Evaluation of TCP State Replication Methods for High-Availability Firewall Clusters

To provide the reliable connectivity between two endpoints over the Internet, a firewall cluster for stateful high availability removes the single-point failure by replicating and maintaining TCP connection states to a backup firewall node, at the expense of the costs of network and system resources. In this paper, through trace-based simulations on a prototype implementation, the authors evaluate the overheads of different state replication methods with a tunable time-triggering parameter. Their evaluation results show that the overheads of precise replication are very high, especially for short flows.