Connection mirroring feature enables the Avi Load Balancer to maintain or synchronize TCP/ UDP connections and flow table information across all Service Engines in a high availability deployment. By default, when a failover event occurs, all the existing connections are closed by the earlier primary node, and the new primary node or the leader SE after the failover has to establish new connections to the client, and to the back-end servers.
When the connection mirroring feature is enabled, the new primary node has information of all the existing established connections. The SE, which becomes the leader after a failover event, continues to serve the existing connections without any disruption in the services. This feature provides seamless high availability failover.
The Avi Load Balancer supports connection mirroring only for the TCP profile type, TCP Fast Path. The TCP Fast Path profile does not proxy TCP connections. It directly connects clients to the destination server and translates the client’s destination virtual service address with the chosen destination server’s IP address.
Client IP persistence is not supported with this feature.
For more information on the supported TCP/UDP profiles on Avi Load Balancer, see TCP-UDP Profile.
Use Case
By default, in case of a scale-out event in an active/ active HA deployment or in a legacy HA failover, all the active connections does not get transferred to the new primary node. This causes disruption in the application for users as the new leader or the new primary node establishes new TCP connections with the client, and the back-end server.
This feature minimizes service disruption to mission-critical applications when the back-end servers are hosting numerous connections for multiple users.
Deployment Modes
The following deployment mode is supported for connection mirroring on Avi Load Balancer.
Legacy active/ standby HA mode deployed with the default gateway and the Preserve Client IP feature. When the Preserve Client IP feature is enabled, TCP connections on the server-side is between the client IP address and the back-end server IP address. Connection mirroring is possible in this deployment mode as the TCP connections are independent of the SE’s interface IP address even though the connections terminate on either of the SEs.
Legacy active/ standby HA mode with SNAT IP enabled on the back-end server.
When SNAT IP is enabled, the TCP connections on the server-side is between the SNAT IP address and the back-end server IP address. Connection mirroring is possible in this deployment mode as the TCP connections are independent of the SE’s interface IP address even though the connections terminate on either of the SEs.
The following deployment modes are not supported for this feature:
Standard Legacy active/ standby mode with interface IP address. In this mode, server-side TCP connection is established between the primary node SE’S interface IP and the server IP. When the primary node fails, the peer SE has to establish new TCP connection as the new primary node has different interface IP.
Elastic HA with active/ active mode or N+M mode.
Active/ active mode with source NAT IP address enabled for the virtual service.
In this mode, TCP connections are not synchronized as the server-side TCP connections are established between the individual SE’s SNAT IP address and the back-end server IP address.
Connection mirroring is not supported for the TCP profile type set to TCP Proxy mode. Enabling TCP Proxy causes the Avi Load Balancer to terminate an inbound connection from a client. Any application data from the client that is destined for a server is forwarded to that server over a new TCP connection.
In the TCP Proxy mode, all the connections are terminated at the SE, so synchronization of connections to the peer SEs is extremely complex and prone to errors.
Enabling Connection Mirroring through CLI
The connection mirroring feature is enabled by setting the value for the connection_mirror flag to true
in the System-TCP-Fast-Path profile using the CLI. By default, the value for the connection_mirror flag is set to False
in the TCP Fast Path profile as shown below in the output of the show networkprofile System-TCP-Fast-Path command.
[admin-10.1.1.1]: > show networkprofile System-TCP-Fast-Path +---------------------------+------------------------------------------------------+ | Field | Value | +---------------------------+------------------------------------------------------+ | uuid | networkprofile-8fb03f55-5b46-41be-9b89-0f125c9662fb | | name | System-TCP-Fast-Path | | profile | | | type | PROTOCOL_TYPE_TCP_FAST_PATH | | tcp_fast_path_profile | | | session_idle_timeout | 300 sec | | enable_syn_protection | False | | connection_mirror | False | | tenant_ref | admin | +---------------------------+------------------------------------------------------+
To enable the feature, enable the connection_mirror flag in the tcp_fast_path_profile using the networkprofile command.
Login to the Avi Load Balancer CLI and run the following commands:
[admin:10.1.1.1]: > configure networkprofile System-TCP-Fast-Path Updating an existing object. Currently, the object is: +---------------------------+-----------------------------------------------------+ | Field | Value | +---------------------------+-----------------------------------------------------+ | uuid | networkprofile-2c4f833d-5f2f-49f8-a9fe-e1aac04a0bf4 | | name | System-TCP-Fast-Path | | profile | | | type | PROTOCOL_TYPE_TCP_FAST_PATH | | tcp_fast_path_profile | | | session_idle_timeout | 300 sec | | enable_syn_protection | False | | connection_mirror | False | | tenant_ref | admin | +---------------------------+-----------------------------------------------------+ [admin:10.1.1.1]: networkprofile> connection_mirror <CR> connection_mirror the object description Help string not found for argument name The name of the network profile. tenant_ref Help string not found for argument [admin:10.1.1.1]: networkprofile> connection_mirror Overwriting the previously entered value for connection_mirror [admin:10.1.1.1]: networkprofile> save +---------------------------+-----------------------------------------------------+ | Field | Value | +---------------------------+-----------------------------------------------------+ | uuid | networkprofile-2c4f833d-5f2f-49f8-a9fe-e1aac04a0bf4 | | name | System-TCP-Fast-Path | | profile | | | type | PROTOCOL_TYPE_TCP_FAST_PATH | | tcp_fast_path_profile | | | session_idle_timeout | 300 sec | | enable_syn_protection | False | | connection_mirror | True | | tenant_ref | admin | +---------------------------+-----------------------------------------------------+
You can verify if connection mirroring is working, using the following command which indicates that connections are mirrored across to the standby Service Engine:
[admin:10-140-4-46]: > show virtualservice vs_conn_mirror tcpstat |grep mir | mirror_conn_list_on_active | 49999 | | mirrored_connections_on_standby | 49999 |
For more information on Layer 4 connection mirroring, see: