cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3926
Views
0
Helpful
3
Replies

How to tell if Active/Active vs Active/Passive - DUO Proxy

emotnivek
Level 1
Level 1

So, I was not involved in the initial setup of our DUO Proxy Servers, and I was recently asked if they were in Active/Active or Active/Passive mode. This is something I should know, but alas do not… I have called support 4 times this morning, but the boys and girls at DUO are mighty busy this AM. So, maybe someone can tell me where to look on my proxies. I believe that they are based on the load I see on both of them. They always seem to be about equal, but I am not certain. We are performing a migration of our VM Servers and each one will need to go offline for about 30 minutes, so I need to know that we are good to go. If anyone can answer me, that would be the most greaterestest thing in the whole wild world. Thanks!

1 Accepted Solution

Accepted Solutions

DuoKristina
Cisco Employee
Cisco Employee

Hi there!

If you mean the Duo Authentication Proxy server, it doesn’t have native high-availability. We have some guidelines for setting up high-availability but the actual details of your HA configuration is something that would be unique to your organization. We wouldn’t know if you were using load-balancers, round-robin DNS, a hot spare, etc.

Something that might help you figure it out is to look at one of the devices that is configured to pass authentication traffic to the proxy server and see what IP address it’s using. Is it the IP address of one of the proxy servers or is it a virtual IP? If virtual, you could then try to figure out where that IP originated.

Best of luck with your migrations!

Duo, not DUO.

View solution in original post

3 Replies 3

DuoKristina
Cisco Employee
Cisco Employee

Hi there!

If you mean the Duo Authentication Proxy server, it doesn’t have native high-availability. We have some guidelines for setting up high-availability but the actual details of your HA configuration is something that would be unique to your organization. We wouldn’t know if you were using load-balancers, round-robin DNS, a hot spare, etc.

Something that might help you figure it out is to look at one of the devices that is configured to pass authentication traffic to the proxy server and see what IP address it’s using. Is it the IP address of one of the proxy servers or is it a virtual IP? If virtual, you could then try to figure out where that IP originated.

Best of luck with your migrations!

Duo, not DUO.

jmnt
Level 1
Level 1

Check the duo proxy logs. If the both of the logs show that authentication happens on both of the proxies=> both are used. As Kristina said, there might be an LB in front of the proxies. . LB’s can be configured several ways. So proxies might be configured to function primary&backup mode , or loadbalanced with weighting etc so it is difficult to deduce from duo proxy logs other than auth traffic flows through them/not. Maybe you could reach out to your network admins and ask if they have LB’s configured in front of proxies and what are the settings.

Thanks, yeah I forgot to update this post… At first I didn’t know if the proxies themselves had some kind of HA integration option in the servers, but I did find out that we have them load balanced using our F5s with a VIP… thanks for the response!

Quick Links