As you may know, PA HA is per physical box only. If you have 2 boxes running virtual systems and you want HA, you can't have VSYS1 on box1 active and VSYS2 on box1 standby. Box1 must be active for all VSYS on it or standby for all VSYS.
There is a workaround for this limitation with configuration sync. Let's assume we have 2 PA boxes and we want the following:
Box1: device id 0
Box2: device id 1
We can configure Active/Active High Availability between the 2 boxes and use Floating IPs with priorities to make FIP1 (10.2.28.1, part of VSYS1) active on box1 and FIP2 (10.2.29.1, part of VSYS2) active on box2, as below.
e1/1, e1/2 are part of VSYS1
e1/3, e1/4 are part of VSYS2
e1/1 (Inside) will have an IP 10.2.28.2 on box1 and 10.2.28.3 on box2
e1/2 (Outside) will have an IP 10.2.30.2 on box1 and 10.2.30.3 on box2
e1/3 (Inside) will have an IP 10.2.29.2 on box1 and 10.2.29.3 on box2
e1/4 (Outside) will have an IP 10.2.31.2 on box1 and 10.2.31.3 on box2
Virtual Router VR1 (e1/1, e1/2) is part of VSYS1
Virtual Router VR2 (e1/3, e1/4) is part of VSYS2
Virtual Address on e1/1 is 10.2.28.1 with priority 0 on device 0 (Active) and priority 255 on device 1 (Standby)
Virtual Address on e1/2 is 10.2.30.1 with priority 0 on device 0 (Active) and priority 255 on device 1 (Standby)
Virtual Address on e1/3 is 10.2.29.1 with priority 255 on device 0 (Standby) and priority 0 on device 1 (Active)
Virtual Address on e1/4 is 10.2.31.1 with priority 255 on device 0 (Standby) and priority 0 on device 1 (Active)
Assuming that users can't change their gateway manually, subnet 10.2.28.0/24 is now active on VSYS1 on box1, while subnet 10.2.29.0/24 is now active on VSYS2 on box2.
We will need a router (R1) to route traffic between VSYS1 and VSYS2. If we are going to use static routing, the scenario is as follows:
1_Enable VR Sync in the HA > Active/Active tab (enabled by default)
2_Add default route on VR1 to route traffic to R1
3_Add default route on VR2 to route traffic to R1
4_On R1, add 2 static routes for each subnet with different metric
routes for subnet 10.2.28.0/24:
-route to 10.2.30.1 with metric 10
-route to 10.2.31.1 with metric 20
routes for subnet 10.2.29.0/24:
-route to 10.2.31.1 with metric 10
-route to 10.2.30.1 with metric 20
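To sanity-check the static routing design above before committing it, here is an added Python model (not part of the original post) that reproduces the floating IP priorities and R1's static routes from the post. It computes which box owns each FIP for a given set of live devices and which next hop R1 picks, so you can see that each subnet lands on its intended box in steady state and that both subnets follow the FIPs to the surviving box on failover. The priority rule (lower value wins) and the route-selection rule (lowest metric whose next-hop FIP is owned by a live box) are assumptions of the model.

```python
# Added model of the Active/Active floating-IP design in the post.
# Constructed data mirrors the post: priority 0 = preferred owner, 255 = standby.

# Floating IP -> {device_id: priority}; lower value wins (assumption of the model).
FLOATING_IPS = {
    "10.2.28.1": {0: 0, 1: 255},   # e1/1, VSYS1 inside
    "10.2.30.1": {0: 0, 1: 255},   # e1/2, VSYS1 outside
    "10.2.29.1": {0: 255, 1: 0},   # e1/3, VSYS2 inside
    "10.2.31.1": {0: 255, 1: 0},   # e1/4, VSYS2 outside
}

# R1 static routes from the post: (destination, next-hop FIP, metric)
R1_ROUTES = [
    ("10.2.28.0/24", "10.2.30.1", 10),
    ("10.2.28.0/24", "10.2.31.1", 20),
    ("10.2.29.0/24", "10.2.31.1", 10),
    ("10.2.29.0/24", "10.2.30.1", 20),
]


def fip_owner(fip, up_devices):
    """Return the device id owning a floating IP, or None if no device is up."""
    candidates = {d: p for d, p in FLOATING_IPS[fip].items() if d in up_devices}
    if not candidates:
        return None
    return min(candidates, key=candidates.get)


def ownership(up_devices):
    """Map every floating IP to its current owner for the given live devices."""
    return {fip: fip_owner(fip, up_devices) for fip in FLOATING_IPS}


def r1_next_hop(dest, up_devices):
    """Lowest-metric route whose next-hop FIP is owned by a live box.

    Returns (next_hop_fip, owning_device) or None if no route is usable.
    """
    usable = [(m, nh) for d, nh, m in R1_ROUTES
              if d == dest and fip_owner(nh, up_devices) is not None]
    if not usable:
        return None
    _metric, nh = min(usable)
    return nh, fip_owner(nh, up_devices)


if __name__ == "__main__":
    for state, up in (("both boxes up", {0, 1}), ("box1 down", {1}), ("box2 down", {0})):
        print(state, ownership(up))
        for dest in ("10.2.28.0/24", "10.2.29.0/24"):
            print("  ", dest, "->", r1_next_hop(dest, up))
```

With both boxes up, 10.2.28.0/24 is reached via 10.2.30.1 on device 0 and 10.2.29.0/24 via 10.2.31.1 on device 1; when box1 fails, every FIP moves to device 1 and R1's metric-10 routes keep working without any change on R1.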
In case we need to use dynamic routing (OSPF):
1_Don't use floating IPs for the outside interfaces e1/2 and e1/4.
2_Disable VR sync (now we have 4 different routers on the 2 boxes).
3_Increase the metric of subnet 10.2.28.0/24 on VR1, VSYS1 on box2 in the OSPF configuration.
4_Increase the metric of subnet 10.2.29.0/24 on VR2, VSYS2 on box1 in the OSPF configuration.
See also: How to Configure OSPF