
SSL VPN Clustering over WAN non-layer2

r.joe.nelson_
New Contributor

Hi All

I'm wondering if anyone has ever configured, or if Juniper supports, clustering over a WAN using two 6500 devices. All documentation refers to a VIP on the external interface and a VIP on the internal interface being passed between the two devices. This indicates a layer 2 configuration where device A has an IP of 10.1.1.1, device B has 10.1.1.2 and the VIP is 10.1.1.4.

Can clustering be configured using layer 3, i.e. the device in datacentre 1 has an IP of 10.1.1.2 and the device in datacentre 2 has an IP of 20.1.1.2?

Note I have a gig dark fiber between datacentres, so I'm able to use either layer 2 or layer 3. However, layer 2 presents issues for routing traffic from the internal interfaces to the WAN and back: we have a firewall between the internal interface and the WAN, and any asymmetric routing on a firewall is treated as spoofed packets and dropped by the firewall.

Thanks in advance

AJA_
Frequent Contributor

Re: SSL VPN Clustering over WAN non-layer2

Hello,

Hope you are doing well.

SSL VPN supports 2 types of clustering:

1) Active / Passive

2) Active / Active

In an Active / Passive cluster, one node is active all the time and the secondary node is just passively listening; it will take over the active sessions when the primary node is down / not reachable. Only 2 nodes can participate in this cluster.

In an Active / Active cluster, more than 2 nodes can participate, and all the nodes are listening and serving users with connectivity to the resources on the SSL VPN devices. Which sessions are directed to which SSL VPN device in this cluster is decided by the load balancer.

NOTE:

An Active / Active cluster may serve your purpose.

Please go through the below document and check if that helps you.

http://www.juniper.net/techpubs/software/ive/guides/howtos/How_To_IVE_Cluster.pdf

Hope the above helps you.

Please mark this post as 'accepted solution' if this answers your question; that way it might help others as well. A kudo would be a bonus, thanks.

r.joe.nelson_
New Contributor

Re: SSL VPN Clustering over WAN non-layer2

Hi Thanks for the reply

I've read through all the Juniper information; the issue I have is the layer 2 clustering. We have 2x 6500 devices and global load balancers, so we are able to load balance across the Internet (WAN) to both external addresses.

The issue I have is routing on the internal side. ASCII example:

                        Global load balanced
Internet IP 62.1.1.1  6500            |  Internet IP 62.2.2.2  6500
--------------------------------------|--------------------------------------
Firewall                              |  Firewall
--------------------------------------|--------------------------------------
                        Layer 2 802.1q
SA external interface 10.10.10.1      |  SA external interface 10.10.10.2
--------------------------------------|--------------------------------------
SA internal interface 20.20.20.1/28   |  SA internal interface 20.20.20.2/28
                        Layer 2 802.1q
--------------------------------------|--------------------------------------
Firewall                              |  Firewall
--------------------------------------|--------------------------------------
WAN router DC1 30.30.30.1             |  WAN router DC2 40.40.40.1
--------------------------------------|--------------------------------------
________________________ LAN clients ___________________________

On the WAN router in DC1 I have to advertise the IP address range of the internal interface of the SA6500:

20.20.20.0/28 route via 30.30.30.1

On the WAN router in DC2 I have to advertise the IP address range of the internal interface of the SA6500:

20.20.20.0/28 route via 40.40.40.1

The issue is that you cannot route to the same IP address range (in this case 20.20.20.0/28) through two different routes; this causes asymmetric routing issues. However, I know I could route as such:

WAN router DC1: 20.20.20.1/32 route via 30.30.30.1, meaning that to access 20.20.20.1, which is always in DC1, you go via WAN router 30.30.30.1; and the same for WAN router DC2: 20.20.20.2/32 via 40.40.40.1, meaning DC2 SA traffic would always go via the DC2 WAN. So this is good for an Active/Active SA6500 approach. Active/Standby with a VIP would never work across a WAN, as the single virtual IP address would move between two devices, causing asymmetric routing issues. However, this fix only allows us to use the SA in IVE mode, i.e. proxy.

Once I introduce Network Connect and DHCP addressing I have a huge issue, as I need to advertise the DHCP client addresses out of both the DC1 and DC2 WAN routers.

Hope this makes sense.

Regards
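The asymmetric-routing argument in the post above, as an added illustration (example code, not from the original thread or from Juniper): a small longest-prefix-match lookup modelling what the LAN core sees in each of the three routing arrangements described. Proxy (IVE) mode replies go back to an SA internal interface address, while Network Connect replies go to the client's pool address, which is why the /32 host routes rescue the first case but not the second. The 172.16.100.0/24 Network Connect pool and the equal-cost treatment of a prefix advertised from both DCs are assumptions, not values from the thread.

```python
import ipaddress

# Constructed routing tables for the topology in the post (added example; not from the thread).
# Each entry is (prefix, next_hop). A prefix advertised by both DC routers appears twice,
# once per next hop, as a LAN core router receiving equal-cost routes would hold it.
DC1 = "30.30.30.1"  # WAN router DC1 from the diagram
DC2 = "40.40.40.1"  # WAN router DC2 from the diagram

# Case 1: both DCs advertise the whole SA internal /28.
SHARED_PREFIX = [
    ("20.20.20.0/28", DC1),
    ("20.20.20.0/28", DC2),
]

# Case 2: each DC advertises only the /32 of the SA node it hosts.
HOST_ROUTES = [
    ("20.20.20.1/32", DC1),
    ("20.20.20.2/32", DC2),
]

# Case 3: host routes plus one Network Connect client pool (172.16.100.0/24 is an
# assumed value). A lease can be handed out by either node, so both routers advertise it.
NC_POOL = HOST_ROUTES + [
    ("172.16.100.0/24", DC1),
    ("172.16.100.0/24", DC2),
]


def build_table(routes):
    """Parse (prefix, next_hop) pairs into ip_network objects."""
    return [(ipaddress.ip_network(prefix), nh) for prefix, nh in routes]


def lookup(routes, dst):
    """Longest-prefix match. Returns the set of next hops tied at the most specific prefix.
    More than one entry means the core may forward via either DC (ECMP or flow hashing),
    which is exactly the condition that sends a reply through the other DC's firewall."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in build_table(routes) if addr in net]
    if not matches:
        return set()
    best = max(net.prefixlen for net, _ in matches)
    return {nh for net, nh in matches if net.prefixlen == best}


def return_path_symmetric(routes, dst, entry_dc):
    """True only if the LAN core has a single candidate next hop for dst and it is the DC
    the flow entered through. Otherwise the stateful firewall in that DC may never see the
    reply and drops the flow as spoofed, as described in the thread."""
    return lookup(routes, dst) == {entry_dc}


if __name__ == "__main__":
    # Proxy (IVE) mode: replies are addressed to the SA internal interface that sourced them.
    for label, routes in (("shared /28", SHARED_PREFIX), ("/32 host routes", HOST_ROUTES)):
        for sa_ip, dc in (("20.20.20.1", DC1), ("20.20.20.2", DC2)):
            print(f"{label:16} reply to {sa_ip} via {sorted(lookup(routes, sa_ip))} "
                  f"symmetric={return_path_symmetric(routes, sa_ip, dc)}")
    # Network Connect: replies are addressed to the client's pool address, not the SA node.
    client = "172.16.100.23"  # constructed client lease from the assumed pool
    print(f"NC client {client} via {sorted(lookup(NC_POOL, client))} "
          f"symmetric={return_path_symmetric(NC_POOL, client, DC1)}")
```

Run it as a script to see each case printed; the shared /28 and the Network Connect pool both yield two candidate next hops, while the /32 host routes pin each SA node to its own DC.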

michael.saw_
Regular Contributor

Re: SSL VPN Clustering over WAN non-layer2

Can a pair of Juniper SSL VPN devices support Cluster over WAN?
zanyterp_
Respected Contributor

Re: SSL VPN Clustering over WAN non-layer2

Active/active, yes, as long as there is very low latency (the info should be available in the admin guide).

SF_Dan_
Frequent Contributor

Re: SSL VPN Clustering over WAN non-layer2

Yes. I have 3 6500 appliances clustered active/active and they are located in separate states. As zanyterp mentioned, latency does need to be very low or you will have issues.

Thanks,

Dan