1.3.4 Fast Failover

This extension reduces the time required for a client to restore an IPsec security association (SA) to the virtual IP address for a cluster of hosts after a failure on one of the hosts that is sharing the virtual IP address.

The client uses a "Vid-Initial-Contact" vendor ID payload (see section 1.7, Capability Negotiation) to signal to the cluster that it does not have any main mode security association (MM SA) or quick mode security association (QM SA) established with the cluster so that the IKE session can be reallocated to a different node within the cluster. The server uses an "NLBS_PRESENT" vendor ID payload (see section 1.7, Capability Negotiation) to indicate to the client that the client is to use a shorter quick mode idle timer. In this way, a new QM SA is renegotiated faster if a failover occurs.

For more information about clusters based on virtual IP addresses, see [MSFT-WLBS]. For specifications, see sections 3.5 and 3.6.
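The sketch below is an added example, not code from the specification. It shows how an endpoint could pull the two vendor ID signals described above out of an unencrypted IKE message, using the ISAKMP header and generic payload layout from RFC 2408. The 16-byte vendor ID values are constructed placeholders (the real values are defined in section 1.7), and the function names and the `build_message` helper are hypothetical.

```python
import struct

ISAKMP_HDR_LEN = 28     # fixed ISAKMP header size (RFC 2408)
PAYLOAD_VENDOR_ID = 13  # Vendor ID payload type (RFC 2408)

# Placeholders (constructed): the real vendor ID bytes are defined in
# section 1.7 of the specification and are not reproduced here.
VID_INITIAL_CONTACT = bytes.fromhex("11" * 16)
VID_NLBS_PRESENT = bytes.fromhex("22" * 16)

def vendor_ids(packet):
    """Walk the payload chain of an unencrypted ISAKMP message; return VID bodies."""
    if len(packet) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    next_payload = packet[16]                       # type of the first payload
    (total_len,) = struct.unpack_from("!I", packet, 24)
    if total_len != len(packet):
        raise ValueError("length field does not match datagram size")
    found, offset = [], ISAKMP_HDR_LEN
    while next_payload != 0:
        if offset + 4 > total_len:
            raise ValueError("payload header runs past end of message")
        following, _reserved, plen = struct.unpack_from("!BBH", packet, offset)
        if plen < 4 or offset + plen > total_len:   # untrusted length field
            raise ValueError("invalid payload length")
        if next_payload == PAYLOAD_VENDOR_ID:
            found.append(packet[offset + 4:offset + plen])
        next_payload, offset = following, offset + plen
    return found

def fast_failover_signals(packet):
    """Map the vendor IDs in one message to the two signals in this section."""
    vids = vendor_ids(packet)
    return {
        "client_has_no_sas": VID_INITIAL_CONTACT in vids,       # sent by client
        "use_short_qm_idle_timer": VID_NLBS_PRESENT in vids,    # sent by server
    }

def build_message(payloads):
    """Build a constructed sample message from a list of (type, body) pairs."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    header = bytes(16) + struct.pack("!BBBBII", first, 0x10, 2, 0, 0,
                                     ISAKMP_HDR_LEN + len(body))
    return header + body
```

The parser rejects any payload whose length field is smaller than its own header or overruns the datagram, since these bytes arrive before the peer is authenticated.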