HP-UX IPFilter Version 15.01 Administrator's Guide
NOTE: The previous sections are examples and meant to serve as guidelines. You might need
to modify them to work with your network configuration and the applications you use. Specific
applications used within the Serviceguard cluster might require additional ports to be opened.
DCA Remote Failover
Normally, IPFilter keep state rules are configured with the flags S parameter. This parameter
instructs IPFilter to create a TCP state entry only when a SYN packet is parsed.
To enable transparent failover between IPFilter DCA nodes, do not use flags S with keep
limit rules. If incoming TCP/IP traffic is switched from the active to the standby node, DCA
can rebuild the previous IPFilter state table and IPFilter DCA limit tables from the data stream.
Without flags S in the keep limit rule, IPFilter creates a new state entry from any TCP/IP
packet, not just a SYN packet. A limit table entry is created. Any new connections that exceed
the connection limit are rejected.
After a state table entry is created for a particular source/destination IP address and
source/destination TCP port 4-tuple, further packets of this connection are processed by that
state table entry. These packets are not processed by the rules table.
For example, when Serviceguard detects that the primary IPFilter DCA gateway has failed, the
IP addresses of the primary systems are switched to the standby DCA system. The standby
system contains the same set of configured rules as the primary system. Therefore, the standby
system can completely rebuild the TCP state tables and limit entries that were previously on the
primary system.
If a client has an active connection to an IPFilter system and is attempting to make new connections
when Serviceguard fails over, the new connections replace the existing connections in the limit
table entry for the client only if the established connections are not generating traffic.
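The two rule forms described above, shown as an added example that is not taken from the guide: two alternative ipf.conf fragments, one conventional and one written for DCA remote failover. The interface lan0, server address 10.1.1.10, port 80 and limit of 100 are constructed values, and the keep limit keyword is assumed here to be the DCA rule syntax used elsewhere in this guide.

```conf
# Added example, not from the HP-UX IPFilter guide. The two "pass" rules below are
# ALTERNATIVES for the same rule slot, not a ruleset to load together (the first
# "quick" match would shadow the second). Assumed values: lan0, 10.1.1.10, port 80,
# limit 100; "keep limit" assumed to be the DCA keyword this guide uses.

# --- Form 1: conventional keep state rule (no transparent failover) ---
# "flags S" creates a state entry only from a SYN. After a Serviceguard failover
# the standby node never saw the SYN of established sessions, so their packets
# match no state entry, fall through to the rules table and hit the block below.
pass in quick on lan0 proto tcp from any to 10.1.1.10 port = 80 flags S keep state keep limit 100

# --- Form 2: rule written for DCA remote failover (per the section above) ---
# Without "flags S" any TCP packet of a flow can seed a state entry and its limit
# table entry, so the standby node rebuilds both tables from the live data stream
# once the primary's IP address has been moved to it.
pass in quick on lan0 proto tcp from any to 10.1.1.10 port = 80 keep state keep limit 100

# Everything not matched by a pass rule or an existing state entry is dropped.
block in all
```

The trade-off of Form 2 is that any stray TCP segment matching the rule can create a state entry and consume a limit slot, so keep the rule's interface, destination and port scope as narrow as the application allows.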
Using HP-UX IPFilter with Serviceguard 119