Failover SMA procedure

Hi,

 

In case of disaster recovery of an SMA, is it necessary to recreate the IP address of the failed SMA 1 as the IP address on SMA 2? Is it possible to keep the SMA 2 IP addresses?

Another question: is it possible to use an F5 VIP in front of IronPort C series for the spam quarantine? Will it change the source IP addresses in the logs?

 

Best Regards,

Julien

4 Replies

Mathew Huynh
Cisco Employee

Heya,

 

You can create more IP interfaces on SMA 2 if required, so you don't need to change the existing interface but can create a new one to use the ethernet port if required.

But ensure you have proper network routes and firewall rules established to allow communication if done so.

 

Otherwise you can remove the current IP interface and change it over (this may cause loss of connection if you're using only a single point of connection for SMA 2).

 

F5 VIP, I assume, is the load balancer?

If so, I believe you may need to reach out to the F5 support team to see if you can have the device running in transparent mode, where it will not mask the source IP with its own IP.

 

If there is a transparent mode that can be used, it should be fine.

Otherwise, if there is none and the source IP always shows as the F5 VIP load balancer IP, it can affect the security scanning.
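A quick way to check for the masking problem described above, as an added example that is not from this thread: parse connection log lines and measure what share of connections appear to originate from the load balancer VIP. The log lines, the VIP address and the client addresses below are constructed placeholders, and the line format is a simplification rather than real appliance output.

```python
import re
from collections import Counter

# Constructed sample data (not real appliance logs); addresses are documentation ranges.
VIP_IP = "192.0.2.5"
MASKED_LOG = """\
Info: New SMTP ICID 1001 interface Data1 address 192.0.2.5
Info: New SMTP ICID 1002 interface Data1 address 192.0.2.5
Info: New SMTP ICID 1003 interface Data1 address 192.0.2.5
"""
TRANSPARENT_LOG = """\
Info: New SMTP ICID 2001 interface Data1 address 203.0.113.10
Info: New SMTP ICID 2002 interface Data1 address 198.51.100.7
Info: New SMTP ICID 2003 interface Data1 address 192.0.2.5
"""

# Connection id followed (later on the line) by the peer address.
ADDR_RE = re.compile(r"\bICID (\d+) .*?\baddress (\d{1,3}(?:\.\d{1,3}){3})")


def source_addresses(log_text):
    """Return {ICID: source IP} for every connection line found in log_text."""
    matches = (ADDR_RE.search(line) for line in log_text.splitlines())
    return {int(m.group(1)): m.group(2) for m in matches if m}


def vip_share(log_text, vip_ip):
    """Fraction of connections whose recorded source is the load balancer VIP."""
    addrs = source_addresses(log_text)
    if not addrs:
        return 0.0
    return Counter(addrs.values())[vip_ip] / len(addrs)


def vip_is_masking(log_text, vip_ip, threshold=0.9):
    """True when (nearly) all connections look like they come from the VIP,
    i.e. the balancer is rewriting the source and the appliance never sees
    the real client address its reputation and scanning logic relies on."""
    return vip_share(log_text, vip_ip) >= threshold


if __name__ == "__main__":
    for name, log in (("masked", MASKED_LOG), ("transparent", TRANSPARENT_LOG)):
        print(name, round(vip_share(log, VIP_IP), 2), vip_is_masking(log, VIP_IP))
```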

Paul Cardelli
Level 1

I think it depends on how much of the SMA you want to fail over. If it is just to get access to all the reports, that's fine. Eventually you will need more data, and will need to manually pair SMA 2 to each of your ESAs. Once this is done you are pretty much failed over.

 

I agree with Mathew on the second interface idea, if you want to keep the same IP alive, or use the second IP for load balancing. Just be aware that SMA 2 will have limited availability during backups (and is not real-time data), so if you are using a load balancer such as F5 or HAProxy I would set the SMA 2 IP as a passive standby that is only used for failover and not load balanced.

Also, if you have scheduled reports on SMA 1 and you fail over to SMA 2, you'll need to set up the schedule again to continue receiving reports.

 

As for the ESAs, you have redundancy by numbers built in; the nice part about the SMA is that you do not have to point the user to multiple spam quarantines.

Hi,

Thank you for your reply.

 

For the F5 VIP, I just want to simplify the failover in case of disaster.

I want to declare one VIP with only one member (the SMA), and when I need to fail over I only need to change the member on the F5 side.

 

Regards,

Julien

This failover will work for management but not for communications from and to the security appliances, as these have to be paired with SSH keys for authentication and can only talk to one SMA at a time.

So the end result is that all your report and quarantine data will be available up to the last time SMA 1 communicated with the ESAs and was backed up to SMA 2. The ESAs will not automatically start communicating with SMA 2 even though the IP address is the same; the SSH authentication keys will not match.

Now if there was a way in the future for the ESAs to communicate to both appliances, and the appliances could manage the delta between the two then you would have a full HA. I don't think this is available at this time.