Technical data

ServerIron FWLB Overview
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 3 - 5
The pings are required because a ServerIron can use link-state information to detect when the local link (a link
directly attached to a ServerIron port) in a path goes down, but cannot detect when the remote link in the path
goes down. If the other ServerIron fails to respond to a ping on a specific port, the ServerIron that sent the ping
tries two more times, then determines that the remote link in the path must be down.
NOTE: The health checking mechanism requires that the firewalls be configured to allow ICMP traffic between
the two ServerIrons. If the firewalls block the ICMP traffic between ServerIrons, the health check will not work and
as a result your IronClad configuration will not function properly.
ServerIrons in an IronClad FWLB configuration also exchange health information. In this case, the ServerIrons
exchange packets at Layer 2 and other information related to the link states of the ports that connect the
ServerIrons.
In addition to the health checks described above, each ServerIron, whether active or in standby mode, sends IP
pings through every path to the other ServerIrons to check the health of the paths. For information about path
health checks, see the following section.
Path Health Checks
One of the required FWLB parameters is a separate path from the ServerIron through each firewall to each of the
ServerIrons on the other side of the firewall. A path to the ServerIron’s gateway router also is required.
By default, the ServerIron performs a Layer 3 health check of each firewall and router path by sending an ICMP
ping packet on each path.
If the ServerIron receives a reply within the allowed amount of time, the ServerIron concludes that the path is
good.
If the ServerIron does not receive a reply within the allowed amount of time, the ServerIron concludes that the
path is down.
By default, the ServerIron waits 400 milliseconds for a reply to an ICMP health check packet. If the reply does not
arrive, the ServerIron makes two more attempts by default. Therefore, the total amount of time the ServerIron
waits for a response is 1.2 seconds by default.
You can increase the total amount of time the ServerIron will wait for a response by increasing the number of
attempts. The default maximum number of health check attempts is 3. The valid number of attempts is a value
from 3 – 31 on ServerIron Chassis devices or 3 – 31 on other ServerIron models.
Optionally, you can configure the ServerIrons in an FWLB configuration to use Layer 4 TCP or UDP health checks
instead of Layer 3 health checks for firewall paths. When you configure a Layer 4 health check, the Layer 3 (ICMP)
health check, which is used by default, is disabled. The Layer 4 health check applies only to firewall paths. The
ServerIron always uses a Layer 3 (ICMP) health check to test the path to the router.
NOTE: You must configure the same path health check parameters on all the ServerIrons in the FWLB
configuration. Otherwise, the paths will not pass the health checks.
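The retry logic and the parameter-consistency requirement described in this section, modeled as an added Python example (not Brocade code and not ServerIron CLI). The function names, device names and inventory tuple layout are assumptions made for illustration; the 400 ms wait, the default of 3 attempts and the 3 to 31 range are the values stated above.

```python
import socket

TIMEOUT_MS = 400                      # page default: wait per health check packet
DEFAULT_ATTEMPTS = 3                  # page default: first try plus two more
MIN_ATTEMPTS, MAX_ATTEMPTS = 3, 31    # valid range given on the page


def tcp_probe(host, port):
    """Build a Layer 4 TCP probe: True if the connection completes in time."""
    def probe(timeout_ms):
        try:
            with socket.create_connection((host, port), timeout=timeout_ms / 1000):
                return True
        except OSError:               # refused, unreachable or timed out
            return False
    return probe


def check_path(probe, attempts=DEFAULT_ATTEMPTS, timeout_ms=TIMEOUT_MS):
    """Return (path_is_up, attempts_used, worst_case_wait_ms)."""
    if not MIN_ATTEMPTS <= attempts <= MAX_ATTEMPTS:
        raise ValueError(f"attempts must be {MIN_ATTEMPTS}-{MAX_ATTEMPTS}")
    worst_case_ms = attempts * timeout_ms
    for used in range(1, attempts + 1):
        if probe(timeout_ms):         # a reply inside the window: path is good
            return True, used, worst_case_ms
    return False, attempts, worst_case_ms   # every attempt timed out: path is down


def mismatched_devices(params_by_device):
    """Names of devices whose health check parameters differ from the first one.

    The page requires identical parameters on every ServerIron; a non-empty
    result is the condition under which paths fail their health checks.
    """
    names = list(params_by_device)
    reference = params_by_device[names[0]]
    return sorted(n for n in names[1:] if params_by_device[n] != reference)


if __name__ == "__main__":
    # Constructed sample: a path that drops the first two probes, then answers.
    replies = iter([False, False, True])
    print(check_path(lambda _ms: next(replies)))
    # Constructed inventory: (check type, attempts, timeout in ms) per device.
    inventory = {"SI-A": ("icmp", 3, 400), "SI-B": ("icmp", 3, 400),
                 "SI-C": ("tcp", 5, 400)}
    print(mismatched_devices(inventory))
```

Pass `tcp_probe(host, port)` as the probe to run the same loop against a real TCP service; the ICMP variant would need raw-socket privileges and is left out.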
Application Health Checks
When you add firewall configuration information to the ServerIron, you also can add information for individual
application ports. Adding the application information is optional.
You can specify the following:
• The application’s protocol (TCP or UDP) and port number
• The Layer 4 health check state (enabled or disabled) for the application
Adding an application port provides the following benefits:
• The ServerIron includes the source and destination port numbers for the application when it creates a session
entry. Thus, adding the application port provides more granular load balancing.
• The ServerIron checks the health of the TCP or UDP service used by the application, by sending a Layer 4