topic Re: HA-system separated with two datacenters in General Topics

HA-system separated with two datacenters

jjormalainen — Tue, 13 Apr 2010 09:28:24 GMT

Man have two datacenters and there are about 15-20km between them. The datacenters are connected by dark fiber with 1Gb bandwidth, is it possible to make HA-system to this setup? I mean so, that one of the PA-unit is in the primary datacenter and another is in the secondary.

--Janne

Re: HA-system separated with two datacenters

jmuniz — Tue, 13 Apr 2010 12:48:18 GMT

Hello Janne,

If you have dark fiber and are carring the vlans associated to the security zones & HA1, HA2 accross the fiber it should work correctly.

Normally the latency at that distance over dark fiber is very low, therefore you should be ok.

What technology will you be using to light the fiber? It should provide you with L1 connectivity between both firewalls effectively as if they were conected across a L2 switch.

From the high availability perspective it might not be optimal becuase if the fiber or equipment to light it fails you will end up in a split brain condition.

Hope this helps, and let us knwo if your testing goes Ok.

Best regards, Jose Muniz

Re: HA-system separated with two datacenters

jjormalainen — Thu, 15 Apr 2010 06:44:14 GMT

Hi Jose,

Thank you for answering. I thought also that latency is not a problem at that distance. When I have tested this, I'll let you know the results, hopefully before summer It depends on the customer.

Br,

--Janne

Re: HA-system separated with two datacenters

mharding — Thu, 22 Apr 2010 15:14:27 GMT

It'll work.

We carry HA-1 and HA-2 across different VLANs, and haven't had a problem yet.

Re: HA-system separated with two data centers

bhelman — Fri, 29 Apr 2011 15:11:50 GMT

This thread is a year old, but I figured I'd try anyway ..

When you say you are carrying HA1/HA2 over two different vlans, I'm assuming you mean you are plugging those ports into switch gear that then goes over some kind of WAN and is reversed on the other side. Since it's plugged in to a switch port, you don't need the cross-over cable. 1) what speed are the ports (I have a pair of PA-4020's and I'm not seeing anything that tells me if they are 10, 100 or 1000)? 2) Did you consider using media converters so the traffic was physically isolated (so a switch reboot due to anything as basic as a config change or code upgrade doesn't break your link)? I don't know that I want to burn off 4 extra strands of fiber, so VLAN's may be the better way to go .. I'm just asking the question.

By the way, it's been a year since you said you haven't had any issues. How has the past year treated you re: the HA over VLAN?

Thanks.

Re: HA-system separated with two data centers

mharding — Fri, 29 Apr 2011 15:19:38 GMT

Everything we have is set to auto. I think the PA-4000 has dedicated HA ports, our PA-2050 we had to designate two ports.

No, we had sucess with carrying other VLANs across that link with no problem. It's nearly been 18 months now. I've only seen HA2 go down once, (HA2 is connected to the dataplane and caries the session table to the other firewall, HA1 is connected to the mangement plane and caries the configs and heartbeat.) but it came right back up. It's generally the fault of the ISP. I'll see a few errors on the interfaces between the core switches.

Re: HA-system separated with two data centers

bhelman — Fri, 29 Apr 2011 15:53:10 GMT

We are building a new data center across the street from the old one (probably 300 yards). Even though that's not a great separation, it's better than using the same room so I'm considering leaving 1 unit in the old data center and moving 1 to the new. I have my own fiber between the buildings, so fiber count is not an issue right now. I think I'm more inclined to use media converters though, just because of the switch-maintenance issue. The problem with that .. I need to figure out the HAx port speeds so I get the right fiber/copper converters (I don't want to buy 100/1000 if I can only use 100, but it sounds to me like 100 is probably overkill for the amount of data anyway).

This is all good information. Thanks!

Re: HA-system separated with two datacenters

jorisVD — Mon, 22 Apr 2013 09:41:25 GMT

Hi,

Are there official specs available from PA regarding speed, latency/distance for an A/P & A/A cluster split over two sites?

Thanks

Joris

Re: HA-system separated with two datacenters

mfro — Mon, 22 Apr 2013 17:46:34 GMT

I would also like to see that spec!

Re: HA-system separated with two datacenters

bhelman — Mon, 22 Apr 2013 18:10:32 GMT

The last I heard, this is not officially supported. However, if one did do it, two pairs of 100Mbs media converters would be the way to go. Hypothetically. You can also throw them into a layer-2 DEDICATED VLAN, if you don't have dedicated fiber between the devices. You need to make sure latency is very low though, or you're going to end up with both FW's going active.