Jan 7, 2016
High Availability on Vyatta Cluster Routers
- Author Ermias Teffera
- Aug 26, 2015
I came across an odd little issue recently when configuring first hop redundancy with two Vyatta routers. In high availability mechanisms such as VRRP and router clustering, traffic can be successfully forwarded over a backup system if the primary system fails; however, the Vyatta router lacks a mechanism for sharing a firewall (its session state) between two or more Active-Active routers. If you are using two Vyatta routers on your network, one of the routers has to stay in standby mode until the other router fails.

Other routers, such as Cisco's, create a temporary opening in the access-list on the firewall interface. This opening allows the returning traffic (which would normally be blocked), and any additional data channel, to enter your internal network back through the firewall. The traffic is permitted back through the firewall only if it is part of the same session as the original traffic that triggered the opening when it exited via the firewall. This process is accomplished by what is known as Stateful Switch Over (SSO).
Recently, I had a requirement for two Vyatta routers to be completely redundant. Each router is connected to a different ISP, and they both function well when only one router is active at any given time. I couldn't make both routers completely redundant using VRRP because the Vyatta routers can't share their firewalls with each other; the only workaround was to change the topology as a whole.
This is a full description of the current topology. R1 is connected to ISP1 and R2 is connected to ISP2. Because R1 has the higher priority on the VRRP interface, it carries all user requests as they go out to the internet from the internal network. When the traffic returns, it may or may not come back through the same router, because different autonomous systems have different paths to different websites. Several minutes after I made both routers active, users started complaining about slow internet, or in some cases no connectivity at all.

It took me a few hours to pinpoint the problem. What was happening was that the request traffic was going out via R1 and then ISP1, but the response was trying to come back via ISP2 and then R2, and when the response reached R2, the Vyatta router blocked it by default even though the packet was part of the same session. This is because Vyatta routers have no way to share firewall state between two or more highly available routers, so the default behaviour is simply to block the incoming traffic. (The picture below shows how the router only sends out the traffic but gets no response.)


What I did to solve the issue was to change the topology to a full mesh: I connected R1 to ISP2 with an eBGP neighbor relationship and configured MED (multi-exit discriminator) on that link, and I made the analogous change on R2, so that replies to R1's requests can only come back to R1 and replies to R2's requests come back to R2.
(The picture below shows the topology change.)

After the BGP MED configuration, the network was functioning properly. (The picture below shows how the traffic goes out and gets a response.)
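As an added illustration (not code from the original post), here is a small Python model of the two behaviours described above: each router keeps its own connection table, and the ISP's choice of return router is driven by MED. The router names, addresses, ports and MED values are constructed for the model.

```python
from dataclasses import dataclass, field


def reverse(flow):
    """Swap endpoints of a (src_ip, src_port, dst_ip, dst_port) tuple."""
    src, sport, dst, dport = flow
    return (dst, dport, src, sport)


@dataclass
class StatefulRouter:
    """A router whose firewall only admits replies to sessions it saw leave.
    The conntrack table is local: nothing is shared with the other router."""
    name: str
    conntrack: set = field(default_factory=set)

    def send_out(self, flow):
        self.conntrack.add(flow)          # session state recorded on this box only

    def accept_reply(self, reply):
        return reverse(reply) in self.conntrack


def isp_return_router(advertisements):
    """Router an ISP picks to reach the internal prefix.
    advertisements: list of (router, med) as heard from each peer. The lowest
    MED wins; equal MEDs fall back to the first entry, standing in for the
    ISP's own tie-break, which the operator does not control. Only the MED
    step of BGP best-path selection is modelled."""
    return min(advertisements, key=lambda ad: ad[1])[0]


def simulate(use_med):
    """Return (router that receives the reply, whether its firewall accepts it)."""
    r1, r2 = StatefulRouter("R1"), StatefulRouter("R2")
    flow = ("10.0.0.5", 40000, "203.0.113.10", 443)   # constructed sample flow
    r1.send_out(flow)                                  # request leaves via R1 -> ISP1
    # The reply arrives from ISP2. Without MED both routers look equal to ISP2
    # and its tie-break happens to pick R2; with MED, R1 advertises the prefix
    # to ISP2 with a lower MED than R2 does, so ISP2 hands the reply to R1.
    ads = [(r2, 0), (r1, 0)] if not use_med else [(r2, 200), (r1, 100)]
    landing = isp_return_router(ads)
    accepted = landing.accept_reply(reverse(flow))
    return landing.name, accepted
```

`simulate(False)` reproduces the outage (reply lands on R2 and is dropped for lack of state), while `simulate(True)` shows the steered return path being accepted.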
