Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

A/P HA with more than 1 passive unit

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

A/P HA with more than 1 passive unit

L2 Linker

Hi,

We have a customer looking to extend their DR capability to a 2nd physical site (Site B).

Currently they have 2 PAN 3050 firewalls in an A/P cluster at Site A. As the new site will be connected via fibre we will split the cluster across both sites.

Site B will very much be a cold standby site with no production load under normal conditions.

We would like to still maintain PAN device redundancy at Site A.

  • Is it possible to leave the existing cluster as is at Site A, and add a 3rd unit to the cluster at Site B?
  • How would this be achieved (using spare ports on the dataplane)?
  • Is it recommended/not recommended?
  • What other considerations should we be aware of?
  • How would this impact on "split brain" type scenarios of the link between the sites was lost?

Appreciate any answers, feedback and personal experience in this type of scenario.

Cheers,

Shannon

1 accepted solution

Accepted Solutions

L5 Sessionator

Hi Shannon,

This is currently not supported but we do have a feature request for it. You can mention FR 1043 to your sales/system engineer. He/She can vote on your behalf. Hope this helps. Thank you.

View solution in original post

7 REPLIES 7

L5 Sessionator

Hi Shannon,

This is currently not supported but we do have a feature request for it. You can mention FR 1043 to your sales/system engineer. He/She can vote on your behalf. Hope this helps. Thank you.

L5 Sessionator

Shannon-Rowe

I don't think you cannot have three units as a part of cluster.

I will suggest running OSPF with the route SiteB as a lower metric, so in case SiteA goes down it fails over to SIteB

Hope it helps !

L6 Presenter

Hi Shannon,

As Samir suggest as of now its not possible to add third unit in HA.

Would it be possible to provide us rough network dia. That way we might be able to suggest any other work around.

Regards,

Hardik Shah

Hi,

Thanks for your answers. A very high level, sanitized diagram below. Ideally we would have 2 units at the production datacentre.

Is it possible to have an independent unit at the standby unit, and somehow script regular config restores to the standby datacentre; this would also require having all dataplane interfaces shutdown, and could get messy, I realise, just want to explore all options.

Thanks,

Shannon

DR Diagrams v0.2.jpg

Hi Shannon,

How would you use one more firewall in "standby Data center".

1. What routing functinoality it will do?

2. When it should be active?

3. What traffic it will pass.

Regards,

Hardik Shah

1. What routing functionality it will do? - The intent would be for it to be another passive member of the cluster

2. When it should be active? - if both units at the production unit were to fail, or the production facility were to be completely compromised

3. What traffic it will pass. - only HA sync traffic. in conjunction with the ISP and BGP routing (not on the PAN), network border IP addressing would be assumed in the event of #2 being realized.

Hi Shanon,

1. Another passive Member - Is not possible.

2. If both units goes down then it turns active - It is not possible.

3. Basically it should do routing if both the boxes fail - This is possible.

You will have to configure something like IP monitor on Internet CPE router. If both the units are down than send traffic to third unit.

This third unit is independent of HA cluster.

Let me know if you have additional query on this.

Regards,

Hardik Shah

  • 1 accepted solution
  • 4422 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!