Hi Can internal port be connected to a different swtich so that when one switch fails, other switch can provide connectivity? Or the internal ports must be connected tot he same switch? Thanks, ... View more

I did the following to login successfully. Network Connect loaded fine. 1. Reset Safari. Safari menu -> Reset Safari_ 2. Open Java Preference (Applications - Utilities) and check 'Enable apple plug-in and Web Start Applications._ I hope this is helpful... ... View more

Update: I have removed SA2 and it is at a new location. SA1 is still active/passive cluster and I will remove it from the cluster soon and assign the VIP addresses to internal and external interfaces. Can changing the IP address of the interfaces be done remotely? Or do I need to have access to the console port? My concern is that I will lose remote access and I will have to be near the device physically. I am assuming that after changing the internal IP address and click 'Save', I will lose the connection. Can I reconnect using the new IP address? Thanks, ... View more

A couple of more questions. 1. When the SA2 joins the cluster, the configuration will be copied from the SA1. Will this erase the new IP address of the network interfaces? on page 881 of the adminguide, it says, 'existing node-specific settings are erased when an IVE joins a cluster'. My concern is that I will not be able to access the SA2 remotely after the SA2 joins the cluster since it will erase the inside interface IP address. Does this mean I have to physically next to the SA2 in order to change the IP address back? 2. in active/active, when the SA1 goes down, will connected users be statefully failover to the SA2? Or will they need to reconnect? Thanks, ... View more

I think I am getting to the point where I feel comfortable to go ahead with the changes. I was going to move the SA2 to a new data center after upgrading IVE to the latest version while IVEs are active/passive. However I was asked to move the SA2 as soon as I can before the IVE upgrade._ I suppose I can upgrade IVEs after removing them from the A/P cluster Here are the steps I will take and I hope I got it all correct. 1. Remove the SA2 from A/P cluster and configure it for the new data center, i.e) change IP address of both interfaces, configure DHCP pool for NC clients, default gateway, etc... I understand that I can't connect to this until I create a A/A cluster on the SA1 and make the SA2 a member_ 2. Remove the SA1 from A/P cluster which will eliminates the cluster. Changes the IP address of inside and outside to VIP addresses so that it continues to provide services to clients. I suppose reboot is not required. At this point, the SA1 is the standalone device. Would changes, e.g.) user accounts and NC access policies, made to the SA1 while standalone will be copied to the SA2 when I create A/A cluster and make the SA2 a member?_ 3. Once required information is entered on the GTM and necessary DNS changes are made, then I can create A/A cluster._ Would creating a A/A cluster cause an outage? Some additional questions. 4. Would the device certificate remain installed on both SA1 and SA2 when I remove them from the cluster? 5. I would have to recreate User Record Synchronization since there are IP address changes to both devices.Should I remove it before removing them from A/P cluster?_ Thanks, ... View more

Thanks again for the information. I have been assigned to other tasks last two weeks so I could not post. Questions, ... View more

Thank you for your detailed response and this is very helpful. Obviously I have follow-up questions. 1) I donÕt know why admin guide version 7.0 page 887 and the article KB3179 has a diagram showing as if a/a cluster requires a VIP. So you are saying DNS Name, https://vpn.company.com will point to the external IP addresses of both devices. In this case, SA1 will be contacted first and SA2 will be in failover mode. 2) In the first step, you stated that Ôremove both the active (SA1) and passive (SA2) from the A/P clusterÕ. Instead of removing both, can I just remove the SA2 only so that the SA1 continue to provide service? While the SA1 provide continued services, I can physically move the SA2 to the new data center, the location is about 40 minute drive from where the SA2 is currently located. So far, there is no outage. 3) Once the SA2 is ready at the new data center, can I use the external IP address to test the login to the SA, instead of creating a DNS entry as you mentioned? Same for the SA1, can I use the IP address to test? 4) Once the test is successful, I can go ahead with configuring A/A clustering on SA1 and add the SA2 to the cluster configuration. The DNS name, https://vpn.company.com is pointing to cluster VIP say, 199.199.199.199 in A/S configuration, Can I assign the IP address, 199.199.199.199 to the external interface of the SA1 so that I donÕt have to change the DNS name to point to a different IP address. If I assign 199.199.199.100 to the external interface of the SA2, then I will have to update the DNS name to point to the new IP address, 199.199.199.100. Thanks ... View more

