MAG geographic clustering/HA possible?

SOLVED
Jeroen Bismans_
Occasional Contributor

MAG geographic clustering/HA possible?

Dear forum,

 

We have two data centers in two different locations that are connected with a layer 2 link.

Would it be possible to do active/active HA between one box in one datacenter and one box in another datacenter?

 

What are the requirements to do this?

  • Latency?
  • Layer 2/Layer 3 link?
  • Multicast traffic?
  • Do the WAN/LAN IP ranges need to be in the same IP range?
    I'm not sure if each data center will have the same IP range.
    Without the same IP range failover will most likely not be possible?


What exactly would be synced concerning configuration?

I would have one sign-in URL pointing to one data center and one sign-in URL pointing to another data center.

For example: dc1.company.com and dc2.company.com, each a different public IP.

 

Or am I overcomplicating things and should I make each box stand-alone?

 

All advice is welcome!

1 ACCEPTED SOLUTION

kalagesan_
Super Contributor

Re: MAG geographic clustering/HA possible?


Hi Jeroen Bismans ,

 

I understand your requirement.

 

WAN clustering is not supported on the MAG Series Junos Pulse Gateways, except as it relates to campus networks. In a well-connected campus network, where the connectivity is more LAN-like than WAN-like, the Junos Pulse Gateways can be clustered in separate buildings.

 

This information is documented in the SA admin guide on page #23.

You can use the URL below to access the information about WAN clustering not being supported; refer to page #23:

 

http://www.juniper.net/techpubs/en_US/sa8.0/information-products/topic-collections/junos-pulse-secur...

 

Clustering MAG devices is supported on the LAN, but rarely on the WAN. The reason for this is that WAN connections are often the source of sporadic latency and reduced bandwidth that will almost certainly interfere with cluster communication, regardless of whether it is for MAG devices or the previous generation SA devices.

In a well-connected environment, in which latency remains low and available bandwidth remains high, the ability for each device to fully communicate without pause is preserved and clustered systems should not get confused over which system should own potentially tens of thousands of live user sessions. The nodes regularly communicate session, configuration, and timestamp information, and any interruptions and loss of communications will impact cluster nodes when attempting to recover.

It is this LAN or campus network class of service that must be displayed in both the design and delivery if maximum uptime is indeed the goal, as WAN circuits tend to become congested when remote access is required.

For high latency connections between cluster nodes, to maintain configurations between multiple systems across the WAN, the Push Config feature is the recommended approach.

 

The best network for Active-Active cluster connectivity of nodes is a LAN-Type or campus network with extremely low latency and high bandwidth.

 

Other good practices for an Active-Active cluster when latency is high are as follows:

  • Disable log sync
  • Disable session sync
  • Disable last access sync

Note: Disabling session and last access sync will cause users to re-authenticate when connecting to other nodes of the same cluster.


Note: If I have answered your questions, you could mark this post as accepted solution, that way it could help others as well. Kudo will be a bonus thanks!

 

Regards,

Kannan

Jeroen Bismans_
Occasional Contributor

Re: MAG geographic clustering/HA possible?

Wow! Thank you for that very detailed response!

 

I indeed saw that document you are referring to, but I misinterpreted the data.

I thought the WAN/LAN clustering had something to do with the WAN/LAN interface being used.

For example, if you have a two-armed setup, that the cluster communication can be done over the LAN interfaces but not over the WAN interfaces.

So that has nothing to do with it?

 

It means that the connectivity has to be LAN-like, like 100mbit+ full duplex, 1-5 ms latency.
So an MPLS-like connection will probably not be sufficient.

 

What is your estimate from what point it is doable?

 

Raveen_
Regular Contributor

Re: MAG geographic clustering/HA possible?

Hello Jeroen,

As Kannan explained previously, WAN clustering is not supported irrespective of the ports configured.

Yes, bandwidth and latency have to be LAN-like in performance.

 

However, to answer your question on MPLS network:

 

In my experience, I have seen customers successfully establishing clustering over a dedicated leased line and also over an MPLS network. It might work without issues! But if you encounter any problem, then the official statement from Juniper would be that it is an unsupported scenario, as this kind of setup is neither tested nor recommended by Juniper.

 

Hope this clarifies!

 

Regards,

Raveen

Jeroen Bismans_
Occasional Contributor

Re: MAG geographic clustering/HA possible?

Thank you both for your help and fast responses!

 

I gave you both the kudos you deserve!

kalagesan_
Super Contributor

Re: MAG geographic clustering/HA possible?

Hi Jeroen,

 

I am glad that our suggestions helped you, thank you.

 

Regards,

Kannan