SSL VPN
Contributor
lapluk
Posts: 69
Registered: 08-01-2011

active/passive config question

Hi,

I have a question about clustering. I have two SAs configured with the internal interface only and NATted on the firewall.

sa-1 - 10.10.1.100

sa-2 - 10.10.1.102

I would like to configure active/passive failover.

So I created a cluster; both members are active.

To configure it I need to assign a VIP IP, so 10.10.1.200.

Then I reconfigured NAT on the firewall (for the VIP IP) and it's not working (can't telnet to the HTTPS port).

Is this the right way to configure it?

Thanks

Moderator
SHKM
Posts: 122
Registered: 03-13-2008

Re: active/passive config question

Hi,

If you configure NAT for one of the SA IPs (not the VIP), are you able to connect to the SA UI via HTTPS using the NATted IP?

Thanks,

Suresh

Contributor
lapluk
Posts: 69
Registered: 08-01-2011

Re: active/passive config question

Yes.

When NAT is configured for 10.10.1.100, I can access the external IP address and log in.

Recognized Expert
MattS
Posts: 205
Registered: 11-06-2007

Re: active/passive config question

If you have an A/P cluster configured with a VIP address, can you ping and connect to the VIP IP from the internal network, i.e. avoiding the NAT?

If that works OK, can you ping through the NAT address to the VIP?

It might be that another device is configured for the VIP address, so the connections are not arriving at the SA. Running tcpdump on the Active member should show if any traffic is arriving and what the SA is responding with.

Contributor
lapluk
Posts: 69
Registered: 08-01-2011

Re: active/passive config question

When A/P is configured I can ping the VIP IP address from internal.

I can't ping the NATted IP because only HTTPS is permitted.

I can catch traffic to see hits.

Recognized Expert
MattS
Posts: 205
Registered: 11-06-2007

Re: active/passive config question

Is the Active SA responding to the requests to the VIP address? Are there any routes on the SA that might affect the communication?

Super Contributor
srigelsford
Posts: 203
Registered: 04-14-2008

Re: active/passive config question

Pop source NAT on your firewall rule too, to rule out any routing getting back to the outside of your firewall. It sounds as though this is the likely cause.
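Added example, not part of the thread and not from any of the posters: a small Python script that applies MattS's suggestion (tcpdump on the Active member, look at what the SA replies with) and srigelsford's return-path point mechanically. It parses `tcpdump -nn` output for HTTPS connections to the VIP and, for each client SYN, reports whether the active member answered with a SYN-ACK from the VIP, answered from some other address, sent a reset, or did not answer at all. The capture lines, the client addresses and the timings are constructed for the example; the VIP 10.10.1.200 is the one from the thread. The hints attached to each verdict are the suspects raised in this thread (firewall NAT rule, another device answering for the VIP, routes on the SA, source NAT on the firewall rule), not a diagnosis of the original poster's setup.

```python
"""Classify TCP handshakes to an SSL VPN cluster VIP from tcpdump output.

Added example for this thread. The sample capture below is constructed,
not a real trace. The filter used is `tcp port 443` rather than
`host <VIP>` so that a reply the SA sends from a member address instead
of the VIP is not filtered out of the capture.
"""
import re
import sys
from collections import defaultdict

VIP = "10.10.1.200"   # cluster VIP from the thread
HTTPS = 443

# Constructed sample in the format of
#   tcpdump -nn -l -i <internal-if> tcp port 443
# taken on the Active member. Three clients, three different outcomes:
# one clean handshake, one SYN (retransmitted) with no reply at all, and
# one SYN answered from the member IP 10.10.1.100 instead of the VIP.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.51514 > 10.10.1.200.443: Flags [S], seq 100, win 64240, length 0
12:00:01.000200 IP 10.10.1.200.443 > 203.0.113.10.51514: Flags [S.], seq 200, ack 101, win 65535, length 0
12:00:02.000001 IP 198.51.100.7.40000 > 10.10.1.200.443: Flags [S], seq 300, win 64240, length 0
12:00:03.000001 IP 198.51.100.7.40000 > 10.10.1.200.443: Flags [S], seq 300, win 64240, length 0
12:00:04.000001 IP 192.0.2.5.55000 > 10.10.1.200.443: Flags [S], seq 400, win 64240, length 0
12:00:04.000150 IP 10.10.1.100.443 > 192.0.2.5.55000: Flags [S.], seq 500, ack 401, win 65535, length 0
"""

# One tcpdump -nn line: timestamp, "IP", src.port > dst.port: Flags [..]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# What each verdict usually means, in terms of the checks raised in the thread.
HINTS = {
    "no_syn_arrived": "No SYN to the VIP seen on the Active member: traffic is not "
                      "reaching it. Check the firewall NAT rule, and whether another "
                      "device (or a proxy ARP) is answering for the VIP address.",
    "syn_arrived_no_reply": "SYN reached the SA but no SYN-ACK or RST left on this "
                            "interface: check the SA's routes back to the client "
                            "address; source NAT on the firewall rule makes the return "
                            "path point at the firewall instead.",
    "replied_from_other_address": "SA answered from a member IP, not the VIP; the reply "
                                  "will not match the firewall's NAT session for the VIP.",
    "reset": "SA refused the connection with RST: nothing is listening on that VIP/port.",
    "handshake_ok": "SYN-ACK sent from the VIP; the cluster side of the path works.",
}


def parse_capture(text):
    """Turn tcpdump -nn lines into dicts; lines that are not TCP packets are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            pkts.append(p)
    return pkts


def classify_handshakes(text, vip=VIP, port=HTTPS):
    """Map (client_ip, client_port) -> verdict for every SYN sent to vip:port."""
    syns = {}                       # dict keeps insertion order and dedups retransmits
    replies = defaultdict(list)     # keyed by the client (ip, port) the reply went to
    for p in parse_capture(text):
        if p["dst"] == vip and p["dport"] == port and p["flags"] == "S":
            syns[(p["src"], p["sport"])] = p
        elif p["sport"] == port and p["flags"] in ("S.", "R", "R."):
            replies[(p["dst"], p["dport"])].append(p)
    verdicts = {}
    for client in syns:
        reps = replies.get(client, [])
        if not reps:
            verdicts[client] = "syn_arrived_no_reply"
        elif any(r["flags"] == "S." and r["src"] == vip for r in reps):
            verdicts[client] = "handshake_ok"
        elif any(r["flags"] == "S." for r in reps):
            verdicts[client] = "replied_from_other_address"
        else:
            verdicts[client] = "reset"
    return verdicts


def summarize(verdicts):
    """Distinct verdicts in sorted order, or the 'nothing arrived' case."""
    if not verdicts:
        return ["no_syn_arrived"]
    return sorted(set(verdicts.values()))


if __name__ == "__main__":
    # Pipe real output in (tcpdump -nn -l ... | python3 vip_check.py) or run the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    verdicts = classify_handshakes(data)
    for client, verdict in verdicts.items():
        print("%s:%d  %s" % (client[0], client[1], verdict))
    for verdict in summarize(verdicts):
        print("-", verdict, ":", HINTS[verdict])
```

Feed it whatever capture you take on the Active member (the `-nn -l` flags give it unresolved addresses line by line; a saved pcap can be replayed with `tcpdump -nn -r file.pcap tcp port 443`). An RST or a SYN-ACK from the VIP proves the packets reach the cluster and the SA's answer leaves on that interface, which moves the search to the firewall; a SYN with no reply at all is the case where srigelsford's source NAT suggestion is the quickest test, because it removes any dependence on the SA's routing table for the return path.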

Moderator
zanyterp
Posts: 2,263
Registered: 11-19-2007

Re: active/passive config question

Is there anything doing proxy ARP? While I haven't seen this specific issue with that, it will cause disruptions in the cluster.
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.