Disadvantages of Traditional VRRP on Eudemon Backup

mhkabir1952
7 years 10 months ago

Because the Eudemon is a stateful firewall, a session entry is created on the Eudemon for each dynamically generated session in the security zone. Only the subsequent packets and return packets that match the session entry can pass through the Eudemon. Therefore, the inbound path and the outbound path of the same session must be consistent. Otherwise, follow-up packets cannot match the session entries of the firewall, causing packets to be dropped.

The data path in master/backup mode on the Eudemon is shown in Figure 1.

Figure 1:  Data path in master/backup mode

In Figure 1, suppose the VRRP states of Eudemon A and Eudemon B are the same, that is, all the interfaces of Eudemon A are in the active state, and all the interfaces of Eudemon B are in the standby state.

When a host in the trust zone accesses a PC in the untrust zone, a packet is sent from the trust zone to the untrust zone along the path (1)-(2)-(3)-(4). When the packet passes Eudemon A, a dynamic session entry is generated. When the packet returned by PC2 reaches Eudemon A along the path (5)-(6), it matches the session entry, and therefore it can reach PC1 along the path (7)-(8).

Suppose the VRRP states of Eudemon A and Eudemon B are not the same; for example, on Eudemon B the interface connected with the trust zone is in the standby state, while the interface connected with the untrust zone is in the active state. After the packets from the PCs in the trust zone pass Eudemon A and reach the PCs in the untrust zone, a session entry is dynamically generated on Eudemon A. The return packets are sent along the path (5)-(9). At this time, no session entry related to the data flow is available on Eudemon B. If no other packet-filtering rule permits the packet to pass, Eudemon B drops the packet. In this case, the session is interrupted.

In a word, if the VRRP state is consistent, the interfaces connected with each zone on the same firewall are in an identical state, that is, all are in the master state or all are in the backup state at the same time.

The Eudemon connects with many security zones, and each interface connected with a zone forms a backup group with the corresponding interface of the other firewall. Based on the traditional VRRP mechanism, the VRRP state of each backup group is determined independently. Therefore, the VRRP states of the interfaces on the same firewall cannot be kept consistent. That is, traditional VRRP cannot achieve VRRP state consistency on the Eudemon.

Even if the VRRP states are consistent, when a state switchover happens, the session table generated on the master has not been backed up to the backup. Therefore, services are still interrupted.

To overcome these disadvantages, Huawei developed VGMP and HRP.
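The following Python model is an added example and is not code from the post or from Huawei. It reproduces the three situations the post describes with a pair of toy stateful firewalls: consistent VRRP states (the return packet hits the firewall that holds the session entry), inconsistent per-interface VRRP states (the return packet hits the other firewall, which has no entry and drops it unless a rule permits untrust-initiated traffic), and a switchover with and without the session table having been copied to the backup, which is the gap HRP addresses. Host addresses, port numbers and the `Firewall`, `Pair` and `Packet` names are assumptions made for the example.

```python
"""Toy model of the asymmetric-path problem on a stateful firewall pair.

Added example, not code from the post or from Huawei. Two firewalls each
have a trust-side and an untrust-side interface; each side is its own
VRRP backup group whose master is set independently (traditional VRRP).
A packet enters the pair on the firewall that is master for the zone it
comes from, and passes only if a session entry matches it, or if it is
the first packet of a flow that policy permits (which creates the entry).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    from_zone: str  # "trust" or "untrust": zone the packet enters from

    def session_key(self):
        # Direction-independent key, so the return packet matches the
        # entry created by the forward packet of the same session.
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})


@dataclass
class Firewall:
    name: str
    vrrp: dict = field(default_factory=dict)  # zone -> "master" / "backup"
    sessions: set = field(default_factory=set)

    def forward(self, pkt, permit_untrust_initiated=False):
        """Return True if the packet passes, False if it is dropped."""
        key = pkt.session_key()
        if key in self.sessions:
            return True  # follow-up or return packet matches a session entry
        if pkt.from_zone == "trust" or permit_untrust_initiated:
            self.sessions.add(key)  # first packet of a permitted flow
            return True
        return False  # no session entry and no permitting rule: dropped


class Pair:
    """Two firewalls; each zone's backup group elects its own master."""

    def __init__(self, a, b):
        self.fws = (a, b)

    def ingress(self, zone):
        masters = [fw for fw in self.fws if fw.vrrp[zone] == "master"]
        assert len(masters) == 1, "exactly one master per backup group"
        return masters[0]

    def send(self, pkt):
        return self.ingress(pkt.from_zone).forward(pkt)


# Constructed sample flow (assumed addresses): PC1 in trust -> PC2 in untrust
OUT = Packet("10.1.1.1", "203.0.113.10", 40000, 80, "trust")
BACK = Packet("203.0.113.10", "10.1.1.1", 80, 40000, "untrust")


def consistent_states():
    a = Firewall("A", {"trust": "master", "untrust": "master"})
    b = Firewall("B", {"trust": "backup", "untrust": "backup"})
    pair = Pair(a, b)
    return pair.send(OUT), pair.send(BACK)  # entry on A, return hits A


def inconsistent_states():
    a = Firewall("A", {"trust": "master", "untrust": "backup"})
    b = Firewall("B", {"trust": "backup", "untrust": "master"})
    pair = Pair(a, b)
    return pair.send(OUT), pair.send(BACK)  # return hits B: no entry, dropped


def switchover(sync_sessions):
    """Consistent states, but A fails after the outbound packet.

    With sync_sessions=True the session table is copied to B before the
    switchover (the role HRP plays); with False, B has no entry."""
    a = Firewall("A", {"trust": "master", "untrust": "master"})
    b = Firewall("B", {"trust": "backup", "untrust": "backup"})
    pair = Pair(a, b)
    out_ok = pair.send(OUT)
    if sync_sessions:
        b.sessions |= a.sessions
    a.vrrp = {"trust": "backup", "untrust": "backup"}
    b.vrrp = {"trust": "master", "untrust": "master"}
    return out_ok, pair.send(BACK)


if __name__ == "__main__":
    print("consistent VRRP states      :", consistent_states())
    print("inconsistent VRRP states    :", inconsistent_states())
    print("switchover, no session sync :", switchover(False))
    print("switchover, sessions synced :", switchover(True))
```

Each function returns a pair of booleans for the outbound and the return packet. The inconsistent case and the unsynchronised switchover both drop the return packet, which is exactly the session interruption the post describes; copying the session table before the switchover is what turns the last case into a pass.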

Armetta
7 years 10 months ago
This document is very well done

foisal
7 years 10 months ago
Excellent post

user_2837311
4 years 6 days ago
Useful document, thanks