CSE Client - How Does It Handle an HA-Failover?

If I have an HA firewall pair, how well does the CSE Client handle the failover? What experience would the site-to-site VPN users notice? How long of a delay before reconnecting?

I can't seem to find this documented anywhere; please send a link if it is documented but I'm not seeing it.

Thanks in advance!

Category: Cloud Secure Edge

Answers

  • dboros Newbie ✭
    edited April 12

    I'm more familiar with the CSE side of things so I'll provide my 2c on how CSE works; what I can say is the CSE client itself doesn't really have any knowledge of the firewall state here. It just routes packets according to whatever routing and policy is present on the CSE side.

    The CSE client connects to an access tier which is either deployed in the global edge (managed by SW) or private edge. After that is where the HA firewall pair would integrate into the CSE data plane in the form of the firewall connector. So traffic would continue to flow inbound because the access tier remains up.

    I'll take a stab at this from a theoretical perspective on where the failover should occur, although I'd be interested in knowing whether anyone has set this up. I've personally tested active-passive failovers using Linux and Windows connectors, so as long as the standby starts and the active stops its connector cleanly, it should work. :-)

    Basically, if the primary and standby are both configured with the firewall connector, I would assume that the swapping out of the two connectors in the data plane would be fairly seamless… the swap would occur as soon as the WireGuard handshake / persistent keepalive takeover happens from the standby's firewall connector, switching out the route from the primary to the standby connector. You may get some retransmissions and timeouts during the delay between the active-passive takeover; however, there's nothing that would cause the CSE client to disconnect. It would continue to chug along since the access tier in the middle never went down.
