
Creating active/passive cluster on SA6000



I'm looking to change our active/active cluster to an active/passive cluster on a pair of SA 6000 appliances. I've been maintaining our current Juniper SSLVPN environment for a few years but, I didn't initially setup the environment. I think I understand how to do this properly, but wanted some feedback from the community if possible.

Currently, our appliances have the internal ports connected to our internal network, external ports connected to DMZ. From the DMZ, we've NATed to our external-facing IPs. We weren't using the management ports with this setup.

With active/passive clustering, I understand that I need an internal virtual IP and an external (in our case DMZ) virtual IP. I also planned on turning on the management ports for each of the two SA 6000 appliances.

As I see it, I will need 5 IP addresses for internal connections, 3 IPs for DMZ connections and 1 external IP:

internal 1

internal management 1

internal 2

internal management 2

internal virtual ip for cluster

dmz 1

dmz 2

dmz virtual ip for cluster

external ip to nat to virtual dmz ip

One thing I'm not sure about is the virtual addresses. Am I supposed to set DNS to the virtual IP for the cluster and let the cluster do the routing based on my active/passive settings? I assume that's how things will work. On the other hand, I can see needing to set DNS for the internal and external IPs, with the virtual IPs for the cluster only handling cluster traffic (nothing is routed to those addresses).

I hope this makes sense, because I had a hard time finding detailed documentation about how these devices handle clustering.

If anyone needs clarification, I'll provide it! Thanks!

Super Contributor

Re: Creating active/passive cluster on SA6000

In active/passive, the VIP is moved to the primary and the secondary just sits there. So you've got everything correct in your setup. The external VIP is the only one that needs a public NAT. All user traffic, internal or external, should come in via the VIP.

Re: Creating active/passive cluster on SA6000

Thanks for the reply. I had my downtime to rebuild the cluster (and make quite a few other changes). Everything went well and the cluster is set up active/passive now. The only issue I see (I have a ticket open) is that users are still trickling into the passive appliance. Out of about 300 concurrent, maybe 8-10 are on the passive appliance. Have you or has anyone seen this happen?
Regular Contributor

Re: Creating active/passive cluster on SA6000

We had a problem with users connecting to the passive appliance. It turned out that during an outage the helpdesk had told them to connect to the IP address of the actual appliance. They had not reverted back to the DNS name, so they always connected to the same appliance regardless of the cluster status.
Occasional Contributor

Re: Creating active/passive cluster on SA6000

Users connecting to the VIP should only be passed to the active node in the cluster. It does sound as though some users have bookmarked the IP address of the passive node and as such are hitting it.

Is there any information in the log files about what IP address the handful of users are coming from? Maybe you could identify them from that and then ask them to use the VIP.

The only other option would be if the DNS name has not been updated properly, or users are pointing to a name that still directs to the passive node's IP.
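The two explanations offered in this thread (users bookmarking a node's physical address, and a DNS name that still resolves to a node instead of the VIP) can both be checked from the appliance's access logs and the DNS records. The script below is an added example, not code from the thread or from Juniper: it uses constructed documentation-range addresses, a constructed DNS view and a hypothetical key=value log format (the real SA6000 log layout will differ, so the regular expression is the part to adapt), and it reports which source IP and user are landing on the passive node and which of the two causes applies.

```python
import ipaddress
import re
from collections import Counter

# Constructed addressing for this example (documentation ranges, not the poster's real IPs).
DMZ_VIP = "192.0.2.10"        # cluster VIP that the DNS name should point at
ACTIVE_NODE = "192.0.2.11"    # physical DMZ address of the active node
PASSIVE_NODE = "192.0.2.12"   # physical DMZ address of the passive node

# Constructed DNS view: what the names users type currently resolve to.
DNS_VIEW = {
    "vpn.example.com": DMZ_VIP,        # correct record, points at the VIP
    "vpn2.example.com": PASSIVE_NODE,  # stale record still pointing at one node
}

# Constructed log lines in a hypothetical key=value shape (not the appliance's own format).
SAMPLE_LOG = """\
2024-03-01T08:00:01 src=203.0.113.5 dst=192.0.2.10 host=vpn.example.com user=alice
2024-03-01T08:00:02 src=203.0.113.6 dst=192.0.2.12 host=192.0.2.12 user=bob
2024-03-01T08:00:03 src=203.0.113.7 dst=192.0.2.12 host=vpn2.example.com user=carol
2024-03-01T08:00:04 src=203.0.113.8 dst=192.0.2.10 host=vpn.example.com user=dave
2024-03-01T08:00:05 src=203.0.113.6 dst=192.0.2.12 host=192.0.2.12 user=bob
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+) user=(?P<user>\S+)")


def is_ip_literal(host):
    """True if the client typed an address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(line, vip=DMZ_VIP, passive=PASSIVE_NODE, dns_view=DNS_VIEW):
    """Return (src, user, verdict) for one log line, or None if the line does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, host, user = m.group("src", "dst", "host", "user")
    if dst == vip:
        verdict = "ok"                # came in via the VIP as intended
    elif dst == passive and is_ip_literal(host):
        verdict = "direct-ip"         # bookmarked or helpdesk-supplied node address
    elif dst == passive and dns_view.get(host) == passive:
        verdict = "stale-dns"         # name still resolves to the node, not the VIP
    elif dst == passive:
        verdict = "passive-unknown"   # hit the passive node for a reason not modelled here
    else:
        verdict = "other"
    return src, user, verdict


def find_passive_users(log_text, **kw):
    """Map (user, src) -> Counter of non-VIP verdicts, i.e. who to contact and why."""
    findings = {}
    for line in log_text.splitlines():
        parsed = classify(line, **kw)
        if parsed is None:
            continue
        src, user, verdict = parsed
        if verdict != "ok":
            findings.setdefault((user, src), Counter())[verdict] += 1
    return findings


def stale_dns_names(dns_view=DNS_VIEW, vip=DMZ_VIP):
    """Names in the DNS view that do not resolve to the VIP and therefore bypass failover."""
    return sorted(name for name, addr in dns_view.items() if addr != vip)


if __name__ == "__main__":
    for (user, src), reasons in sorted(find_passive_users(SAMPLE_LOG).items()):
        print(f"{user:<8} from {src:<14} {dict(reasons)}")
    print("DNS names not pointing at the VIP:", stale_dns_names())
```

Running it on the constructed lines flags bob (two connections to the node's literal address) and carol (connecting through a name whose record was never moved to the VIP), and lists `vpn2.example.com` as the record to fix; alice and dave, who arrive via the VIP, are not reported.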