Synchronizing AMF Security
By preparing two AT-VST-APLs and synchronizing the AMF Security authentication data (authentication database), you can add redundancy to the network control.
In a synchronized environment, one AMF Security system is called primary and the other is called secondary where the database on the primary is copied to the secondary.
Configure the settings on both the primary and the secondary AMF Security. In the Database Synchronization Node Settings dialog, specify the IP Address of each AMF Security and select whether it is the primary or the secondary.
The following data is synchronized.
- Device
- UnAuth Group
- Tag
- Switches
- Security Policies
- Network
- Location
- Schedule
- Action
- Network
- Account Group
Note
The Device > Active Device List page and Switches > Active OpenFlow Switch List page show the live information retrieved from OpenFlow Switches managed by AMF Security. Therefore, the information displayed on those pages may differ between the primary's and secondary's web interfaces.
Note
AMF Application Proxy Whitelist does not support redundant AMF Security configuration.
Note
When an OpenFlow packet control flow (flow entry) is updated, such as when an authenticated node moves to another port, multiple logs indicating that the flow entry has been deleted may be recorded. However, this does not affect the authentication behavior.
Note
Database synchronization settings are not included in the file exported (downloaded) on the System Settings > System Information page. Therefore, after importing the system settings file, set up database synchronization again.
Note
Both systems must synchronize their clocks with the same NTP Server. The NTP Server is set on the AT-VST-APL setting page. For more information, refer to the AT-VST-APL document posted on our website.
Also, the timezone of both systems must have the same settings.
Note
If the system time is changed by a certain amount after synchronization has started, there may be a case where the authentication data cannot be changed any further.
If this happens, disable synchronization on both systems, adjust the system clocks correctly, then enable synchronization again.
Prerequisites for Synchronization
The following requirements must be met to synchronize two AMF Security systems.
- Use two AT-VST-APLs. The AT-VST-APL used for the secondary only supports the use of the AMF Security application. Therefore, it is necessary to stop all applications other than AMF Security on the AT-VST-APL setting page.
For how to stop an application on the AT-VST-APL, refer to the AT-VST-APL document posted on our website.
- The two AT-VST-APLs and AMF Security systems used for synchronization must be connected to IPv4 segments that can communicate with each other.
- Those interfaces can be the same as the ones used for connecting OpenFlow Switches (i.e. the ports acting as the control plane port and the management port).
- Both systems must have the same system settings, because system settings are not synchronized.
- Both systems must synchronize their clocks with the same NTP server. Also, the timezone of both systems must have the same settings.
In addition, Allied Telesis recommends implementing the following configurations on the devices in the network.
- Configure OpenFlow Switches to use both systems as OpenFlow controllers.
If OpenFlow Switches are using only one OpenFlow controller, the information displayed on the Device > Active Device List and the Switches > Active OpenFlow Switch List pages may differ between the primary and secondary systems.
- Configure applications interacting with AMF Security to send syslog or trap messages to both AMF Security systems.
If the applications are configured to send messages to only one of two AMF Security systems, application actions won't be updated correctly when one of the synchronized systems fails.
If the applications do not support multiple IP Addresses to which they send notifications, you can lower the possibility that actions are not updated properly by setting "Syslog Forwarding Destination Hosts" and "SNMP Trap Forwarding Destination Hosts" on the System Settings > Trap Monitor Settings page.
Configuring Synchronization
Set up database synchronization first on the device used as the secondary and then on the device used as the primary.
Note
Allied Telesis recommends downloading the authentication data on both systems as a backup before configuring synchronization.
- Make sure that both AMF Security systems can communicate with each other.
- Display the System Settings > Network Settings page with AMF Security used on the secondary. Click the "Enable" button of the Database Synchronization item.
- The "Database Synchronization Node Settings" dialog is displayed.
- Enter "Local IPv4 Address" and "Peer IPv4 Address" and click the "Enable as Secondary" button.
- Click the "OK" button.
Note
After clicking the "OK" button, do not operate the Web setting screen until the message in step 6 is displayed.
It may take about 30 seconds to display the message.
- After the message is displayed, AMF Security restarts, so log in again.
- After logging in, the System Settings > Network Settings page is displayed. Confirm that the settings have been reflected in the "Database Synchronization" item.
(At this point, Peer's "State" item is displayed as "Down" because the primary setting has not been made.)
Having clicked "Enable as Secondary" in step 4 on the secondary, repeat the procedure on the other AMF Security and click "Enable as Primary" instead.
After synchronization is set up, when you log in to the AMF Security web setting screen, the synchronization status is displayed after the host name in the upper right of the screen, for example "manager@sesc / Syncing (Primary)" or "manager@sesc / Syncing (Secondary)".
You can also see similar information in the "Database Synchronization" field on the System Settings > System Information page.
When Synchronization Fails
When synchronization fails for some reason, the systems respond in the following manner.
- When the primary fails (e.g. power outage) and only the secondary remains operational, the secondary is automatically promoted to primary and takes over the role of OpenFlow controller.
- When the synchronization link (communication) is lost while the primary and the secondary are operational, both systems act as the primary (after the secondary is automatically promoted to the primary) and perform the OpenFlow controller role. In this case, both systems make decisions using the same information unless configurations are changed through web interfaces or only one of the two receives syslog or SNMP trap messages.
- When the secondary fails, the primary continues its role as the OpenFlow controller.
When Synchronization Recovers
When synchronization recovers from a failure, the promoted primary system (ex-secondary) continues to act as the primary. In case the secondary fails and then recovers, the roles are the same before and after the failure.
When the synchronization link (communication) was lost while the primary and the secondary were operational and the link is then recovered, there may be a case where the systems have exchanged the roles of primary and secondary.
If you replace one of the systems with new hardware, synchronization might not restart.
The procedure for recovering when synchronization cannot be resumed is shown below.
Note
If you replace one of the synchronized AMF Security systems, you have to configure the new system with the same System Settings as the old one.
When a device failure occurs and AMF Security is newly replaced
Follow the steps below to recover.
- On the AMF Security settings page of the system operating as the primary, display the System Settings > System Information page.
- Click the "Export" button of the Authentication Data item to download the authentication data.
- Open the System Settings > Network Settings page.
- Click the "Disable" button in the Database Synchronization item.
- Click the "OK" button.
Note
After clicking the "OK" button, do not operate the Web setting screen until the message "The network settings have been updated. You are logged out after 30 seconds to reflect the settings." is displayed.
It may take about 30 seconds to display the message.
- Re-configure synchronization on both systems by following the steps described in Quick Tour/ Synchronizing AMF Security > Configuring Synchronization.
Note
Authentication Data on the primary system could be deleted during synchronization.
- Once you have reconfigured synchronization, go to the System Settings > System Information page on the primary system.
- Click the "Import" button for the Authentication Data item to open the "Upload Authentication Data" dialog.
- Click the "Choose File" button, select the authentication data (CSV format) downloaded in step 2, and click the "Submit" button.
When the synchronization link (communication) or route is restored after an interruption but synchronization cannot be resumed
Check the status of the two AMF Security units, and click the "Reconnect" button of "Database Sync" on the System Settings > Network Settings page to recover. Check the synchronization status on each AMF Security for the following two points.
- Status of "Local" and "Peer" in the "Database synchronization" item on the System Settings > Network Settings page
- Status of "Authentication Data" on the System Settings > System Information page
When "Local" in the "Database Synchronization" item is displayed as "Down"
- Open the System Settings > Network Settings page on AMF Security where "Local" in the "Database Sync" item is displayed as "Down".
- Click the "Reconnect" button in the Database Synchronization item.
- The "Database Synchronization Node Settings" dialog is displayed.
- Click the "Enable as Secondary" button.
- Click the "OK" button.
Note
After clicking the "OK" button, do not operate the Web setting screen until the message "The network settings have been updated. You are logged out after 30 seconds to reflect the settings." is displayed.
It may take about 30 seconds to display the message.
- After the message is displayed, AMF Security restarts, so log in again.
- After logging in, the System Settings > Network Settings page is displayed. Confirm that the display of the "Database Synchronization" item is as follows.
- Open the System Settings > Network Settings page on the other AMF Security.
- Click the "Reconnect" button in the Database Synchronization item.
- The "Database Synchronization Node Settings" dialog is displayed.
- Click the "Enable as Primary" button.
- Click the "OK" button.
Note
After clicking the "OK" button, do not operate the Web setting screen until the message "The network settings have been updated. You are logged out after 30 seconds to reflect the settings." is displayed.
It may take about 30 seconds to display the message.
- After the message is displayed, AMF Security restarts, so log in again.
- After logging in, the System Settings > Network Settings page is displayed. Confirm that the display of the "Database Synchronization" item is as follows.
When the status of "Authentication Data" is displayed as "Synchronization time-out of authentication database."
- Open the System Settings > Network Settings page on the AMF Security that does not display "Synchronization time-out of authentication database."
Note
This operation is performed on the AMF Security that does not display "Synchronization time-out of authentication database."
- Click the "Reconnect" button in the Database Synchronization item.
- The "Database Synchronization Node Settings" dialog is displayed.
- Click the "Enable as Secondary" button.
- Click the "OK" button.
Note
After clicking the "OK" button, do not operate the Web setting screen until the message "The network settings have been updated. You are logged out after 30 seconds to reflect the settings." is displayed.
It may take about 30 seconds to display the message.
- After the message is displayed, AMF Security restarts, so log in again.
- After logging in, the System Settings > Network Settings page is displayed. Confirm that the display of the "Database Synchronization" item is as follows.
- Open the System Settings > Network Settings page on the other AMF Security.
- Click the "Reconnect" button in the Database Synchronization item.
- The "Database Synchronization Node Settings" dialog is displayed.
- Click the "Enable as Primary" button.
- Click the "OK" button.
Note
After clicking the "OK" button, do not operate the Web setting screen until the message "The network settings have been updated. You are logged out after 30 seconds to reflect the settings." is displayed.
It may take about 30 seconds to display the message.
- After the message is displayed, AMF Security restarts, so log in again.
- After logging in, the System Settings > Network Settings page is displayed. Confirm that the display of the "Database Synchronization" item is as follows.
- Open the System Settings > System Information page.
- Confirm that the size and update date and time are displayed in the "Authentication Data" item.
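The two recovery cases above, plus the hardware-replacement case, can be encoded as a small triage helper that tells an operator which unit to reconnect as Secondary (always first) and which as Primary. This is an added example, not part of the manual or of the product; the NodeStatus fields and unit names are this example's own, and the status strings are assumed to match the web UI text quoted above.

```python
from dataclasses import dataclass

# Text shown in the "Authentication Data" item on System Settings > System
# Information when the database sync has timed out (quoted from the manual).
TIMEOUT_MSG = "Synchronization time-out of authentication database."


@dataclass
class NodeStatus:
    """Observed state of one AMF Security unit (field names are this example's own)."""
    name: str               # operator label for the unit, constructed for this example
    local: str              # "Local" in the Database Synchronization item: Primary/Secondary/Down
    peer: str               # "Peer" in the same item
    auth_data: str          # status text of the "Authentication Data" item
    replaced: bool = False  # True when this unit is newly installed hardware


def recovery_plan(a: NodeStatus, b: NodeStatus) -> dict:
    """Map the observed status of both units to the recovery procedure in the manual."""
    def other(n: NodeStatus) -> NodeStatus:
        return b if n is a else a

    # New hardware: export auth data from the surviving primary, disable sync,
    # reconfigure both units, then import the CSV on the primary. Keeping the
    # surviving unit as Primary is this example's choice, not a manual rule.
    replaced = [n for n in (a, b) if n.replaced]
    if replaced:
        surviving = other(replaced[0])
        return {"procedure": "replace", "export_from": surviving.name,
                "secondary": replaced[0].name, "primary": surviving.name,
                "import_on": surviving.name}
    # "Local" shows Down on exactly one unit: reconnect that unit as Secondary,
    # then the other unit as Primary.
    down = [n for n in (a, b) if n.local == "Down"]
    if len(down) == 1:
        return {"procedure": "reconnect", "secondary": down[0].name,
                "primary": other(down[0]).name}
    # Timeout shown on exactly one unit: reconnect the unit that does NOT show
    # the timeout as Secondary, then the one showing it as Primary.
    timed_out = [n for n in (a, b) if n.auth_data == TIMEOUT_MSG]
    if len(timed_out) == 1:
        return {"procedure": "reconnect", "secondary": other(timed_out[0]).name,
                "primary": timed_out[0].name}
    # Any other combination is outside the cases the manual describes.
    return {"procedure": "manual-review"}
```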
When swapping Primary and Secondary
The overall procedure is to disable the synchronization configuration on both systems and then reconfigure it.
- On the AMF Security settings page of the system operating as the primary, display the System Settings > System Information page.
- Click the "Export" button of the Authentication Data item to download the authentication data.
- Open the System Settings > Network Settings page on the current secondary's management web interface.
- Click the "Disable" button in the Database Synchronization item.
- Click the "OK" button.
Note
After clicking the "OK" button, do not operate the Web setting screen until the message "The network settings have been updated. You are logged out after 30 seconds to reflect the settings." is displayed.
It may take about 30 seconds to display the message.
- Open the System Settings > Network Settings page on the current primary's management web interface.
- Click the "Disable" button in the Database Synchronization item.
- Click the "OK" button.
Note
After clicking the "OK" button, do not operate the Web setting screen until the message "The network settings have been updated. You are logged out after 30 seconds to reflect the settings." is displayed.
It may take about 30 seconds to display the message.
- Re-configure synchronization on both systems by following the steps described in Quick Tour/Synchronizing AMF Security > Configuring Synchronization.
Disable Configuring Synchronization
Take the following steps when you disable synchronization in order to upgrade the version.
- Display the System Settings > Network Settings page of the AMF Security used as the secondary. Click the "Disabled" button of the Database Synchronization item.
- Click the "OK" button.
Note
After clicking the "OK" button, do not operate the Web setting screen until the message "The network settings have been updated. You are logged out after 30 seconds to reflect the settings." is displayed.
It may take about 30 seconds to display the message.
- Open the System Settings > Network Settings page of the AMF Security that is running as the primary. Make sure that "Peer" in the "Database Synchronization" item is "Down".
Note
It takes about 30 seconds to 1 minute after performing step 2.
- Display the System Settings > Network Settings page with AMF Security used on the primary. Click the "Disabled" button of the Database Synchronization item.
- Click the "OK" button.
Note
After clicking the "OK" button, do not operate the Web setting screen until the message "The network settings have been updated. You are logged out after 30 seconds to reflect the settings." is displayed.
It may take about 30 seconds to display the message.
Steps to stop and start AMF Security
Take the following steps when you stop and start a synchronized system for maintenance.
Steps to stop the AMF Security application
- On the AMF Security management page of the device operating as the secondary, click the "Stop" button to stop the AMF Security application.
For how to stop an application on the AT-VST-APL, refer to the AT-VST-APL document posted on our website.
- Open the System Settings > Network Settings page of the AMF Security that is running as the primary. Make sure that "Peer" in the "Database Synchronization" item is "Down".
Note
It might take one to one and a half minutes for the log message to appear after performing step 1.
- Shut down the secondary system with the same procedure as step 1.
Steps to start the AMF Security application
- On the AMF Security management page of the device operating as the primary, click the "Start" button to start the AMF Security application.
For how to start an application on the AT-VST-APL, refer to the AT-VST-APL document posted on our website.
- Open the System Settings > Network Settings page of the AMF Security that was running as the primary. Make sure that "Local" in the "Database Synchronization" item is "Primary".
Note
It might take one to one and a half minutes for the log message to appear after performing step 1.
- Start the secondary system with the same procedure as step 1.
19 Apr 2023 14:12