Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

What is Intrinsic Network High Availability (INHA)?

    • Updated:
    • 27 Aug 2019
    • Product/Version:
    • TippingPoint IPS N-series All
    • TippingPoint IPS NX-series All
    • TippingPoint IPS S-series All
    • TippingPoint TPS All
    • TippingPoint Virtual TPS All
    • Platform:
Intrinsic Network High Availability (INHA)  also known as "Layer 2 Fallback" (L2FB), determines how the IPS device manages traffic on each segment in the event of a system failure. When the system fails, the device goes into Layer-2 Fallback mode and either permits or blocks all traffic on each segment, depending on the L2FB action setting for the segment. When the device is in L2FB mode, any traffic allowed through the device will not be inspected; it simply passes through the device.

User-added image

A lack of reported errors or congestion through the TSE does not guarantee that the components receive correct and error-free traffic. The INHA monitors the TSE for several points of failure and applies failure detection logic against the system. All components for the INHA are checked for failure. The IPS device performs the following checks to detect a failed condition and trigger a Layer-2 Fallback:

Check back-pressurePresence of back-pressure indicates packets are queued for processing. It indicates failure if it does not process packets.
Determine traffic requirementsIf the IPS does not pass traffic, the ability to detect a failed TSE is more difficult. A minimum rate of traffic must pass through the IPS for best TSE-failure detection.
Handle non-atomic nature of the data pathPackets pass through each component at different times and rates. The status of each component is determined independently of each other. INHA uses sampling to determine if the TSE is healthy.
Check and transmit the inbound receive countersEach component has received counters incremented by packets received from the previous component. The component transmits these counters incremented as packets to the next component. These counters are the most accurate and most complicated way of detecting TSE health.
Dropped packets exceed the thresholdIf too many packets awaiting deep inspection are queued up, packets will be dropped.
Memory lowsIf available system memory is too low for proper operations.
Various chip set errorsRepresents possible hardware problems.

Each component also has a specific set of functions for failure checking. You can view and configure the Layer-2 Fallback behavior for each segment from the Network Segments page (Network > Segments). The default setting for each segment is to permit all traffic. This setting is usually preferred by service providers because it prevents a device outage from becoming a network outage. However, for greater security, you may want to change the default the Layer-2 Fallback setting to block all to guarantee that no uninspected traffic enters the network. You can view and manually change the current INHA state (normal or Layer-2 Fallback) from the High Availability menu page (System>High Availability).

User-added image User-added image 
User-added image
Configure; Troubleshoot; Deploy
Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.