Verifying high availability failover
For each site you add, it is important to ensure that the High Availability (HA) failover capability is provisioned and configured correctly such that failover happens successfully when required.
At provisioning time, you should work with Forcepoint to verify that HA failover works successfully for each site. This involves the following checks and steps:
- Make sure that both primary and secondary tunnels are created and shows a status of UP on the page in Forcepoint ONE SSE.
- For GRE tunnel, the status of UP merely indicates that the tunnel has been successfully configured on the Forcepoint ONE SSE and does not signify (unlike IPsec) that the edge device (Firewall or router) has been configured correctly. This is due to the stateless nature of GRE and the fact that no negotiation take place with this tunnel type.
- A successful test execution for HA failover across both tunnel types would involve:
- Bring down the primary tunnel or virtual datacenter and ensure that failover to the secondary tunnel completes successfully such that traffic flows through the secondary tunnel.
- Bring back the primary tunnel and ensure that fail back occurs so that traffic should flow back through the primary tunnel.
The primary reasons for HA failover not operational are:
- No secondary tunnel exists.
- GRE tunnel - A tunnel exists and status is UP. However, the edge device may not be successfully configured to switchover and you have no visibility on this due to the
stateless nature of GRE.Note: Make sure that you configure tunnel failover on edge device for GRE failover to work correctly. Refer to Configurations on Juniper SRX to know in detail.