Great. thanks, so I don't have to travel to the site to make IP changes.

Please correct me if I am wrong.

Here SA1 is a lone device in active/passive cluster. I am scheduled to change the IP address of internal and external IP address of the SA1.

While I change the IP addresses,Can I create active/active cluster even though an external load balancer is not ready?

For instance, when a user enters company.vpn.com, which resolves to the IP address of the external interface of SA1, then I don't whey the user can't connect.

Later when the load balancer is ready, DNS team can make changes so the company.vpn.com directed to the load balancer instead of the SA1.

Am I on the right path?

Thanks

I'm a little confused how you have an active/passive (if that is what you mean by active/standby) cluster spread over two data centers, since that requires that both devices be on the same subnet.

The whole question of a load-balancer for active/active clusters is a complex issue. You can't use a layer 2 load-balancer because the devices are not on the same subnet. Juniper recommends against load-balancing via DNS, at least round-robin - if your DNS load-balancer can consistently resolve a name for a specific user to the address of only one of the two device in the cluster, you'll be OK.

To (try to) answer your questions -

• A public certificate - do I need to export and import on the load balancer? Only if the load-balancer is doing some sort of redirect. A standard L2 load-balancer like a BIG-IP merely redirect the traffic and does not terminate the SSL session.
• Licenses - Existing cluster license for active/standby will work? Yes
• IP address pool - node 1 and node 2 will have a different IP pool and I wonder how a user connected to node 1 will be Statefully failover to node 2 since the nodes assign a different IP addresses. Or stateful failover is not supported at all? Stateful failover is not supported in an active/active cluster for NC users, for just the reason you mention, and maybe some others
• Default routes - default route will be automatically configured if new IP addresses are assigned? If the users restart NC after the failover, yes
• Will this cause an outage/downtime? Yes
• Is there a documentation for the change? I could not find in KB and admin guide does not provide much on this topic I recommend you break your cluster entirely (de-configure clustering) and then rebuild the cluster as an active/active cluster. If you are moving one of the devices at the same time, you will of course need to configure that device on its new subnet before rebuilding the cluster.

Hope this has been useful. I'm much more of an expert on clustering than I want to be.

Ken

Thanks for your response.

Currently we have extended VLANS across data centers so each interfaces are in the same subnet.

I have found that we have a BIG-IP GTM from F5 and I was told that the IP addresses of the external interfaces of both devices must be entered into the GTM. I also think that hostname/URL and VIP must be entered as well?

Here is what I plan to do for the move and correct me if I am wrong or missing something.

I think we can avoid downtime/outage until two devices are ready for active/active cluster configuration.

1) SA-6500 that will be moved is not active and break the cluster. Bring it offline. Call this device Node 2

2) The other node, called Node 1, will continue to provide service as a single node. Therefore no outage

----------The following are steps to configure the Node 2 and test the connection using External Load Balancer------------

3)Bring the Node 2 online in the new data center

4)Configure Node 2 network settings such as IP addresses, DHCP IP Pool, hostname, etc...

5) Enter external IP address and VIP into the load balancer

6)Test the connection from Internet thru load balancer using VIP.

7)If the test is successful, schedule downtime for active/active cluster setup.

8)During the setup, hostname/url and the Node 1 external IP address will be entered to the load balancer

Hopefully these are all the steps are needed to configure active/active cluster.

Thanks,

If all the interfaces of both devices will be in the same subnet, you could continue to run an active/passive cluster. I'd recommend that you check with Juniper to (1) ensure that an A/P cluster will work with the amount of delay you would have in your internal network between the data centers and (2) if so, what timing parameters should you change.

If you still want to run active/active, the process to do so depends on how your A/P cluster is now configured. To help you with your process, I'd need to know how your NC pools are allocated and routed.

• Do you share address pools between your active and passive nodes, or does each machine have its own pools?
• If you use static routes in your default gateway routers, do they route to the internal interface of the SA or to the internal VIP?

Let em know how you want to proceed, and I can probably help with a process. I've spent a lot of time on this topic recently.

Ken

We will not have interfaces in the same subnet after the migration. Each data center will have unique IP addresses.

The currently A/P shares NC pool but we will have two NC pool, one pool each data center and static route in default gateway points to internal VIP.

It appears that we will not need internal VIP in A/A cluster. However, it seems we will have to enter external cluster VIP and

cluster hostname in our load balancer.

Donald

When you convert to an A/A cluster, the internal and external VIPs will disappear, and only the native interfaces will matter. So your static routes should be changed to point to the native interfaces of the devices.

You should not do load-balancing using a GTM. DNS load-balancing is inconsistent with Network Connect. The problem with load-balancing via DNS is that there is no way to implement persistence in a DNS load-balancing scenario. There is a Juniper KB article on this - maybe I can find the number for you.

If you want to do failover using the GTM, that would be fine - or, if you want to do geographic load-balancing using it, that's OK, too. You need to avoid any configuration which would have the DNS resolution for a user change after they log in to the SA.

Since the GTM is effectively a DNS server, it will need to know the external addresses of both of your SA devices, and also the server name in the URL.

Ken

You dont need to reinstall licenses if you are moving one node.

You need to ofcourse do it during maintenance window and get IP information changed for the node which is moved.

The project, converting active/passive to active/active is back, on again.

To recap, the primary purpose of the conversion using F5 Big-IP GTM is to provide redundancy/failover. We have 2 SAs in an active/passive cluster in a data center. A passive SA will be moved to a new data center. So if one data center is not available or resources are not reachable I the data center, the GTM will direct incoming requests to available data center. I believe this requires cluster VIP and cluster hostname must be entered into the GTM. The article KB3179 on page 3 displays a diagram shows that cluster VIP and hostname.

Here is my plan to configure them as active/passive cluster. I would appreciated if you let me know if I am missing steps or wrong.

1. Shutdown the passive device and keep the active intact in order to continue to service requests. Move it over to a new data center. Change 1) IP addresses for both inside and outside interfaces 2) DHCP IP Pool 3) Static routes 4) cluster type Ð may have to recreate a cluster with active/active
2. Test the device at the new data center using the GTM. To test I guess I will have to assign a cluster IP address to the GTM and the GTM directs requests to the new data center only. Question Ð can the cluster IP address can be in the same subnet as outside interface of the SA?
3. Once the test is successful, then I will schedule an outage to configure the remaining device. 1) change the cluster type Ð joint the active/active cluster created on the SA in the new data center 2) have DNS hostname to point to the new cluster IP.

Can you explain what the difference is DNS load balancing vs. geographic load balancing? You mentioned that you don't recommend the DNS load balancing because it is inconsistent with Network Connect. How do I avoid doing DNS load balancing?

Thanks,