Multi-site clusters

SOLVED
Occasional Contributor

Multi-site clusters

Does anyone know if multi-site clusters (A/A obviously) are supported outside of SA6500's, or has anyone done such a deployment?


6 REPLIES
Valued Contributor

Re: Multi-site clusters

No - only SA6500 supports more than 2 boxes.

Occasional Contributor

Re: Multi-site clusters

I'm not talking multi-unit clusters (more than 2), but multi-site clusters where 2 units are installed in physically separate locations with independent IP information.

The SA-Series HA Clustering datasheet lists the following as features:

• Multi-unit clusters and cluster pairs for HA and redundancy across the LAN
  - Cluster pairs supported on SA2500 and SA4500
  - Multi-unit cluster or cluster pairs supported on SA6500
• Multi-site clusters for HA and redundancy across the WAN

From that list one would assume that multi-site clusters are an option for all SA appliances, but wording in the document text says:

In addition, multi-site clusters allow the SA6500 SSL VPN Appliance to be deployed at different locations and even on different IP subnets, while maintaining state information by synching over the WAN and operating on a single usage license.

I couldn't find documentation clearly stating whether or not multi-site clusters are supported on all SA appliances or just the SA6500.

Frequent Contributor

Re: Multi-site clusters

We are running a MultiSite cluster with two SA4000's. It works great. I believe you must configure them as Active/Active, but we have had no problems. The replication across the WAN (15ms) has not been a problem. You will need to use some sort of Dynamic DNS system to load balance/failover. (We used F5 3DNS in the past and now out-source.) I often see myself connected to one box for my RDP session, but host checker reports back to the other box.

-Stephen

Occasional Contributor

Re: Multi-site clusters

That's good to hear. Is each box on a different WAN & LAN subnet (and not on a shared network, bridged between sites)? Have you tested failover with uninterrupted user connectivity?

Thanks,

Andrew

Frequent Contributor

Re: Multi-site clusters

We initially tested some basic failover functionality (web bookmarks) and IIRC it worked just fine. For the first couple years we ran in a Failover mode and the secondary box never got used. As the user count got higher, we went to a Round Robin mode so both boxes share the load.

If you are doing NetConnect, it will not failover properly since you will need to define two different DHCP ranges, one for each server. I would assume anything else that is a constant connection (RDP/Citrix/probably anything SAM based) would probably drop and require the end user to reconnect. Shouldn't log them out of the SSL-VPN, just potentially the application.

We do have the servers on different LAN segments, so they have no direct connection between them. They have 500 miles, an OC3 and 4 routers between them on the LAN side. Different ISPs on the WAN side.

-Stephen

Occasional Contributor

Re: Multi-site clusters

Thanks for all the info. Limitations around failover all sound reasonable. I'm happy to hear that multi-site is possible for any cluster pair in A/A.