
active/passive config question

lapluk_
Contributor

Hi,

I have a question about clustering. I have two SAs configured with internal interface only and NATted on the firewall.

sa-1 - 10.10.1.100

sa-2 - 10.10.1.102

I would like to configure active/passive failover.

So I created a cluster; both members are active.

To configure it I need to assign a VIP IP, so 10.10.1.200.

Then I reconfigured NAT on the firewall (for the VIP IP) and it's not working (can't telnet to the HTTPS port).

Is it the right way to configure it?

Thanks

SHKM_
Frequent Contributor

Re: active/passive config question

Hi,

If you configure NAT for one of the SA IPs (not the VIP), are you able to connect to the SA UI via HTTPS using the NATted IP?

Thanks,

Suresh

lapluk_
Contributor

Re: active/passive config question

Yes.

When NAT is configured for 10.10.1.100, I can access the external IP address and log in.

MattS_
Frequent Contributor

Re: active/passive config question

If you have an A/P cluster configured with a VIP address, can you ping and connect to the VIP IP from the internal network, i.e. avoiding the NAT?

If that works OK, can you ping through the NAT address to the VIP?

It might be that another device is configured for the VIP address so the connections are not arriving at the SA. TCPdumping on the Active member should show if any traffic is arriving and what the SA is responding with.

lapluk_
Contributor

Re: active/passive config question

When A/P is configured I can ping the VIP IP address from internal.

I can't ping the NATted IP because only HTTPS is permitted.

I can catch traffic to see hits.

MattS_
Frequent Contributor

Re: active/passive config question

Is the Active SA responding to the requests to the VIP address? Are there any routes on the SA that might affect the communication?

srigelsford_
Contributor

Re: active/passive config question

Pop source NAT on your firewall rule too to rule out any routing getting back to outside of your firewall. It sounds as though this is the likely cause.

zanyterp_
Respected Contributor

Re: active/passive config question

Is there anything doing proxy ARP? While I haven't seen this specific issue with that, this will cause disruptions in the cluster.