How to Properly Cluster 2 Devices?

  • OK, so here is our setup: we have 2 Juniper SA2500 devices called SSLVPN1 and SSLVPN2.  One of them is on our local network here in the building with a 172.16 IP and is the only one actively used by anybody, and the other is on the network in our co-location offsite with a 192.168 IP and is only for backup/testing thus far.  They both have the same configs except of course 2 different hostnames and 2 different IPs, internal and external, and they both work.  Meaning I can go to and log in fine, and and log in fine as always.

    My boss is wanting us to look at clustering them for failover, but I'm kind of confused on how this works.  What we are wanting, and I’m not sure if this is actually how it works, is when the users go to the external site to login it of course hits our SSLVPN1 box here, but if this box for some reason goes down we would still want it to work for them if they go to that same site, but it’s actually hitting the 2nd SSLVPN2 box.  My first thought was to simply set up a 2nd external DNS record for SSLVPN1 but point it to the external IP of the 2nd backup box.  However, I have done similar things before and always find that when you have 2 records with the same name but for different IPs the clients seem to randomly hit one or the other.  Meaning if we did this I’m pretty sure we’d start seeing clients resolve SSLVPN1 to that 2nd box, maybe because it responded quicker or something, which is not what we want, simply because we don’t really have that many users, so I’m not interested in having clustering for performance reasons.  We really only want it to be for failover in case SSLVPN1 goes down.  Also, I know because of DNS caching on the client end, even if we had it set up like this and SSLVPN1 went down, people would still have that SSLVPN1 record cached to the first box that is no longer responding at the time and they wouldn’t even try hitting that 2nd box, so they’d be calling into helpdesk anyway, which negates the point of even having this all set up.

    My thinking is I would rather just tell everybody “Hey, if for some reason you ever find that you cannot access then we have a backup, so just use”.  We could always still use clustering, I guess, just so that the configs and users stay the same between the 2, but we have so few users using this (probably less than 150) that I could simply just remember to add new users or make changes on both if we ever need to, so I don’t see the point of going through all this hassle of clustering.

    Sorry for rambling, and I hope this makes sense.  Could somebody please just tell me: is there something I’m not thinking of to make it work how my boss wants it to, or do you also agree with my thinking of just telling people hey, we have a backup?

  • Yes, really easy.
    But I think I would stay on two separated devices if possible.
    So you can easily test new IVE releases without headache…
    If your primary IVE system fails, you can change the IP of your second device by hand and reload your IVE config backups.

    The only advantage of cluster is the “automatism”.
    Anyway - it runs really nice and stable, I simply love it.

  • Thanks for the info.  I read up on how to set it up for active/passive and I see basically it then uses a virtual IP that works for both of them internally; if one fails it auto fails over, that’s exactly what he was wanting.  Guess we’ll give it a shot, thanks!

  • For clustering, you need a cluster license.
    You can use an active/passive or active/active scenario.
    We use active/passive and it works fine, very easy to configure, just some mouse clicks.
    If the cluster is moving often from one node to the other without a cause, increase the ARP ping timeout value on the network interfaces tab.

    In the active/active scenario, you need an external load balancer.

    That's the only clustering that makes sense - playing around with DNS records is not good. You also will not have the same config/user records etc. on both machines if they don't synchronize config automatically between them.

    If you build a cluster, you won't have the second IVE system for testing anymore. I think your method with two separate IVEs with two DNS names is nice - if the primary IVE fails, users have to go manually to the other node. But hey - when does an IVE ever fail? There are thousands of IVE clusters in the world, and I bet that 95% of the backup nodes are NEVER used. 🙂
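The two objections to duplicate A records raised in the opening post and echoed in the last reply (random selection between the records, and clients keeping a cached answer for the dead node) can be made concrete with a small simulation. This is an added example, not code from the thread or from Juniper; the hostname, addresses and TTL are constructed placeholders, and the cluster case assumes only that the virtual IP moves to the surviving node.

```python
"""Why two A records for one hostname are not failover: an added example.

Not from the original thread. Simulates clients with a resolver cache
(TTL) querying a zone that returns the A records in random order, then
counts who still lands on the dead node after SSLVPN1 goes down.
Hostname, addresses and TTL below are constructed placeholders.
"""
import random
from dataclasses import dataclass, field

NAME = "vpn.example"          # constructed hostname
PRIMARY = "203.0.113.10"      # constructed external IP for SSLVPN1
BACKUP = "203.0.113.20"       # constructed external IP for SSLVPN2
VIP = "203.0.113.30"          # constructed cluster virtual IP
TTL = 3600                    # one-hour record TTL


@dataclass
class Client:
    """A user's machine; cache maps name -> (ip, expiry time)."""
    cache: dict = field(default_factory=dict)

    def resolve(self, zone, now, rng):
        """Serve from cache while the TTL is valid, else query and cache."""
        hit = self.cache.get(NAME)
        if hit and hit[1] > now:
            return hit[0]
        records, ttl = zone[NAME]
        ip = rng.choice(records)          # round-robin: any answer may come first
        self.cache[NAME] = (ip, now + ttl)
        return ip


def failed_logins(zone, up_after_failover, retry_at, n=1000, seed=7):
    """Clients resolve once while all is healthy, then SSLVPN1 dies and they
    retry at time `retry_at`; return how many hit an address nobody answers."""
    rng = random.Random(seed)
    clients = [Client() for _ in range(n)]
    for c in clients:                     # warm every cache at t=0
        c.resolve(zone, 0, rng)
    return sum(c.resolve(zone, retry_at, rng) not in up_after_failover
               for c in clients)


TWO_RECORDS = {NAME: ([PRIMARY, BACKUP], TTL)}   # the "2nd DNS record" idea
CLUSTER_VIP = {NAME: ([VIP], TTL)}               # active/passive: VIP moves to SSLVPN2

if __name__ == "__main__":
    print("two A records, retry within TTL:", failed_logins(TWO_RECORDS, {BACKUP}, TTL // 2))
    print("two A records, retry after TTL :", failed_logins(TWO_RECORDS, {BACKUP}, TTL + 1))
    print("cluster VIP, retry within TTL  :", failed_logins(CLUSTER_VIP, {VIP}, TTL // 2))
```

Roughly half the users fail in both duplicate-record cases (cached clients keep the dead address until the TTL expires, and fresh lookups still pick it half the time), while the single-VIP record fails nobody once the backup node answers the VIP.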