HA-system separated with two datacenters

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

HA-system separated with two datacenters

L1 Bithead

Man have two datacenters and there are about 15-20km between them. The datacenters are connected by dark fiber with 1Gb bandwidth, is it possible to make HA-system to this setup? I mean so, that one of the PA-unit is in the primary datacenter and another is in the secondary.

--Janne

9 REPLIES 9

Not applicable

Hello Janne,

If you have dark fiber and are carring the vlans associated to the security zones & HA1, HA2 accross the fiber it should work correctly.

Normally the latency at that distance over dark fiber is very low, therefore you should be ok.

What technology will you be using to light the fiber? It should provide you with L1 connectivity between both firewalls effectively as if they were conected across a L2 switch.

From the high availability perspective it might not be optimal becuase if the fiber or equipment to light it fails you will end up in a split brain condition.

Hope this helps, and let us knwo if your testing goes Ok.

Best regards, Jose Muniz

Hi Jose,

Thank you for answering. I thought also that latency is not a problem at that distance. When I have tested this, I'll let you know the results, hopefully before summer Smiley Wink It depends on the customer.

Br,

--Janne

L4 Transporter

It'll work.

We carry HA-1 and HA-2 across different VLANs, and haven't had a problem yet.

This thread is a year old, but I figured I'd try anyway ..

When you say you are carrying HA1/HA2 over two different vlans, I'm assuming you mean you are plugging those ports into switch gear that then goes over some kind of WAN and is reversed on the other side.  Since it's plugged in to a switch port, you don't need the cross-over cable.  1) what speed are the ports (I have a pair of PA-4020's and I'm not seeing anything that tells me if they are 10, 100 or 1000)?  2) Did you consider using media converters so the traffic was physically isolated (so a switch reboot due to anything as basic as a config change or code upgrade doesn't break your link)?  I don't know that I want to burn off 4 extra strands of fiber, so VLAN's may be the better way to go .. I'm just asking the question.

By the way, it's been a year since you said you haven't had any issues.  How has the past year treated you re: the HA over VLAN?

Thanks.

Everything we have is set to auto. I think the PA-4000 has dedicated HA ports, our PA-2050 we had to designate two ports.

No, we had sucess with carrying other VLANs across that link with no problem. It's nearly been 18 months now. I've only seen HA2 go down once, (HA2 is connected to the dataplane and caries the session table to the other firewall, HA1 is connected to the mangement plane and caries the configs and heartbeat.) but it came right back up. It's generally the fault of the ISP. I'll see a few errors on the interfaces between the core switches.

We are building a new data center across the street from the old one (probably 300 yards).  Even though that's not a great separation, it's better than using the same room so I'm considering leaving 1 unit in the old data center and moving 1 to the new.   I have my own fiber between the buildings, so fiber count is not an issue right now.  I think I'm more inclined to use media converters though, just because of the switch-maintenance issue.  The problem with that .. I need to figure out the HAx port speeds so I get the right fiber/copper converters (I don't want to buy 100/1000 if I can only use 100, but it sounds to me like 100 is probably overkill for the amount of data anyway).

This is all good information.  Thanks!

L1 Bithead

Hi,

Are there official specs available from PA regarding speed, latency/distance  for an A/P & A/A cluster split over two sites?

Thanks

Joris

I would also like to see that spec! Smiley Happy

L2 Linker

The last I heard, this is not officially supported.  However, if one did do it, two pairs of 100Mbs media converters would be the way to go.  Hypothetically.  You can also throw them into a layer-2 DEDICATED VLAN, if you don't have dedicated fiber between the devices.  You need to make sure latency is very low though, or you're going to end up with both FW's going active.

  • 10028 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!