
SA cluster: concentrator uses real IP instead of VIP

ralvez_
Occasional Contributor
Hello team:

My SSL concentrators are configured as an Active/Passive cluster. I turned on a sniffer to trace a session from the concentrator (the internal interface) to internal web resources, and found that the Active concentrator initiates sessions with its real IP instead of the internal VIP.

Is this normal behavior? I want to be sure, since I have to configure policies in the firewall located between the SSL concentrator and the internal resources.

Your kind answers will be greatly appreciated.

Best regards, Rogelio

SHKM_
Frequent Contributor

Re: SA cluster: concentrator uses real IP instead of VIP

Yes, the SA uses its own local interface IP address to connect to backend resources.

Thanks,

Suresh

spuluka
Super Contributor

Re: SA cluster: concentrator uses real IP instead of VIP

I create a group with all three addresses, the VIP and the two physical cluster members. Then use this to write the rules for access to resources.

The other set of rules you will need is for any address pools you create for Network Connect or Junos Pulse connections.

You will also need a NAT-enabled Internet access rule from these addresses if you do not use split tunnel and force any Internet traffic over this link. These will be from the interface addresses. This will also be the source address for any web resources that go to Internet servers.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA
JNCIA-ER JNCIA-EX JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV JNCIS-SSL
ACE PanOS 6
MCP - Managing Server 2003 MCP - Windows XP Professional
MCTS Windows 7
http://puluka.com/home
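As an added example (not from the thread and not Juniper's own configuration), this is what the three rule groups described above could look like on a Junos SRX sitting between the SA cluster and the internal network. Every address, zone and object name is an assumption: 10.0.1.10 as the internal VIP, 10.0.1.11 and 10.0.1.12 as the two members' internal interface addresses, 10.0.2.0/24 as the Network Connect / Junos Pulse address pool, 10.10.0.0/24 as the internal web servers, and zones named dmz, trust and untrust.

```junos
## Added example, not from the thread. All addresses, zones and object
## names are assumed; adjust them to the real cluster before committing.

## 1. Group the VIP and both physical members: the active node sources
##    backend connections from its own interface address, not the VIP,
##    and after a failover the other member's address appears instead.
set security address-book global address sa-vip   10.0.1.10/32
set security address-book global address sa-node1 10.0.1.11/32
set security address-book global address sa-node2 10.0.1.12/32
set security address-book global address-set sa-cluster address sa-vip
set security address-book global address-set sa-cluster address sa-node1
set security address-book global address-set sa-cluster address sa-node2

## Internal web resources the SA proxies for users (assumed subnet).
set security address-book global address internal-web 10.10.0.0/24

## 2. Address pool handed to Network Connect / Junos Pulse clients (assumed).
set security address-book global address nc-pool 10.0.2.0/24

## Cluster to backend resources: match on the whole set, not the VIP alone.
set security policies from-zone dmz to-zone trust policy sa-to-internal match source-address sa-cluster
set security policies from-zone dmz to-zone trust policy sa-to-internal match destination-address internal-web
set security policies from-zone dmz to-zone trust policy sa-to-internal match application junos-http
set security policies from-zone dmz to-zone trust policy sa-to-internal match application junos-https
set security policies from-zone dmz to-zone trust policy sa-to-internal then permit
set security policies from-zone dmz to-zone trust policy sa-to-internal then log session-init

## Tunnelled clients: their packets carry pool addresses as the source.
set security policies from-zone dmz to-zone trust policy nc-to-internal match source-address nc-pool
set security policies from-zone dmz to-zone trust policy nc-to-internal match destination-address internal-web
set security policies from-zone dmz to-zone trust policy nc-to-internal match application junos-https
set security policies from-zone dmz to-zone trust policy nc-to-internal then permit
set security policies from-zone dmz to-zone trust policy nc-to-internal then log session-init

## 3. No split tunnel: client Internet traffic and proxied web resources
##    that reach Internet servers leave through the SA, so allow both the
##    pool and the cluster interface addresses and source-NAT them on egress.
set security policies from-zone dmz to-zone untrust policy vpn-to-internet match source-address nc-pool
set security policies from-zone dmz to-zone untrust policy vpn-to-internet match source-address sa-cluster
set security policies from-zone dmz to-zone untrust policy vpn-to-internet match destination-address any
set security policies from-zone dmz to-zone untrust policy vpn-to-internet match application junos-http
set security policies from-zone dmz to-zone untrust policy vpn-to-internet match application junos-https
set security policies from-zone dmz to-zone untrust policy vpn-to-internet then permit

set security nat source rule-set dmz-to-untrust from zone dmz
set security nat source rule-set dmz-to-untrust to zone untrust
set security nat source rule-set dmz-to-untrust rule vpn-egress match source-address 10.0.2.0/24
set security nat source rule-set dmz-to-untrust rule vpn-egress match source-address 10.0.1.0/24
set security nat source rule-set dmz-to-untrust rule vpn-egress then source-nat interface
```

After committing, the check that matters is a failover: force the passive node active, repeat the sniffer trace, and confirm with `show security flow session` that the sessions now sourced from the other member's interface address still hit sa-to-internal rather than the default deny. Logging on session-init is there so the policy that actually matched shows up in the syslog rather than having to be inferred.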
ralvez_
Occasional Contributor

Re: SA cluster: concentrator uses real IP instead of VIP

Hi Suresh:

Thank you very much for your kind answer.

So if there is a firewall between the cluster and the backend resources, my security policies must take into account the IP addresses of both internal interfaces of the cluster devices. Am I right?

TIA, Rogelio