to the backup. When a VRRP backup router becomes the master, connection synchronization initializes the firewall states in the new master from the replicated entries.

Note: State synchronization for NAT and ALG is not supported.

Connection synchronization therefore keeps existing stateful connections through the master and backup routers alive across a failover.

Note: When connection synchronization is configured on a vRouter, the maximum number of session entries that you can configure with the system session table-size command is 200000 on a system with 4 GB of memory, or 100000 on a system with 2 GB.
Note: Connection synchronization works only for active-passive configurations, in which one router of the pair forwards traffic while the other stands by.

Configuring connection synchronization

This example shows how to configure connection synchronization between two vRouters on which the firewall and VRRP are enabled. The R1 vRouter is the VRRP master and the R2 vRouter is the VRRP backup.

When you complete the example, the interfaces are configured as shown in the following figure.

Figure 1. Configuring connection synchronization

To configure connection synchronization, you must configure the failover mechanism, the synchronization interface, and the remote peer on each router.

Perform the following steps on the R1 vRouter.

Table 1. Configuring connection synchronization on the R1 vRouter
Step Command
Assign an IP address directly to the dp0p192p1 untagged Ethernet interface.
vyatta@R1# set interfaces dataplane dp0p192p1 address 192.168.1.10/24
vyatta@R1# set interfaces dataplane dp0p192p1 description Uplink
Assign an IP address directly to the dp0p224p1 untagged Ethernet interface.
vyatta@R1# set interfaces dataplane dp0p224p1 address 135.182.170.2/24
vyatta@R1# set interfaces dataplane dp0p224p1 description Downlink
Configure the firewall for the dp0p224p1 interface.
vyatta@R1# set interfaces dataplane dp0p224p1 firewall in Inbound
vyatta@R1# set interfaces dataplane dp0p224p1 firewall out Outbound
Configure the firewall for the dp0p192p1 interface.
vyatta@R1# set interfaces dataplane dp0p192p1 firewall in DNS-HTTP
Configure VRRP for the dp0p224p1 interface.
vyatta@R1# set interfaces dataplane dp0p224p1 vrrp vrrp-group 99 priority 150
vyatta@R1# set interfaces dataplane dp0p224p1 vrrp vrrp-group 99 rfc-compatibility
vyatta@R1# set interfaces dataplane dp0p224p1 vrrp vrrp-group 99 sync-group Inside
vyatta@R1# set interfaces dataplane dp0p224p1 vrrp vrrp-group 99 virtual-address 135.182.170.30
vyatta@R1# set interfaces dataplane dp0p224p1 vrrp vrrp-group 99 notify bgp
Assign an IP address to the dp0p256p1 interface. This is the dedicated point-to-point link over which session state is exchanged with R2, so a /30 is sufficient.
vyatta@R1# set interfaces dataplane dp0p256p1 address 1.1.1.1/30
vyatta@R1# set interfaces dataplane dp0p256p1 description CONNSYNC
Configure the firewall rulesets. Ruleset names are case-sensitive and must match the names attached to the interfaces exactly; the Outbound ruleset attached to dp0p224p1 must also be defined before the configuration is committed, although its rules are not shown in this example.
vyatta@R1# set security firewall name Inbound rule 10 action accept
vyatta@R1# set security firewall name Inbound rule 10 log
vyatta@R1# set security firewall name Inbound rule 10 protocol tcp
vyatta@R1# set security firewall name Inbound rule 10 state enable
vyatta@R1# set security firewall name DNS-HTTP rule 10 action accept
vyatta@R1# set security firewall name DNS-HTTP rule 10 log
vyatta@R1# set security firewall name DNS-HTTP rule 10 protocol udp
vyatta@R1# set security firewall name DNS-HTTP rule 10 state enable
vyatta@R1# set security firewall session-log tcp established
vyatta@R1# set security firewall session-log tcp fin-sent
vyatta@R1# set security firewall session-log udp closed
vyatta@R1# set security firewall session-log udp established
vyatta@R1# set security firewall session-log udp new
vyatta@R1# set security firewall session-log udp timeout
vyatta@R1# set security firewall session-log tcp fin-wait
Configure the connection synchronization failover mechanism and the interface over which state is exchanged. Use a dedicated link that is not reachable from untrusted networks: the source, destination and protocol of every session through the firewall are replicated across it, and no firewall ruleset is attached to dp0p256p1 in this example.
vyatta@R1# set service connsync failover-mechanism vrrp sync-group Inside
vyatta@R1# set service connsync interface dp0p256p1
Configure an IP address for the R2 vRouter as the remote peer.
vyatta@R1# set service connsync remote-peer 1.1.1.2
Configure SSH.
vyatta@R1# set service ssh
Verify the connection synchronization configuration.
vyatta@R1# show service
 service {
        connsync {
                failover-mechanism {
                        vrrp {
                                sync-group Inside
                        }
                }
                interface dp0p256p1
                remote-peer 1.1.1.2
        }
 }
Verify the configured interfaces.
vyatta@R1# show interfaces
 interfaces {
        dataplane dp0p160p1 {
                address 10.18.191.11/24
        }
        dataplane dp0p192p1 {
                address 192.168.1.10/24
                description Uplink
                firewall {
                        in DNS-HTTP
                }
        }
        dataplane dp0p224p1 {
                address 135.182.170.2/24
                description Downlink
                firewall {
                        in Inbound
                        out Outbound
                }
                vrrp {
                        vrrp-group 99 {
                                notify {
                                        bgp
                                }
                                priority 150
                                rfc-compatibility
                                sync-group Inside
                                virtual-address 135.182.170.30
                        }
                }
        }
        dataplane dp0p256p1 {
                address 1.1.1.1/30
                description CONNSYNC
        }
        loopback lo {
                address 7.7.7.1/32
        }
 }
Verify entries in the session table.
vyatta@R1# run show session-table
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED,
                 FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK,
                 TW - TIME WAIT, CL - CLOSE, LI - LISTEN
CONN ID  Source                 Destination      Protocol      TIMEOUT  Intf       Parent
3121279  135.182.170.204:1052   155.1.34.13:53   udp [17] new  18       dp0p192p1  0
3121307  135.182.170.218:1066   155.1.34.13:53   udp [17] new  18       dp0p192p1  0
3121433  135.182.170.206:1129   155.1.34.13:53   udp [17] new  22       dp0p192p1  0
3121438  135.182.170.134:1132   155.1.34.13:53   udp [17] new  22       dp0p192p1  0
3121447  135.182.170.213:1136   155.1.34.13:53   udp [17] new  22       dp0p192p1  0
3121509  135.182.170.244:1167   155.1.34.13:53   udp [17] new  22       dp0p192p1  0
3121539  135.182.170.184:1182   155.1.34.13:53   udp [17] new  22       dp0p192p1  0
3121544  135.182.170.112:1185   155.1.34.13:53   udp [17] new  22       dp0p192p1  0
3121565  135.182.170.197:1195   155.1.34.13:53   udp [17] new  22       dp0p192p1  0
Verify entries in the internal cache table.
vyatta@R1# run show connsync internal-cache
Number of entries: 16385
Source                         Destination                   Protocol
135.182.170.130:8886           155.1.34.62:53                 udp [17]
135.182.170.142:10198          155.1.34.50:53                 udp [17]
135.182.170.109:23089          155.1.34.85:53                 udp [17]
135.182.170.179:30361          155.1.34.75:53                 udp [17]
135.182.170.225:23826          155.1.34.16:53                 udp [17]
135.182.170.177:12593          155.1.34.95:53                 udp [17]
135.182.170.143:24313          155.1.34.93:53                 udp [17]
135.182.170.180:36112          155.1.34.110:53                udp [17]
135.182.170.171:26976          155.1.34.79:53                 udp [17]
Verify connection synchronization statistics. The tx_err/rx_err and err counters should stay at zero; a non-zero value means state is not reaching the peer.
vyatta@R1# run show connsync statistics
local:
msg: tx/rx 1/3997592 tx_err/rx_err 0/0 tx_end/rx_end 1/2
cache: size/max: 81401/1048576       insert: 1618119 update: 2172451
       delete: 33786 expired: 1124967 evicted: 0
       err: update/delete/stale 0/0/0
remote:
msg: tx/rx 1/7075953 tx_err/rx_err 0/0 tx_end/rx_end 1/0
cache: size/max: 0/1048576       insert: 3059007 update: 3718759
       delete: 99227 expired: 2977595 evicted: 0
       err: update/delete/stale 0/0/0
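The three verification commands above show the session table, the internal cache and the counters, but reading them by eye does not tell you whether the peer actually holds the master's sessions. The following Python script, added here as an example and not part of Vyatta or of the original page, parses those three output formats and reports flows that are present in the master's session table but absent from the peer's internal cache, any non-zero error counter, and a local cache that has grown past the configured session table-size. The sample outputs embedded in it are constructed in the formats shown above (one TCP entry and one missing peer entry were added to make the diff visible); on a real pair you would collect the outputs from both routers, for instance over the SSH service enabled in this example.

```python
"""Verify connsync state between a VRRP master and its peer.

Added example, not Vyatta code.  The three samples below are constructed in
the output formats of 'show session-table', 'show connsync internal-cache'
and 'show connsync statistics'; replace them with output collected from the
two routers."""
import re

# Constructed sample: session table on the master (R1).
SESSION_TABLE = """\
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED,
                 FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK,
                 TW - TIME WAIT, CL - CLOSE, LI - LISTEN
CONN ID  Source                 Destination      Protocol      TIMEOUT  Intf       Parent
3121279  135.182.170.204:1052   155.1.34.13:53   udp [17] new  18       dp0p192p1  0
3121307  135.182.170.218:1066   155.1.34.13:53   udp [17] new  18       dp0p192p1  0
3121433  135.182.170.206:1129   155.1.34.13:53   tcp [6] ES    22       dp0p192p1  0
"""

# Constructed sample: internal cache on the peer (R2); the TCP flow is missing.
PEER_CACHE = """\
Number of entries: 2
Source                         Destination                   Protocol
135.182.170.204:1052           155.1.34.13:53                 udp [17]
135.182.170.218:1066           155.1.34.13:53                 udp [17]
"""

# Constructed sample: statistics on the master, healthy (all error counters zero).
STATS = """\
local:
msg: tx/rx 1/3997592 tx_err/rx_err 0/0 tx_end/rx_end 1/2
cache: size/max: 81401/1048576       insert: 1618119 update: 2172451
       delete: 33786 expired: 1124967 evicted: 0
       err: update/delete/stale 0/0/0
remote:
msg: tx/rx 1/7075953 tx_err/rx_err 0/0 tx_end/rx_end 1/0
cache: size/max: 0/1048576       insert: 3059007 update: 3718759
       delete: 99227 expired: 2977595 evicted: 0
       err: update/delete/stale 0/0/0
"""

ENDPOINT = r"(\d+\.\d+\.\d+\.\d+):(\d+)"
# Both entry formats carry 'src:port  dst:port  proto [num]', so one regex serves.
FLOW_RE = re.compile(rf"{ENDPOINT}\s+{ENDPOINT}\s+(\w+)\s+\[(\d+)\]")


def parse_flows(text):
    """Set of (src_ip, src_port, dst_ip, dst_port, proto_number) from either table."""
    flows = set()
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.add((m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), int(m.group(6))))
    return flows


def missing_on_peer(session_table, peer_cache):
    """Flows the master is tracking that the peer has not received (sorted)."""
    return sorted(parse_flows(session_table) - parse_flows(peer_cache))


def parse_stats(text):
    """{'local': {...}, 'remote': {...}} with the counters worth alerting on."""
    stats, side = {}, None
    for line in text.splitlines():
        if line.strip(": ") in ("local", "remote"):
            side = line.strip(": ")
            stats[side] = {}
            continue
        if side is None:
            continue
        c = stats[side]
        if m := re.search(r"tx_err/rx_err (\d+)/(\d+)", line):
            c["tx_err"], c["rx_err"] = int(m.group(1)), int(m.group(2))
        if m := re.search(r"size/max: (\d+)/(\d+)", line):
            c["size"], c["max"] = int(m.group(1)), int(m.group(2))
        if m := re.search(r"err: update/delete/stale (\d+)/(\d+)/(\d+)", line):
            c["update_err"], c["delete_err"], c["stale_err"] = map(int, m.groups())
    return stats


def stats_problems(text, table_size):
    """Warnings for any non-zero error counter and for a local cache larger than
    the session table-size configured with 'system session table-size'."""
    problems = []
    for side, c in parse_stats(text).items():
        for key in ("tx_err", "rx_err", "update_err", "delete_err", "stale_err"):
            if c.get(key, 0):
                problems.append(f"{side}: {key}={c[key]}")
        if side == "local" and c.get("size", 0) > table_size:
            problems.append(f"local: cache size {c['size']} exceeds configured table-size {table_size}")
    return problems


if __name__ == "__main__":
    for flow in missing_on_peer(SESSION_TABLE, PEER_CACHE):
        print("not on peer:", flow)
    for p in stats_problems(STATS, 200000):
        print("warning:", p)
```

The diff compares full 5-tuples, so a flow with a different source port or protocol is reported as missing rather than matched loosely; on a healthy pair `missing_on_peer` returns only flows created in the last moments before the peer output was captured. Note that on the master the remote cache size is expected to be small, because the backup in an active-passive pair is not creating sessions of its own.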

Perform the following steps on the R2 vRouter.

Table 2. Configuring connection synchronization on the R2 vRouter
Step Command
Assign an IP address directly to the dp0p192p1 untagged Ethernet interface.
vyatta@R2# set interfaces dataplane dp0p192p1 address 192.168.1.11/24
vyatta@R2# set interfaces dataplane dp0p192p1 description Uplink
Assign an IP address directly to the dp0p224p1 untagged Ethernet interface. R2 needs its own real address on this subnet, distinct from R1's; only the virtual address 135.182.170.30 is shared between the two routers.
vyatta@R2# set interfaces dataplane dp0p224p1 address 135.182.170.3/24
vyatta@R2# set interfaces dataplane dp0p224p1 description Downlink
Configure the firewall for the dp0p224p1 interface.
vyatta@R2# set interfaces dataplane dp0p224p1 firewall in Inbound
vyatta@R2# set interfaces dataplane dp0p224p1 firewall out Outbound
Configure the firewall for the dp0p192p1 interface.
vyatta@R2# set interfaces dataplane dp0p192p1 firewall in DNS-HTTP
Configure VRRP for the dp0p224p1 interface. The group number, virtual address, rfc-compatibility setting and sync-group must match R1; the priority must be lower than R1's 150 so that R1 wins the election and R2 remains the backup.
vyatta@R2# set interfaces dataplane dp0p224p1 vrrp vrrp-group 99 priority 100
vyatta@R2# set interfaces dataplane dp0p224p1 vrrp vrrp-group 99 rfc-compatibility
vyatta@R2# set interfaces dataplane dp0p224p1 vrrp vrrp-group 99 sync-group Inside
vyatta@R2# set interfaces dataplane dp0p224p1 vrrp vrrp-group 99 virtual-address 135.182.170.30
vyatta@R2# set interfaces dataplane dp0p224p1 vrrp vrrp-group 99 notify bgp
Assign an IP address to the dp0p256p1 interface. This is the address that R1 was configured with as its remote peer.
vyatta@R2# set interfaces dataplane dp0p256p1 address 1.1.1.2/30
vyatta@R2# set interfaces dataplane dp0p256p1 description CONNSYNC
Configure the firewall rulesets. As on R1, the names must match the interface attachments exactly, and the Outbound ruleset attached to dp0p224p1 must also be defined.
vyatta@R2# set security firewall name Inbound rule 10 action accept
vyatta@R2# set security firewall name Inbound rule 10 log
vyatta@R2# set security firewall name Inbound rule 10 protocol tcp
vyatta@R2# set security firewall name Inbound rule 10 state enable
vyatta@R2# set security firewall name DNS-HTTP rule 10 action accept
vyatta@R2# set security firewall name DNS-HTTP rule 10 log
vyatta@R2# set security firewall name DNS-HTTP rule 10 protocol udp
vyatta@R2# set security firewall name DNS-HTTP rule 10 state enable
vyatta@R2# set security firewall session-log tcp established
vyatta@R2# set security firewall session-log tcp fin-sent
vyatta@R2# set security firewall session-log udp closed
vyatta@R2# set security firewall session-log udp established
vyatta@R2# set security firewall session-log udp new
vyatta@R2# set security firewall session-log udp timeout
vyatta@R2# set security firewall session-log tcp fin-wait
Configure the connection synchronization failover.
vyatta@R2# set service connsync failover-mechanism vrrp sync-group Inside
vyatta@R2# set service connsync interface dp0p256p1
Configure the IP address of the R1 vRouter as the remote peer.
vyatta@R2# set service connsync remote-peer 1.1.1.1
Configure SSH.
vyatta@R2# set service ssh
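Most of what can go wrong in this procedure is a mismatch between the two routers that the CLI accepts without complaint: a remote-peer that does not point at the other router's synchronization interface, equal VRRP priorities, a real address duplicated on both routers, or a firewall name attached to an interface in a different case from the ruleset that defines it. The following Python script, added here as an example and not part of Vyatta or of the original page, reads the `set` commands for both routers and reports those inconsistencies. The R1 and R2 configurations embedded in it are constructed from the steps in this section, trimmed to the statements the checks look at; the Outbound ruleset definition is an assumption, since this page does not show its rules.

```python
"""Consistency checks for a connsync/VRRP pair (added example, not Vyatta code).
The R1/R2 configurations below are constructed from the steps on this page;
R2 is derived from R1 by changing only the values that must differ between
the two routers."""
import ipaddress

R1 = """
set interfaces dataplane dp0p224p1 address 135.182.170.2/24
set interfaces dataplane dp0p224p1 firewall in Inbound
set interfaces dataplane dp0p224p1 firewall out Outbound
set interfaces dataplane dp0p192p1 address 192.168.1.10/24
set interfaces dataplane dp0p192p1 firewall in DNS-HTTP
set interfaces dataplane dp0p224p1 vrrp vrrp-group 99 priority 150
set interfaces dataplane dp0p224p1 vrrp vrrp-group 99 rfc-compatibility
set interfaces dataplane dp0p224p1 vrrp vrrp-group 99 sync-group Inside
set interfaces dataplane dp0p224p1 vrrp vrrp-group 99 virtual-address 135.182.170.30
set interfaces dataplane dp0p256p1 address 1.1.1.1/30
set security firewall name Inbound rule 10 action accept
set security firewall name Outbound rule 10 action accept
set security firewall name DNS-HTTP rule 10 action accept
set service connsync failover-mechanism vrrp sync-group Inside
set service connsync interface dp0p256p1
set service connsync remote-peer 1.1.1.2
"""
# Real addresses, sync-link address, remote-peer and priority differ; everything else matches.
R2 = (R1.replace("135.182.170.2/24", "135.182.170.3/24").replace("192.168.1.10/24", "192.168.1.11/24")
        .replace("1.1.1.1/30", "1.1.1.2/30").replace("remote-peer 1.1.1.2", "remote-peer 1.1.1.1")
        .replace("priority 150", "priority 100"))


def parse(text):
    """'set a b c' lines (with or without a CLI prompt) -> list of token tuples."""
    return [tuple(l[l.index("set ") + 4:].split()) for l in text.splitlines() if "set " in l]


def values(paths, *prefix):
    """Token tuples that follow a path prefix, e.g. values(p, 'service', 'connsync', 'remote-peer')."""
    return [p[len(prefix):] for p in paths if p[:len(prefix)] == prefix]


def addresses(paths):
    """{interface: [IPv4Interface, ...]} from 'interfaces <type> <name> address <cidr>'."""
    out = {}
    for p in paths:
        if len(p) == 5 and p[0] == "interfaces" and p[3] == "address":
            out.setdefault(p[2], []).append(ipaddress.ip_interface(p[4]))
    return out


def vrrp_groups(paths):
    """{(interface, group-id): {leaf: value}}; valueless leaves such as rfc-compatibility become True."""
    out = {}
    for p in paths:
        if len(p) >= 6 and p[0] == "interfaces" and p[3:5] == ("vrrp", "vrrp-group"):
            g = out.setdefault((p[2], p[5]), {})
            if len(p) >= 7:
                g[p[6]] = p[7] if len(p) >= 8 else True
    return out


def check_pair(master_text, backup_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    m, b = parse(master_text), parse(backup_text)
    problems = []
    for name, mine, other in (("master", m, b), ("backup", b, m)):
        # Ruleset names are case-sensitive: attaching 'Inbound' does not use a ruleset named 'inbound'.
        refs = {p[5] for p in mine if len(p) == 6 and p[0] == "interfaces" and p[3] == "firewall"}
        defs = {p[3] for p in mine if len(p) > 3 and p[:3] == ("security", "firewall", "name")}
        for ref in sorted(refs - defs):
            problems.append(f"{name}: firewall {ref} is attached to an interface but not defined")
        # remote-peer must be an address on the other router's connsync interface, on our sync subnet.
        iface = values(mine, "service", "connsync", "interface")[0][0]
        peer = ipaddress.ip_address(values(mine, "service", "connsync", "remote-peer")[0][0])
        other_iface = values(other, "service", "connsync", "interface")[0][0]
        if peer not in [a.ip for a in addresses(other).get(other_iface, [])]:
            problems.append(f"{name}: remote-peer {peer} is not configured on the peer's {other_iface}")
        if not any(peer in a.network for a in addresses(mine).get(iface, [])):
            problems.append(f"{name}: remote-peer {peer} is not on the subnet of {iface}")
        # The failover sync-group must be one that a vrrp-group on this router belongs to.
        sg = values(mine, "service", "connsync", "failover-mechanism", "vrrp", "sync-group")[0][0]
        if sg not in {g.get("sync-group") for g in vrrp_groups(mine).values()}:
            problems.append(f"{name}: connsync sync-group {sg} is not used by any vrrp-group")
    mg, bg = vrrp_groups(m), vrrp_groups(b)
    for iface, gid in sorted(set(mg) | set(bg)):
        if (iface, gid) not in mg or (iface, gid) not in bg:
            problems.append(f"vrrp-group {gid} on {iface} is configured on only one router")
            continue
        g1, g2 = mg[(iface, gid)], bg[(iface, gid)]
        for leaf in ("virtual-address", "rfc-compatibility", "sync-group"):
            if g1.get(leaf) != g2.get(leaf):
                problems.append(f"vrrp-group {gid}: {leaf} differs between the routers")
        mp, bp = int(g1.get("priority", 100)), int(g2.get("priority", 100))  # 100 is the VRRP default
        if mp <= bp:
            problems.append(f"vrrp-group {gid}: master priority {mp} must exceed backup priority {bp}")
        # Each router needs its own real address on the VRRP interface; only the VIP is shared.
        dup = {a.ip for a in addresses(m).get(iface, [])} & {a.ip for a in addresses(b).get(iface, [])}
        for ip in sorted(dup):
            problems.append(f"{iface}: address {ip} is configured on both routers")
    return problems


if __name__ == "__main__":
    print(check_pair(R1, R2) or "pair is consistent")
```

Run it against the `set` output of `show configuration commands` from each router. The checks are deliberately one-directional for priority (master strictly higher than backup) because with equal priorities the VRRP election is decided by address, which would make the master role depend on an accident of addressing rather than on the configured intent.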