SSL VPN Clustering over WAN non-layer2


Hi All

I'm wondering if anyone has ever configured, or if Juniper supports, clustering over a WAN using two 6500 devices. All documentation refers to a VIP on the external interface and a VIP on the internal interface being passed between the two devices. This indicates a layer2 configuration where device A has IP of , device B has , and VIP being

Can clustering be configured using layer3, i.e. device in datacentre 1 has IP of , device in datacentre 2 has IP of ?

Note I have a gig dark fiber between datacenters, so I'm able to use either layer2 or layer3; however, layer2 presents issues for routing traffic from internal interfaces to the WAN and back, as we have a firewall between the internal interface and the WAN, and any asymmetric routing on a firewall is treated as spoofed packets and dropped by the firewall.

Thanks in advance

Re: SSL VPN Clustering over WAN non-layer2


SSL VPN supports 2 types of clustering:

1) Active / Passive

2) Active / Active

In an Active / Passive cluster, one node is active all the time and the secondary node is just passively listening and will take over the active sessions when the primary node is down / not reachable. Only 2 nodes can participate in this cluster.

In an Active / Active cluster, more than 2 nodes can participate, and in this cluster all the nodes are listening and serving users with connectivity to the resources on the SSL VPN devices. Which SSL VPN device in the cluster a session is directed to is decided by the Load Balancer.


Active / Active cluster may solve your purpose.

Please go through the below document and check if that helps you.

Re: SSL VPN Clustering over WAN non-layer2

Hi, thanks for the reply.

I've read through all the Juniper information; the issue I have is the layer2 clustering. We have 2x 6500 devices and global load balancers, so we are able to load balance across the Internet (WAN) to both external addresses.

The issue I have is routing on the internal side. ASCII example:

    Global Load balanced

    Internet IP 6500              |  Internet IP 6500
    Firewall                      |  Firewall
    ------------------------------|------------------------------
    Layer2 802.1q
    SA External interface         |  SA External interface
    SA Internal interface         |  SA Internal interface
    Layer2 802.1q
    Firewall                      |  Firewall
    WAN router DC1                |  WAN router DC2
    ------------------------------|------------------------------
    ______________________ LAN clients ______________________

On the WAN router in DC1 I have to advertise the IP address range of the internal interface of the SA6500, route via

On the WAN router in DC2 I have to advertise the IP address range of the internal interface of the SA6500, route via

The issue is you cannot route to the same IP address range (in this case "") through two different routes; this causes asymmetric routing issues. However, I know I could route as such:

WAN router DC1: route via , meaning to access (which is always in DC1) go via the DC1 WAN router; and the same for WAN router DC2: access via , meaning DC2 SA traffic would always go via the DC2 WAN. So this is good for an Active/Active SA6500 approach; Active/Standby with a VIP would never work across a WAN, as the single virtual IP address would move between two devices, causing asymmetric routing issues. However, this fix only allows us to use the SA in IVE mode, i.e. proxy.

Once I introduce Network Connect and DHCP addressing I have a huge issue, as I need to advertise the DHCP client addresses out of both the DC1 WAN and DC2 WAN routers.

Hope this makes sense.
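The asymmetric-routing problem described in the post above, as an added worked example that is not part of this thread and not Juniper's code. It models the LAN core as a longest-prefix-match route table fed by the two WAN routers and asks, for each VPN session, whether the return traffic re-enters the LAN through the same data centre's firewall that saw the forward traffic. The prefixes, metrics and client addresses are constructed; the model assumes the LAN core breaks a tie between equal prefixes by lowest metric, so a Network Connect pool advertised from both DCs is always returned via DC1.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop_dc: str   # data centre whose WAN router advertised the prefix
    metric: int        # constructed IGP cost as seen by the LAN core; lower wins


def lookup(routes, addr):
    """Longest-prefix match, ties broken by lowest metric.

    Returns the data centre whose WAN router (and therefore whose firewall)
    the LAN core will send return traffic for `addr` through, or None if
    no route covers the address.
    """
    ip = ipaddress.ip_address(addr)
    candidates = [r for r in routes if ip in r.prefix]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))
    return best.next_hop_dc


def flow_is_symmetric(routes, serving_dc, client_addr):
    """A session served by the SA in `serving_dc` enters the LAN through that
    DC's firewall.  A stateful firewall only keeps the flow alive if the LAN's
    return path for `client_addr` comes back through the same DC; otherwise
    the other DC's firewall sees replies for a flow it never saw start and
    drops them as spoofed.
    """
    return lookup(routes, client_addr) == serving_dc


def check_sessions(routes, sessions):
    """Evaluate (serving_dc, client_addr) pairs; True means the flow survives."""
    return [(dc, addr, flow_is_symmetric(routes, dc, addr)) for dc, addr in sessions]


# Scenario A (constructed): one shared Network Connect pool advertised by both
# WAN routers.  The LAN core prefers DC1 for the whole pool.
SHARED_POOL_ROUTES = [
    Route(ipaddress.ip_network("10.50.0.0/24"), "DC1", metric=10),
    Route(ipaddress.ip_network("10.50.0.0/24"), "DC2", metric=20),
]
SESSIONS_SHARED = [("DC1", "10.50.0.11"), ("DC2", "10.50.0.77")]

# Scenario B (constructed): each data centre advertises only the pool its own
# SA hands out, so return traffic always lands on the firewall that saw the
# forward direction.
SPLIT_POOL_ROUTES = [
    Route(ipaddress.ip_network("10.50.1.0/24"), "DC1", metric=10),
    Route(ipaddress.ip_network("10.50.2.0/24"), "DC2", metric=10),
]
SESSIONS_SPLIT = [("DC1", "10.50.1.11"), ("DC2", "10.50.2.77")]


if __name__ == "__main__":
    for name, routes, sessions in (
        ("shared pool", SHARED_POOL_ROUTES, SESSIONS_SHARED),
        ("split pools", SPLIT_POOL_ROUTES, SESSIONS_SPLIT),
    ):
        print(name)
        for dc, addr, ok in check_sessions(routes, sessions):
            print(f"  served by {dc}, client {addr}: "
                  f"{'symmetric, passes firewall' if ok else 'ASYMMETRIC, dropped'}")
```

In scenario A the session served by DC2 fails: its replies are routed to DC1's firewall, which has no state for the flow. Scenario B is the per-DC address split the post already applies to the SA internal interfaces, extended to the Network Connect pools so that each DC advertises only addresses its own appliance assigns.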


Re: SSL VPN Clustering over WAN non-layer2

Can a pair of Juniper SSL VPN devices support Cluster over WAN?

Re: SSL VPN Clustering over WAN non-layer2

Active/active, yes, as long as there is very low latency (the info should be available in the admin guide).

Re: SSL VPN Clustering over WAN non-layer2

Yes. I have 3 6500 appliances clustered active/active and they are located in separate states. As zanyterp mentioned, latency does need to be very low or you will have issues.