Requirement:When branch office controllers are deployed, it is very important to have seamless communication with the Master controller hence we prefer to maintain multiple uplink. there should be a mechanism to track and switch over the uplink. Health check monitoring is required to track the health of the primary uplink, so that it can switch to the standby link incase of primary link failure.
Solution:HCM (Health Check Manager) will monitor the reachability to master controller from multiple WAN uplinks of your branch office controller.
HCM ensures seamless connectivity to HQ by sending periodic ping probes on each WAN uplink.
Prior to AOS 6.4.3, we used to monitor the physical link status of the uplink, but in case of an issue in the ISP network or Internet, this will never impact the physical link status. we can handle this situation by HCM (Similar to interface tracking in VRRP).
Configuration:How to configure ( Configuring Branch Config Group) :
Step 1 : Creating “Branch Config Group” : Configuration > Branch > Smart Config
Step 2 : Select New under “Branch Config Group List”
Step 3 : Enter the name, Controller Model number (Only 70XX supported) and select Ip address assignment mode
Enabling HCM (Health Check Monitoring ) for the Branch Config Group:
Step 1 : Select WAN tab
Step 2 : Under “WAN health Check “ select “Health Check “ yes
Step 3 : Select Probe mode as “Ping”
Step 4 : Enter the Probe Interval (Default is 10 sec )
Step 5 : Enter number of packets per probe (Default is 5)
Step 6 : Enter the value for probe retries ( Default is 5 )
Configuring Wired Uplinks :
Step 1 : Select “Networking “ tab
Step 2 : Under “Uplink VLANs “ Enter VLAN id , Priority , Operstate and IP Address assignment mode
Note 1 : Operstate should be UP for all the VLANs you want to assign to UP links.
Note 2 : VLAN 4094 is the default VLAN hence you cannot delete.
VerificationHow HCM will work:
- Uplink manager scans for available uplink interfaces and informs HCM
- HCM sends continuous ping probes to master controller over each uplink and publishes result to uplink manager and FPAPPS
- In the event of a failure update from HCM on primary uplink , uplink manager will select next high priority healthy uplink as active uplink and informs IKE
- IKE will re-establish new IPSec tunnel over new active uplink vlan and tear down old tunnel
- FPAPPS will delete previous default route and add new one pointing to default gateway address of new active uplink
- Same mechanism followed incase primary uplink recovers
As per the above configuration, when there a failure on your primary uplink. HCM will send 5 ICMP requests, every 10 seconds, and repeat it for 5 times. If no ICMP replies are received in this interval then the primary uplink will be declared a failure.
How to verify HCM :
Here in this setup, there are two uplink VLANs, 150 and 4094 are provisioned with priority 250 and 200 respectively. as the priority of VLAN 150 is more hence that uplink active and other is standby.
Verifying HCM configuration and status :
So, let’s say there’s a failure on your primary uplink VLAN150. HCM will send 5 ICMP requests, every 10 seconds, and repeat it for 5 times. If no ICMP replies are received in this interval then the primary uplink will be declared a failure and standby link will be active as shown in the snapshot.
Here when uplink VLAN 150 is down then immediately standby uplink VLAN 4094 is Active.
