Currently we have SA 6500 in an active/standby cluster, and they are located in different data centers. We are planning to move one from a data center to a new data center and change the cluster type to active/active.
I understand that an external load balancer is required to set up an active/active cluster. I have a list of things that would be impacted by the change, and I would appreciate it if someone could provide some insights on the questions below. Also, if I missed anything, please let me know.
Before starting anything, take backups of the user and system configuration on both systems.
(1) This sounds correct.
(2) I'd reboot any time I change addresses on a device. Maybe not necessary, but it gives me peace of mind at very little cost. Changes made to SA1 while it is standalone will be copied onto SA2 when it enters the cluster.
(3) I can't think of any reason creating the A/A cluster would cause an outage.
(4) I think so. It should definitely stay on SA1. Just in case, you can always import it from the system configuration you backed up at the start of the process.
(5) I have no experience with user record synchronization, so I can't answer this question.
Please correct me if I am wrong.
Here SA1 is a lone device in an active/passive cluster. I am scheduled to change the internal and external IP addresses of SA1.
While I change the IP addresses, can I create an active/active cluster even though an external load balancer is not ready?
For instance, when a user enters company.vpn.com, which resolves to the IP address of the external interface of SA1, then I don't see why the user can't connect.
Later, when the load balancer is ready, the DNS team can make changes so that company.vpn.com is directed to the load balancer instead of SA1.
Am I on the right path?
I'm a little confused how you have an active/passive (if that is what you mean by active/standby) cluster spread over two data centers, since that requires that both devices be on the same subnet.
The whole question of a load-balancer for active/active clusters is a complex issue. You can't use a layer 2 load-balancer because the devices are not on the same subnet. Juniper recommends against load-balancing via DNS, at least round-robin - if your DNS load-balancer can consistently resolve a name for a specific user to the address of only one of the two devices in the cluster, you'll be OK.
To (try to) answer your questions -
Hope this has been useful. I'm much more of an expert on clustering than I want to be.
Thanks for your response.
Currently we have extended VLANs across data centers, so each interface is in the same subnet.
I have found that we have a BIG-IP GTM from F5, and I was told that the IP addresses of the external interfaces of both devices must be entered into the GTM. I also think that the hostname/URL and VIP must be entered as well?
Here is what I plan to do for the move and correct me if I am wrong or missing something.
I think we can avoid downtime/outage until two devices are ready for active/active cluster configuration.
1) The SA-6500 that will be moved is not active; break the cluster and bring it offline. Call this device Node 2.
2) The other node, called Node 1, will continue to provide service as a single node. Therefore no outage.
----------The following are steps to configure Node 2 and test the connection using the external load balancer------------
3) Bring Node 2 online in the new data center.
4) Configure Node 2 network settings such as IP addresses, DHCP IP pool, hostname, etc.
5) Enter the external IP address and VIP into the load balancer.
6) Test the connection from the Internet through the load balancer using the VIP.
7) If the test is successful, schedule downtime for the active/active cluster setup.
8) During the setup, the hostname/URL and the Node 1 external IP address will be entered into the load balancer.
Hopefully these are all the steps needed to configure the active/active cluster.
If all the interfaces of both devices will be in the same subnet, you could continue to run an active/passive cluster. I'd recommend that you check with Juniper to (1) ensure that an A/P cluster will work with the amount of delay you would have in your internal network between the data centers and (2) if so, what timing parameters should you change.
If you still want to run active/active, the process to do so depends on how your A/P cluster is now configured. To help you with your process, I'd need to know how your NC pools are allocated and routed.
Let me know how you want to proceed, and I can probably help with a process. I've spent a lot of time on this topic recently.
We will not have interfaces in the same subnet after the migration. Each data center will have unique IP addresses.
The current A/P cluster shares an NC pool, but we will have two NC pools, one pool per data center, and the static route in the default gateway points to the internal VIP.
It appears that we will not need an internal VIP in the A/A cluster. However, it seems we will have to enter the external cluster VIP and cluster hostname in our load balancer.
When you convert to an A/A cluster, the internal and external VIPs will disappear, and only the native interfaces will matter. So your static routes should be changed to point to the native interfaces of the devices.
You should not do load-balancing using a GTM. DNS load-balancing is inconsistent with Network Connect. The problem with load-balancing via DNS is that there is no way to implement persistence in a DNS load-balancing scenario. There is a Juniper KB article on this - maybe I can find the number for you.
If you want to do failover using the GTM, that would be fine - or, if you want to do geographic load-balancing using it, that's OK, too. You need to avoid any configuration which would have the DNS resolution for a user change after they log in to the SA.
Since the GTM is effectively a DNS server, it will need to know the external addresses of both of your SA devices, and also the server name in the URL.
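A way to check for the mid-session resolution change described above, as an added example that is not part of this thread: it parses constructed DNS query-log lines (the four-column format and the one-hour session window are assumptions) and flags clients whose answer for the VPN hostname changed within a session, which is the condition that breaks Network Connect.

```python
"""Flag clients whose DNS answer for the VPN hostname flipped mid-session."""
from collections import defaultdict

# Constructed sample log lines (not real data): client_ip, epoch_seconds, name, answer
SAMPLE_LOG = """\
10.1.1.5 1000 company.vpn.com 203.0.113.10
10.1.1.5 1300 company.vpn.com 203.0.113.10
10.1.1.9 1010 company.vpn.com 203.0.113.20
10.1.1.9 1400 company.vpn.com 203.0.113.10
10.2.2.7 1020 company.vpn.com 203.0.113.20
10.2.2.7 9000 company.vpn.com 203.0.113.10
"""

SESSION_WINDOW = 3600  # seconds; assumed VPN session length for the check


def parse_log(text):
    """Yield (client, ts, name, answer) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        client, ts, name, answer = parts
        yield client, int(ts), name, answer


def find_mid_session_flips(text, hostname, window=SESSION_WINDOW):
    """Return {client: [(prev_answer, new_answer, ts), ...]} for clients whose
    answer for `hostname` changed within `window` seconds of their previous
    answer. A gap longer than the window is treated as a new session."""
    last = {}                       # client -> (answer, ts) of the last query seen
    flips = defaultdict(list)
    records = sorted(parse_log(text), key=lambda r: (r[0], r[1]))
    for client, ts, name, answer in records:
        if name != hostname:
            continue
        prev = last.get(client)
        if prev and prev[0] != answer and ts - prev[1] <= window:
            flips[client].append((prev[0], answer, ts))
        last[client] = (answer, ts)
    return dict(flips)


if __name__ == "__main__":
    for client, changes in find_mid_session_flips(SAMPLE_LOG, "company.vpn.com").items():
        print(client, changes)
```

Run it against the resolver's query log for the VPN name after a GTM change; any client listed is one the load balancer has already steered to the other node mid-session.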
You don't need to reinstall licenses if you are moving one node.
You of course need to do it during a maintenance window and get the IP information changed for the node which is moved.
The project, converting active/passive to active/active, is back on again.
To recap, the primary purpose of the conversion using the F5 BIG-IP GTM is to provide redundancy/failover. We have 2 SAs in an active/passive cluster in a data center. A passive SA will be moved to a new data center. So if one data center is not available, or resources are not reachable in the data center, the GTM will direct incoming requests to the available data center. I believe this requires that the cluster VIP and cluster hostname be entered into the GTM. The article KB3179 on page 3 displays a diagram showing the cluster VIP and hostname.
Here is my plan to configure them as an active/passive cluster. I would appreciate it if you let me know if I am missing steps or wrong.
Can you explain what the difference is between DNS load balancing and geographic load balancing? You mentioned that you don't recommend DNS load balancing because it is inconsistent with Network Connect. How do I avoid doing DNS load balancing?