The project, converting active/passive to active/active is back, on again. To recap, the primary purpose of the conversion using F5 Big-IP GTM is to provide redundancy/failover. We have 2 SAs in an active/passive cluster in a data center. A passive SA will be moved to a new data center. So if one data center is not available or resources are not reachable I the data center, the GTM will direct incoming requests to available data center. I believe this requires cluster VIP and cluster hostname must be entered into the GTM. The article KB3179 on page 3 displays a diagram shows that cluster VIP and hostname. Here is my plan to configure them as active/passive cluster. I would appreciated if you let me know if I am missing steps or wrong. Shutdown the passive device and keep the active intact in order to continue to service requests. Move it over to a new data center. Change 1) IP addresses for both inside and outside interfaces 2) DHCP IP Pool 3) Static routes 4) cluster type Ð may have to recreate a cluster with active/active Test the device at the new data center using the GTM. To test I guess I will have to assign a cluster IP address to the GTM and the GTM directs requests to the new data center only. Question Ð can the cluster IP address can be in the same subnet as outside interface of the SA? Once the test is successful, then I will schedule an outage to configure the remaining device. 1) change the cluster type Ð joint the active/active cluster created on the SA in the new data center 2) have DNS hostname to point to the new cluster IP. Can you explain what the difference is DNS load balancing vs. geographic load balancing? You mentioned that you don't recommend the DNS load balancing because it is inconsistent with Network Connect. How do I avoid doing DNS load balancing? Thanks, ... View more

We will not have interfaces in the same subnet after the migration. Each data center will have unique IP addresses. The currently A/P shares NC pool but we will have two NC pool, one pool each data center and static route in default gateway points to internal VIP. It appears that we will not need internal VIP in A/A cluster. However, it seems we will have to enter external cluster VIP and cluster hostname in our load balancer. Donald ... View more

Thanks for your response. Currently we have extended VLANS across data centers so each interfaces are in the same subnet. I have found that we have a BIG-IP GTM from F5 and I was told that the IP addresses of the external interfaces of both devices must be entered into the GTM. I also think that hostname/URL and VIP must be entered as well? Here is what I plan to do for the move and correct me if I am wrong or missing something. I think we can avoid downtime/outage until two devices are ready for active/active cluster configuration. 1) SA-6500 that will be moved is not active and break the cluster. Bring it offline. Call this device Node 2 2) The other node, called Node 1, will continue to provide service as a single node. Therefore no outage ----------The following are steps to configure the Node 2 and test the connection using External Load Balancer------------ 3)Bring the Node 2 online in the new data center 4)Configure Node 2 network settings such as IP addresses, DHCP IP Pool, hostname, etc... 5) Enter external IP address and VIP into the load balancer 6)Test the connection from Internet thru load balancer using VIP. 7)If the test is successful, schedule downtime for active/active cluster setup. 8)During the setup, hostname/url and the Node 1 external IP address will be entered to the load balancer Hopefully these are all the steps are needed to configure active/active cluster. Thanks, ... View more

Please correct me if I am wrong. Here SA1 is a lone device in active/passive cluster. I am scheduled to change the IP address of internal and external IP address of the SA1. While I change the IP addresses,Can I create active/active cluster even though an external load balancer is not ready? For instance, when a user enters company.vpn.com, which resolves to the IP address of the external interface of SA1, then I don't whey the user can't connect. Later when the load balancer is ready, DNS team can make changes so the company.vpn.com directed to the load balancer instead of the SA1. Am I on the right path? Thanks ... View more

Great. thanks, so I don't have to travel to the site to make IP changes. I will definitely do that ... View more