02-28-2012 12:12 AM
I have a question about clustering. I have two SAs configured with the internal interface only and NATed on the firewall.
sa-1 - 10.10.1.100
sa-2 - 10.10.1.102
I would like to configure active/passive failover,
so I created a cluster; both members are active.
To configure it I need to assign a VIP IP, so 10.10.1.200.
Then I reconfigured NAT on the firewall (for the VIP IP) and it's not working (can't telnet to the HTTPS port).
Is this the right way to configure it?
02-29-2012 02:37 AM
If you have an A/P cluster configured with a VIP address, can you ping and connect to the VIP IP from the internal network, i.e. avoiding the NAT?
If that works OK, can you ping through the NAT address to the VIP?
It might be that another device is configured for the VIP address so the connections are not arriving at the SA. TCPdumping on the Active member should show if any traffic is arriving and what the SA is responding with.
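
An added example, not part of the thread: a small Python helper that reads `tcpdump -nn` text output captured on the active member and reports whether SYNs for the VIP's HTTPS port arrive, how they are answered, and whether more than one MAC answers ARP for the VIP. The function name, verdict labels and sample capture are assumptions constructed for illustration; only the VIP 10.10.1.200 comes from the question.

```python
import re

VIP, PORT = "10.10.1.200", 443  # VIP from the thread; HTTPS port

# Matches tcpdump -nn text lines for TCP over IPv4.
TCP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")
# Matches ARP replies, which reveal which MAC claims an address.
ARP_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")

def diagnose(lines, vip=VIP, port=PORT):
    """Summarise whether SYNs reach the VIP and how the appliance answers."""
    syn_in = synack_out = rst_out = 0
    vip_macs = set()
    for line in lines:
        arp = ARP_RE.search(line)
        if arp and arp.group(1) == vip:
            vip_macs.add(arp.group(2).lower())
            continue
        tcp = TCP_RE.search(line)
        if not tcp:
            continue
        src, sport, dst, dport, flags = tcp.groups()
        if dst == vip and int(dport) == port and flags == "S":
            syn_in += 1
        elif src == vip and int(sport) == port:
            if flags == "S.":
                synack_out += 1
            elif "R" in flags:
                rst_out += 1
    if syn_in == 0:
        verdict = "no_traffic"   # NAT, routing, or another host owns the VIP
    elif synack_out:
        verdict = "answered"     # the path to the VIP works
    elif rst_out:
        verdict = "refused"      # packets arrive, nothing listening on the VIP
    else:
        verdict = "unanswered"   # packets arrive, reply missing or misrouted
    return {"verdict": verdict, "syn_in": syn_in,
            "vip_conflict": len(vip_macs) > 1, "vip_macs": sorted(vip_macs)}

# Constructed sample capture (not from the thread): retransmitted SYNs, no
# reply, and two different MACs answering ARP for the VIP.
SAMPLE = """\
12:00:01.000001 IP 192.0.2.10.51514 > 10.10.1.200.443: Flags [S], seq 100, win 64240, length 0
12:00:02.000400 IP 192.0.2.10.51514 > 10.10.1.200.443: Flags [S], seq 100, win 64240, length 0
12:00:02.100000 ARP, Reply 10.10.1.200 is-at 00:00:5e:00:53:01, length 46
12:00:02.100900 ARP, Reply 10.10.1.200 is-at 00:00:5e:00:53:02, length 46
""".splitlines()

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```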