Handbook

6.0.0

NAT mode A-P packet flow

This section describes how packets are processed and how failover occurs in an active-passive HA cluster running in NAT mode. In the example, the NAT mode cluster acts as the internet firewall for a client computer’s internal network. The client computer’s default route points at the IP address of the cluster internal interface. The client connects to a web server on the internet. Internet routing carries packets from the cluster external interface to the web server, and from the web server back to the cluster external interface.

In an active-passive cluster operating in NAT mode, four MAC addresses are involved in communication between the client and the web server when the primary unit processes the connection:

  • Internal virtual MAC address (MAC_V_int) assigned to the primary unit internal interface
  • External virtual MAC address (MAC_V_ext) assigned to the primary unit external interface
  • Client MAC address (MAC_Client)
  • Server MAC address (MAC_Server)

In NAT mode, the HA cluster works as a gateway when it responds to ARP requests. Therefore, the client and server only know the gateway MAC addresses. The client only knows the cluster internal virtual MAC address (MAC_V_int) and the server only knows the cluster external virtual MAC address (MAC_V_ext).

NAT mode active-passive packet flow

Packet flow from client to web server

  1. The client computer requests a connection from 10.11.101.10 to 172.20.120.130.
  2. The default route on the client computer recognizes 10.11.101.100 (the cluster IP address) as the gateway to the external network where the web server is located.
  3. The client computer issues an ARP request to 10.11.101.100.
  4. The primary unit intercepts the ARP request, and responds with the internal virtual MAC address (MAC_V_int) which corresponds to its IP address of 10.11.101.100.
  5. The client’s request packet reaches the primary unit internal interface.

                 IP address       MAC address
     Source      10.11.101.10     MAC_Client
     Destination 172.20.120.130   MAC_V_int
  6. The primary unit processes the packet.
  7. The primary unit forwards the packet from its external interface to the web server.

                 IP address       MAC address
     Source      172.20.120.141   MAC_V_ext
     Destination 172.20.120.130   MAC_Server
  8. The primary unit continues to process packets in this way unless a failover occurs.

Packet flow from web server to client

  1. When the web server responds to the client’s packet, the cluster external interface IP address (172.20.120.141) is recognized as the gateway to the internal network.
  2. The web server issues an ARP request to 172.20.120.141.
  3. The primary unit intercepts the ARP request, and responds with the external virtual MAC address (MAC_V_ext) which corresponds to its IP address of 172.20.120.141.
  4. The web server then sends response packets to the primary unit external interface.

                 IP address       MAC address
     Source      172.20.120.130   MAC_Server
     Destination 172.20.120.141   MAC_V_ext
  5. The primary unit processes the packet.
  6. The primary unit forwards the packet from its internal interface to the client.

                 IP address       MAC address
     Source      172.20.120.130   MAC_V_int
     Destination 10.11.101.10     MAC_Client
  7. The primary unit continues to process packets in this way unless a failover occurs.

When a failover occurs

The following steps are followed after a device or link failure of the primary unit causes a failover.

  1. If the primary unit fails, the subordinate unit becomes the primary unit.
  2. The new primary unit changes the MAC addresses of all of its interfaces to the HA virtual MAC addresses.

    The new primary unit has the same IP addresses and MAC addresses as the failed primary unit.

  3. The new primary unit sends gratuitous ARP packets from the internal interface to the 10.11.101.0 network to associate its internal IP address with the internal virtual MAC address.
  4. The new primary unit sends gratuitous ARP packets from the external interface to the 172.20.120.0 network to associate its external IP address with the external virtual MAC address.
  5. Traffic sent to the cluster is now received and processed by the new primary unit.

    If there were more than two cluster units in the original cluster, these remaining units would become subordinate units.
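The two packet flows and the failover steps above, as an added Python model that is not part of the Fortinet handbook. It uses the page's IP addresses and MAC labels; the unit names and physical MACs are constructed, and the source and destination NAT the primary unit performs is an assumption drawn from the address tables.

```python
from collections import namedtuple

# Addresses from the page's example topology; the physical MACs are constructed.
CLIENT_IP, CLIENT_MAC = "10.11.101.10", "MAC_Client"
SERVER_IP, SERVER_MAC = "172.20.120.130", "MAC_Server"
GW_INT_IP, GW_EXT_IP = "10.11.101.100", "172.20.120.141"
MAC_V_INT, MAC_V_EXT = "MAC_V_int", "MAC_V_ext"
Frame = namedtuple("Frame", "src_ip dst_ip src_mac dst_mac")


class Unit:
    def __init__(self, name, int_mac, ext_mac):
        self.name, self.alive, self.primary = name, True, False
        self.int_mac, self.ext_mac = int_mac, ext_mac  # physical MACs (constructed)

    def become_primary(self, lan_caches, wan_caches):
        self.primary = True
        self.int_mac, self.ext_mac = MAC_V_INT, MAC_V_EXT  # failover step 2
        for cache in lan_caches:  # step 3: gratuitous ARP on the 10.11.101.0 network
            cache[GW_INT_IP] = MAC_V_INT
        for cache in wan_caches:  # step 4: gratuitous ARP on the 172.20.120.0 network
            cache[GW_EXT_IP] = MAC_V_EXT

    def to_server(self, f):  # client -> server: source NAT to the external IP
        return Frame(GW_EXT_IP, f.dst_ip, self.ext_mac, SERVER_MAC)

    def to_client(self, f):  # server -> client: destination NAT back to the client
        return Frame(f.src_ip, CLIENT_IP, self.int_mac, CLIENT_MAC)


class Cluster:
    def __init__(self, units):
        self.units, self.client_arp, self.server_arp = units, {}, {}
        units[0].become_primary([], [])  # initial primary; peers learn MACs via normal ARP

    def primary(self):
        return next(u for u in self.units if u.alive and u.primary)

    def failover(self):
        old = self.primary()
        old.alive = old.primary = False  # step 1: primary fails, subordinate takes over
        new = next(u for u in self.units if u.alive)
        new.become_primary([self.client_arp], [self.server_arp])
        return new

    def round_trip(self):  # client request and server reply on the two interfaces
        self.client_arp.setdefault(GW_INT_IP, self.primary().int_mac)  # client ARPs once
        req = Frame(CLIENT_IP, SERVER_IP, CLIENT_MAC, self.client_arp[GW_INT_IP])
        out = self.primary().to_server(req)
        self.server_arp.setdefault(GW_EXT_IP, self.primary().ext_mac)  # server ARPs once
        rep = Frame(SERVER_IP, GW_EXT_IP, SERVER_MAC, self.server_arp[GW_EXT_IP])
        return req, out, rep, self.primary().to_client(rep)
```

Running a round trip before and after `failover()` yields identical frames, which is the point of the virtual MACs: neither the client nor the server has to relearn its gateway.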
