08-25-2023 01:20 AM
Hello All,
I know that in Cisco WSA we can configure high availability with the CARP protocol. But I need to confirm whether Active/Standby HA on Cisco WSA is a stateful failover, which means that if I configured HA in WSA and the active appliance goes down, does the standby appliance have the information on active connections?
Please clear my doubt on this. Thanks to everyone in advance.
08-25-2023 02:24 AM
Hi @Mandeep singh5,
No, it is not a stateful failover like on a FW. But it also doesn't need to be. Given that HTTP is transaction based, once the user loads a page, that is it, the transaction is over, so there is no need to keep session state tracking like on a FW. In case of failure, the user will open a new page, and it will flow the same way.
What does get affected is if failover happens in the middle of a transaction; then the user might get the page loaded partially. However, in that case, the user would simply reload the page, and everything would be loaded again. Also, the authentication cache gets affected, and the user might need to be authenticated again. But again, given that transparent mechanisms are most often used for authentication (like Kerberos or NTLM), the user is unaware of this, and everything runs smoothly.
Kind regards,
Milos
08-25-2023 02:20 AM - edited 08-25-2023 02:21 AM
Personally I would not set up WSA as active/standby; in this case you are just wasting money (personally).
Rather, I set up an LB to distribute traffic between the WSAs, and the LB can take care of it when one of the WSAs fails, so the other one keeps processing the traffic. In this case it's value for money, and you are using both WSAs all the time.
Below are the methods if you are looking at LB:
1. LB (any LB should be able to load balance the traffic)
2. PAC to WPAD to split the load between WSA
3. WCCP
As per your question, yes - CARP.
Using the Common Address Redundancy Protocol (CARP), the Web Security Appliance enables multiple hosts on your network to share an IP address, providing IP redundancy to ensure high availability of services provided by those hosts.
Failover is available only for the proxy service. The proxy automatically binds to the failover interface when the failover group is created. Thus, if the proxy goes down for any reason, failover is triggered.
In CARP, there are three states for a host:
primary - there can only be one primary host in each failover group
backup
init
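As an added example (not code from the original thread, from Cisco, or from either poster), here is a PAC file of the kind option 2 above refers to: it hashes the destination host to decide which of two WSAs a client tries first and lists the other as fallback, so the browser itself fails over if the preferred WSA refuses the connection, without any CARP configuration on the appliances. The proxy hostnames wsa1/wsa2.example.com, the proxy port 3128 and the intranet suffix are assumptions for illustration.

```javascript
// Added example PAC file: split client traffic across two WSAs with
// browser-side failover. Hostnames, port and intranet suffix are assumed.
var PROXIES = ["wsa1.example.com:3128", "wsa2.example.com:3128"];

// Assumed internal domain whose hosts should bypass the proxy entirely.
var INTRANET_SUFFIX = ".corp.example.com";

// djb2 hash of the destination host, kept as a 32-bit unsigned value.
// Deterministic, so a given site always maps to the same preferred WSA
// (keeps cache and authentication-surrogate locality on that appliance).
function hashHost(host) {
  var h = 5381;
  for (var i = 0; i < host.length; i++) {
    h = (h * 33 + host.charCodeAt(i)) >>> 0;
  }
  return h;
}

// Plain hostnames (no dot) and anything under the internal suffix go DIRECT.
// Own helper names are used so nothing shadows the PAC built-ins
// (isPlainHostName, dnsDomainIs, ...).
function isIntranetHost(host) {
  if (host.indexOf(".") === -1) return true;
  var h = host.toLowerCase();
  return h.length >= INTRANET_SUFFIX.length &&
         h.slice(-INTRANET_SUFFIX.length) === INTRANET_SUFFIX;
}

// Returns the proxies in the order the browser should try them:
// preferred WSA first, the remaining ones as fallbacks.
function proxyOrderFor(host) {
  var first = hashHost(host.toLowerCase()) % PROXIES.length;
  var order = [];
  for (var i = 0; i < PROXIES.length; i++) {
    order.push(PROXIES[(first + i) % PROXIES.length]);
  }
  return order;
}

// Standard PAC entry point. A "PROXY a; PROXY b" result makes the browser
// move on to b when the TCP connection to a fails, which is the failover
// behaviour this option relies on instead of CARP.
function FindProxyForURL(url, host) {
  if (isIntranetHost(host)) return "DIRECT";
  var order = proxyOrderFor(host);
  return "PROXY " + order.join("; PROXY ");
}
```

Two practical caveats: browsers only fall through to the next PROXY entry on a connection failure (refused, timeout), not on an HTTP error page returned by a live but unhealthy WSA, and a client that has failed over will be re-authenticated on the second appliance exactly as Milos describes for CARP, which is transparent to the user only when Kerberos or NTLM is in use.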