Clustering S670 and S680 problem.

tomek3b01 · ‎06-18-2015

Hi

I have to configure cluster with two Ironport S680 and S670.

They have diferent name DNS and IP address. Interfaces name are this same.

AsyncOS is the same on both cisco ironport 8.0.8.

I finded the instruction how configrure claster (CLI) but i don't have command "clusterconfig" on both ironport.

I don't know why :(

---------------------

If I configure cluster that is mean, when one ironport lost the connection the second ironport take the all network traffic?

Thank!!!

Jernej Vodopivec · ‎06-18-2015

Web Security Appliance doesn't support clustering.

Only ESA supports clustering.

You can use Security Management Appliance for central management, logging...: http://www.cisco.com/c/en/us/products/security/content-security-management-appliance/index.html

If you need HA, please read my post at https://supportforums.cisco.com/discussion/12536321/wsa-etherchannel

Hope this helps..

tomek3b01 · ‎06-18-2015

Does mean when I have S serier I need the SMA for central management?

This is my first time with ironport and my experience is poor :/

I want create something like backup...that's mean when one ironport loose connection etc. the secon ironport can take the automaticly network traffic. For this solution I need SMA?

Jernej Vodopivec · ‎06-18-2015

central management = same, unified security policy - you need SMA

high availability - you have two standalone appliances managed separately; they can work in HA mode so if one appliance fails traffic will redirect to other appliance

you can also design HA environment by using load balancers (Citrix Netscaler for example)

automatic configuration backup: take a look at this post: https://supportforums.cisco.com/discussion/12388821/possibility-auditcompare-configuration-changes-ironport

tomek3b01 · ‎06-18-2015

Thank you.

I will try with F5 load balancer.

I found this information about configure proxy. I can try use WCCP or a Proxy Auto Config file (.pac file).How do you think it is good idea?

Jernej Vodopivec · ‎06-18-2015

wccp-transparent redirection; you don't need F5 if you want to achieve HA solution

proxy pac-explicit forwarding of http(s) traffic; with newer versions you can configure two appliances to use shared IP to achieve HA (active/passive); simmilar as VRRP works; you don't need F5 also

all design options are explained in user guide:

http://www.cisco.com/c/en/us/support/security/web-security-appliance/products-user-guide-list.html

tomek3b01 · ‎06-18-2015

Thank for your help :)

tomek3b01 · ‎06-24-2015

Hi

Look I found something about HA WSA:

https://supportforums.cisco.com/video/12358461/steps-configure-vrrp-virtual-router-redundancy-protocol-web-security-appliance

What do you think about this solution?

Ken Stieers · ‎06-25-2015

This is only applicable if you're using explicit proxy (eg setting proxy config in the browsers). If you're using transparent redirection (WCCP or Layer 4 routing), this doesn't apply.

tomek3b01 · ‎06-29-2015

I am using explict proxy (wpad, and automaticly find proxy in the browsers).

I have other question. How is working update for AsyncOS?

Now i have 8.0.8 but it's not new OS version. Why I don't see new update?