I'm looking to change our active/active cluster to an active/passive cluster on a pair of SA 6000 appliances. I've been maintaining our current Juniper SSLVPN environment for a few years, but I didn't initially set up the environment. I think I understand how to do this properly, but wanted some feedback from the community if possible.
Currently, our appliances have the internal ports connected to our internal network, external ports connected to DMZ. From the DMZ, we've NATed to our external-facing IPs. We weren't using the management ports with this setup.
With active/passive clustering, I understand that I need an internal virtual IP and an external (in our case DMZ) virtual IP. I also planned on turning on the management ports for each of the two SA 6000 appliances.
As I see things I will need 5 IP addresses for internal connections, 3 IPs for DMZ connections and 1 external IP:
internal 1
internal management 1
internal 2
internal management 2
internal virtual ip for cluster
dmz 1
dmz 2
dmz virtual ip for cluster
external ip to nat to virtual dmz ip
One thing I'm not sure about is the virtual addresses. Am I supposed to set DNS to the virtual IP for the cluster and let the cluster do the routing based on my active/passive settings? I assume that's how things will work. On the other hand, I can see needing to set DNS for the internal and external IPs, with the virtual IPs for the cluster only handling cluster traffic (nothing is routed to those addresses).
I hope this makes sense, because I had a hard time finding detailed documentation about how these devices handle clustering.
If anyone needs clarification, I'll provide it! Thanks!
Users connecting to the VIP should only be passed to the active node in the cluster. It does sound as though some users have bookmarked the IP address of the passive node and as such are hitting it.
Is there any information in the log files about what IP addresses the handful of users are coming from? Maybe you could identify them from that and then ask them to use the VIP.
The only other option would be if the DNS name has not been updated properly, or users are pointing to a name that still directs to the passive node's IP.
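As an added example (not from either poster, and not a Juniper tool), here is one way to do the log check suggested above: scan connection records for clients that connected to a node address directly instead of the cluster VIP. The log line format, the VIP and node addresses, and the sample lines are all constructed assumptions, so adapt the regex to the appliance's real access log.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed record format (constructed, not the SA 6000's real log layout):
# "<timestamp> client=<ip> dst=<ip> user=<name>"
LINE_RE = re.compile(r"client=(?P<client>\S+)\s+dst=(?P<dst>\S+)\s+user=(?P<user>\S+)")

# Constructed sample log: 192.0.2.5 keeps hitting a node IP, the rest use the VIP.
SAMPLE_LOG = """\
2024-01-01T08:00:01 client=192.0.2.5 dst=10.0.0.12 user=alice
2024-01-01T08:00:05 client=192.0.2.6 dst=10.0.0.10 user=bob
2024-01-01T08:01:10 client=192.0.2.5 dst=10.0.0.12 user=alice
2024-01-01T08:02:00 client=198.51.100.9 dst=10.0.0.10 user=carol
2024-01-01T08:02:30 heartbeat cluster=ok
2024-01-01T08:03:00 client=198.51.100.9 dst=10.0.0.11 user=carol
"""

def find_direct_node_clients(lines, vip, node_ips):
    """Return {client_ip: {node_ip: hit_count, "users": [...]}} for every
    client that reached a cluster node address without going via the VIP."""
    vip_addr = ipaddress.ip_address(vip)
    nodes = {ipaddress.ip_address(n) for n in node_ips}
    hits = defaultdict(lambda: defaultdict(int))
    users = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a connection record (e.g. cluster heartbeat)
        try:
            client = ipaddress.ip_address(m["client"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address, skip rather than crash
        if dst == vip_addr or dst not in nodes:
            continue  # VIP traffic is expected; unknown dsts are out of scope
        hits[str(client)][str(dst)] += 1
        users[str(client)].add(m["user"])
    return {c: {**dict(d), "users": sorted(users[c])} for c, d in hits.items()}

if __name__ == "__main__":
    result = find_direct_node_clients(SAMPLE_LOG.splitlines(),
                                      "10.0.0.10", ["10.0.0.11", "10.0.0.12"])
    for client, info in result.items():
        print(f"{client}: {info}")  # prints clients to contact about using the VIP
```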