Let's start by defining session persistency in the context of load balancing firewalls. Session persistency is the ability of the broadband bonding load balancer to keep an ongoing session alive even during WAN network problems. Normally, a persistent session needs to stay on the same WAN link to work properly. With load balancers, this is normally not possible if the WAN link carrying the session disconnects. Modern load balancers, however, take a different approach to keeping ongoing sessions alive.
The WAN network problems can be anything from a spike in packet loss rates to a full disconnect. In essence, a load balancing firewall has the ability to steer packets around network problems and simultaneously keep the flow state, so that the application is shielded from those problems. For example, assume a dual-WAN load balancing firewall with broadband bonding capabilities. If one of the two WAN links fully disconnects, an ongoing VPN session between the branch office and the head office will only experience reduced throughput, as opposed to the VPN session being lost completely. The latter is the only outcome short of broadband bonding. In most VPN setups, if the load balancing firewall is not equipped to handle broadband bonding, the WAN problems of a single WAN link will bring down the sessions that are on it. In our specific VPN example, that may translate into longer periods of VPN outage, since a disconnected VPN may take time to reconnect automatically, a common pain point that broadband bonding routers address directly.
If the load balancing firewall lacks broadband bonding, session persistency is limited to forcing certain groups of sessions onto specific WAN links. As an example, suppose you have a set of sessions that are used for accessing your banking site. These sessions have to be kept on the same IP address (which naturally happens with Broadband Bonding). A load balancing algorithm that cannot detect session persistency requirements will randomly spread the sessions related to the banking site across the various ISP links, so the user appears to be accessing the site from more than one IP address, and this causes the application, i.e. the banking website, to fail. There are really two types of solutions to this problem. The preferred method is the one we described earlier, whereby you still present one IP address to the banking server by utilizing Broadband Bonding. However, if you have to stick with load balancing without broadband bonding, then at least your load balancing firewall should be able to handle session persistency, managing the sessions so that related ones stay on the same ISP and therefore on the same IP address.
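The banking-site case above, as an added sketch (not Mushroom Networks' code): per-connection round robin exposes two source addresses to the server, while pinning on (client IP, server IP) exposes one, including after the pinned link fails. The link names, addresses, flows and the choice of affinity key are constructed assumptions.

```python
import hashlib
from itertools import cycle

# Constructed sample data: two WAN links and their public (NAT) addresses.
WAN_LINKS = {"isp_a": "198.51.100.10", "isp_b": "203.0.113.20"}

# Constructed flows to one banking server: (client_ip, client_port, server_ip, server_port).
BANK = "192.0.2.80"
FLOWS = [("10.0.0.5", 50000 + i, BANK, 443) for i in range(6)]


def per_flow_round_robin(flows, links=WAN_LINKS):
    """No persistence: each new connection goes to the next link in turn."""
    rr = cycle(sorted(links))
    return {flow: next(rr) for flow in flows}


class PersistentBalancer:
    """Pins every flow sharing (client_ip, server_ip) to one WAN link."""

    def __init__(self, links=WAN_LINKS):
        self.up = set(links)
        self.affinity = {}  # (client_ip, server_ip) -> link name

    def _pick(self, key):
        # Deterministic hash over the links that are currently up.
        candidates = sorted(self.up)
        if not candidates:
            raise RuntimeError("no WAN link available")
        digest = hashlib.sha256("|".join(key).encode()).digest()
        return candidates[int.from_bytes(digest[:4], "big") % len(candidates)]

    def assign(self, flow):
        key = (flow[0], flow[2])
        link = self.affinity.get(key)
        if link not in self.up:  # first sight, or the pinned link has failed
            link = self.affinity[key] = self._pick(key)
        return link

    def link_down(self, name):
        # Without bonding, flows on this link drop; the group is re-pinned together.
        self.up.discard(name)


def source_ips_seen(assignment, links=WAN_LINKS):
    """Public source addresses the remote server observes for these flows."""
    return {links[link] for link in assignment.values()}
```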
Cahit Akin, CEO, Mushroom Networks, Inc.
Mushroom Networks is the provider of SD-WAN (Software Defined WAN) and NFV solutions capable of Broadband Bonding that enables self-healing WAN networks that route around network problems such as latency, jitter and packet loss.