Established UDP connections fail after routing failover

Applicable products



SNS appliances

Description


In a configuration using a failover router object as the default route or in a PBR rule, the UDP connection state remains in the connection table after an effective failover. As a result, UDP flows still use the previous connection parameters, including NAT, and the connection fails.

For the failover to be effective, these UDP connections must be flushed when the failover action occurs, using an sfctl command.

The most common case concerns SIP connections. However, it is not necessary to apply the following solution to ephemeral connections, such as DNS flows.

Solution


This workaround has been tested on SNS versions 4.3 and 4.8.

There are different solutions depending on how the router object is used.

  • When used as Default gateway, the active gateway is added directly to the system routing table. This is not handled by ASQ, and there is no special tag attached to the connection.
  • When used in a PBR rule, the routing is handled by ASQ; the gateway is identified by a "router id" and the connection holds this information.

Router object is used in Default gateway without load balancing:

The sfctl command must be added to the following file: /usr/Firewall/ConfigFiles/route-script.

echo "sfctl -F state -H proto=udp" >> /usr/Firewall/ConfigFiles/route-script
In this case, the router object contains only one main and one secondary gateway.
You MUST select "none" in the load balancing option.

Router object is used in a Policy Based Routing rule or in Default gateway with load balancing:

The following commands will:

  • Edit the file /usr/Firewall/ConfigFiles/routing so that connections are flushed on the OnUp and OnDown events
  • then refresh routerd:
setconf /usr/Firewall/ConfigFiles/routing Router OnUp "sfctl -F state -H rtstate=down &"
setconf /usr/Firewall/ConfigFiles/routing Router OnDown "sfctl -F state -H rtstate=down &"
enrouterd
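The echo command above appends the flush line every time it is run, so applying the procedure twice stacks duplicate sfctl calls in route-script. The following added example (not part of this article, nor Stormshield's own code) applies the route-script change idempotently and checks that both routerd hooks carry the flush; it assumes route-script is a plain shell script and that the routing file is INI-style with a [Router] section holding OnUp= and OnDown= keys.

```shell
#!/bin/sh
# Added example: idempotent route-script change plus a hook check.
# Assumption: "routing" is INI-style ([Router] section, OnUp=/OnDown= keys).

FLUSH_UDP='sfctl -F state -H proto=udp'

# Append the UDP flush to route-script only if it is not already present,
# so re-running the procedure never stacks duplicate flush commands.
ensure_udp_flush() {
    script="$1"
    [ -f "$script" ] || : > "$script"
    if grep -qxF "$FLUSH_UDP" "$script"; then
        return 0            # already there, nothing to do
    fi
    printf '%s\n' "$FLUSH_UDP" >> "$script"
}

# Number of exact flush lines in the script (1 is the expected value).
count_udp_flush() {
    grep -cxF "$FLUSH_UDP" "$1"
}

# Return 0 when both OnUp and OnDown in [Router] run the rtstate flush.
check_router_hooks() {
    routing="$1"
    for key in OnUp OnDown; do
        # Read the key's value from the [Router] section only.
        val=$(awk -v k="$key" '
            /^\[/ { in_router = ($0 == "[Router]") }
            in_router && index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }
        ' "$routing")
        case "$val" in
            *"sfctl -F state -H rtstate=down"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}
```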