
SSL VPN CLUSTER Question

SOLVED
Regular Contributor

Hi

I have one SSL VPN box in a two-leg implementation, with one internal and one external IP. I would like to add another SSL VPN box to form a cluster.

My questions are:

1- In order to add the secondary box to the cluster, either via console or web:

- Should it have the cluster license already present?

- Do we need to configure both internal and external IPs first, or can we configure them after adding it to the cluster?

2- After making the successful cluster:

- If the master fails, the cluster switches to the secondary. What about preemption? I mean, if the previous master comes back, does it retain the master role again or not?

- When the secondary box becomes the master, will it also create a machine account on AD, or does it use the existing SSL VPN account on AD, as created by the primary SSL VPN box, to authenticate and authorize the user?

Thanks

Accepted solution
Frequent Contributor

Re: SSL VPN CLUSTER Question

1) Yes, the cluster license should already be present on the second node.
Since your primary has both internal and external configured, during cluster formation the secondary node must have internal and external interfaces configured as well.
2) Preemption would not occur; the node which owns the VIP will continue to own it.
Each SA device will have an individual machine account on the AD.

< please mark this post as 'accepted solution' if this answers your question; that way it might help others as well, a kudo would be a bonus :) thanks >

13 replies
Respected Contributor

Re: SSL VPN CLUSTER Question

Yes, in order to complete the cluster join from the second node, you need the cluster license installed. Without that, or on 7.1 and later, you will not be able to join the cluster.

Occasional Contributor

Re: SSL VPN CLUSTER Question

What if the cluster license has already been installed on the secondary IVE (to be added)? Will this cause a problem?
Regular Contributor

Re: SSL VPN CLUSTER Question

Hi

Someone here?

Regular Contributor

Re: SSL VPN CLUSTER Question

Dear

Thanks for your reply. I just want to ask two questions:

1- You said the cluster license and internal/external IPs should be configured on the secondary box before it joins the primary box. My question is: if we are adding the secondary box to the cluster via serial console and it is at factory default, will it ask for the internal/external IP and license? Or can we configure the secondary box with license and internal/external IP and then add it to the cluster via the web console?

2- The primary box has the machine account on AD. After cluster formation:

- Could I change the machine account of the primary SSL VPN on AD? What do I need to do for this?

- When the cluster fails over to the secondary box, does this box automatically create its account on AD?

Many thanks

Frequent Contributor

Re: SSL VPN CLUSTER Question

1) Via console you can add the internal IP and external IP, but can't add the license. Once you configure the internal IP, log in via the admin GUI and then add your cluster license.
2) After the cluster is formed you can change the AD machine account at any time. Go to the AD auth server instance, click on "view advanced options", and then change your machine account.
Yes, the secondary box will automatically create its machine account during cluster failover.
Hope this helps.

Valued Contributor

Re: SSL VPN CLUSTER Question

1- You can add the secondary box to the cluster from the web console. Bring the box up - put in license, specify the pertinent information and then add it.

2- When the secondary box takes over it uses the config that was duplicated from the master box. That includes all AD information. You do need to edit any configuration information on the secondary box.

Regular Contributor

Re: SSL VPN CLUSTER Question

Thanks Rakeshb and Kevin for the explanation. But in the admin guide they say that if the box is at factory default, you can add it to the cluster through the serial console. I could not understand how, without putting the cluster license (which is only possible through the web console) onto the secondary box, we could add it to the cluster through the serial console?

Could you please explain it?

Thanks

Valued Contributor

Re: SSL VPN CLUSTER Question

The initial or primary cluster member must be added through the GUI. A secondary cluster member can indeed be added through the serial port assuming that you have done the necessary install steps to support this on the primary device.

These steps would include putting the secondary cluster license for that new cluster member onto the primary device. This device will push the license out to the secondary device when it attempts to join.

This works just fine. I have done it more than once. If you have any questions on this - ask away.