[j-nsp] Vpn in active/active HA

Stefan Fouant sfouant at gmail.com
Fri Aug 29 12:08:14 EDT 2008


On Fri, Aug 29, 2008 at 6:31 AM, Sidney Boumendil
<sidney.boumendil at gmail.com> wrote:
> On 8/29/08, SunnyDay <cscosunny at gmail.com> wrote:
>> I'm not going to use certificates, just policy-based VPN or route-based;
>> is there any issue on these?
>
> As long as your cluster is well configured (rto mirror sync, config
> sync, etc), I can't think of anything else.
>
> B.R

Hmmm... a couple additional things come to mind.

By default NSRP contains a mechanism which ensures that the system
clocks on both systems within the NSRP cluster remain synchronized.
However, if you are also using NTP to set the system clocks, the time
between the cluster members can become unsynchronized.  In this case,
you will want to disable the NSRP time synchronization between the two
cluster members because NTP has much better time resolution in
sub-seconds, versus NSRP resolution in seconds.  Enter the following
command on your cluster if you are also doing NTP on your cluster
members:

set ntp no-ha-sync

As Sidney mentioned, you are going to want to make sure you enable
Run-Time Object synchronization, lest your sessions, ARP cache
entries, and IPSec SAs go unsynchronized and need to be
reestablished after a failure scenario.  Enter the following
command to ensure that you have enabled RTO synchronization:

set nsrp rto-mirror sync

While we are on the subject, might I suggest going to Active/Passive?
A/P is much easier, less prone to problems, and also promotes
deterministic performance during failure scenarios.  People will
always use the excess bandwidth provided during normal A/A operation
and become used to it... then when a failure occurs you effectively
halve your performance... people start grumbling ;)

-- 
Stefan Fouant
Principal Network Engineer
NeuStar, Inc. - http://www.neustar.biz
GPG Key ID: 0xB5E3803D
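Added example, not part of Stefan's post or of any Juniper tooling: a small Python audit script that checks a ScreenOS configuration dump (the output of "get config") for the two settings recommended above. It flags a cluster that lacks "set nsrp rto-mirror sync", and a cluster that has NTP configured but not "set ntp no-ha-sync". The sample configurations are constructed for the example; the "set clock ntp" / "set ntp server" lines used to detect NTP and the rule that a later "unset ..." line negates the matching "set ..." line are assumptions about ScreenOS syntax, so check them against your own config dump.

```python
"""Audit a ScreenOS config dump for the NSRP settings discussed in the thread.

Added example (not from the mailing list post). It checks:
  1. 'set nsrp rto-mirror sync' is present (RTO synchronization enabled).
  2. If NTP is in use, 'set ntp no-ha-sync' is present as well.
Assumptions: NTP is considered "in use" when 'set clock ntp' or a
'set ntp server ...' line is active, and a later 'unset X' line removes
an earlier 'set X' line. Both sample configs below are constructed.
"""
import re

# Settings that must be present on an NSRP cluster regardless of NTP.
REQUIRED_ALWAYS = {
    "set nsrp rto-mirror sync":
        "RTO synchronization is off; sessions, ARP entries and IPsec SAs "
        "will have to be rebuilt after a failover",
}


def normalize(config_text):
    """Return the set of effective 'set ...' lines.

    Whitespace is collapsed, comments and blank lines are skipped, and an
    'unset ...' line discards the matching 'set ...' line seen earlier.
    """
    active = set()
    for raw in config_text.splitlines():
        line = re.sub(r"\s+", " ", raw.strip())
        if not line or line.startswith("#"):
            continue
        if line.startswith("set "):
            active.add(line)
        elif line.startswith("unset "):
            active.discard("set " + line[len("unset "):])
    return active


def uses_ntp(active):
    """True if the config enables the NTP client or names an NTP server."""
    return "set clock ntp" in active or any(
        line.startswith("set ntp server ") for line in active)


def audit_nsrp_config(config_text):
    """Return a list of findings; an empty list means the config passes."""
    active = normalize(config_text)
    findings = []
    for needed, why in REQUIRED_ALWAYS.items():
        if needed not in active:
            findings.append(f"missing '{needed}': {why}")
    if uses_ntp(active) and "set ntp no-ha-sync" not in active:
        findings.append(
            "NTP is configured but 'set ntp no-ha-sync' is absent: NSRP clock "
            "sync (one-second resolution) will fight NTP between cluster members")
    return findings


# Constructed sample: a cluster with NTP but neither recommended setting.
BAD_CONFIG = """
set nsrp cluster id 1
set nsrp vsd-group id 0
set clock ntp
set ntp server 192.0.2.10
"""

# Constructed sample: the same cluster with both fixes applied.
GOOD_CONFIG = """
set nsrp cluster id 1
set nsrp vsd-group id 0
set nsrp rto-mirror sync
set clock ntp
set ntp server 192.0.2.10
set ntp no-ha-sync
"""

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, audit_nsrp_config(cfg) or "OK")
```

Run it against a saved "get config" dump from each cluster member; both members should pass, since a setting present on only one of them is exactly the kind of asymmetry config sync is meant to prevent.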

