i have a question about clustering. i have two sa's configured with internal interface only and natted on firewall.
sa-1 - 10.10.1.100
sa-2 - 10.10.1.102
i woudl like to configure active/pasive failover
so i created cluseter, both members are active.
to configure it i need to assign vip ip - so 10.10.1.200
then i reconfigured nat on firewall (for vip ip) and it's not working (cant telnet to https port)
is it right way to configure it
If you configure NAT for one of the SA IPs (not the VIP) are you able to connect to SA UI via https using natted ip?
when nat is configured for 10.10.1.100 - i can access external ip address and log in.
If you have an A/P cluster configured with a VIP address, can you ping and connect to the VIP IP from the internal network, i.e. avoiding the NAT?
If that works OK, can you ping through the NAT address to the VIP?
It might be that another device is configured for the VIP address so the connections are not arriving at the SA. TCPdumping on the Active member should show is any traffic is arriving and what the SA is responding with.
when a/p is configured i can ping vip ip address from internal
i can't ping natted ip because only https is permited
i can catch traffic to see hits
Is the Active SA responding to the requests to the VIP address? Are there any routes on the SA that might effect the communication?
Pop source NAT on your firewall rule too to rule out any routing getting back to outside of your firewall. It sounds as though this is the likely cause.