I want to setup a pair of WSA as High availability group with P1 facing internally and P2 externally. To me, the HA VIP would assigned from the subnet configured on P1. But is there anyway to setup two VIPs (different subnets) on the WSA so clients can use either for outbound traffic? I am not sure if that would be do-able with WSA but still want to check with the experts here...
Thanks for the info. The WSA HA is active/standby, right?
If I use both P1 and P2, the P1 would be for internal and P2 would be for external. I do not think I can use both P1 and P2 for internal... So unless HA has some hidden tricks to have two VIPs, I do not think clients would be able to use two proxy address to send traffic through WSA...
But if I do not dedicate the M1 as management only, I might be able to use both M1 and P1 facing internal, P2 facing externally?
HA is intended to be used for client-facing interface / P1. Since it is a virtual IP (like VRRP), only one WSA device will continue processing traffic - by taking it on P1, via virtual IP, and forwarding it via its own P2 interface (where no HA is configured).
AFAIK, you can't use P1 as a listener IP for one group of users, and P2 for second group of users. If used both P1 and P2, one (P1) acts as inside, while other (P2) acts as outside (single routing table).
You could use multiple HA addresses if that satisfy your needs? There is still limitation that all IPs must have same subnet.
You are right. But I am thinking whatif I use both P1 and M1 as the internal facing data interfaces; use P2 for external. I can then have two HA groups: one has VIP from subnet on P1; one has VIP from subnet on M1. Use either P1's gateway and M1's gateway to reach client subnets, depending on the destination subnet in routing table.
On paper, this seems to work, right? Or I missed something here...
Once you enable usage of both M and P interfaces, I believe M can only be used as management, and no data can be processed there. Please take a look on this document.
What you are trying to achieve seems different than what Cisco imagined WSA to be used like. If you indeed have a need to have HA on multiple networks, why not go with multiple WSAv? You don't have any license limitation how many WSAs can you have, and it requires fairly small VM resources.
I suggest to use an external load balancing appliance for anything beyond basic build-in active/passive HA. It could range from a free open source linux based VM to a full-fledged F5 cluster. This will provide not only a true active/active HA/LB, but also health checks , weighted distribution of requests, client stickiness and many more.
The WSA's VRRP/CARP is L3-based and cannot determine if the proxy listener is down or the proxy process is overloaded. Instead it provide a HA of the VIP only.
in WSA we can use interface VLAN and gave them IP
VLANs appear as dynamic “Data Ports” labeled in the format of: “VLAN DDDD” where the “DDDD” is the ID and is an integer up to 4 digits long (VLAN 2, or VLAN 4094 for example). AsyncOS supports up to 30 VLANs.
A physical port does not need an IP address configured in order to be in a VLAN. The physical port on which a VLAN is created can have an IP that will receive non-VLAN traffic, so you can have both VLAN and non-VLAN traffic on the same interface.
VLANs can only be created on the Management and P1 data ports.
for more information, please check "Configuring and Managing VLANs" section from user guide.
not sure if it will help you for what you are intended to do
++++ If you find this answer helpful, please rate it as such ++++
Thanks for the information. I was not aware that VLAN tagging is supported on WSA data interfaces...I will check the guide in detail.
Ideally I want to use P1 for Internal data; P2 for External data; M1 dedicated for MGMT. Based on my brief read, "VLAN are allowed only on the primary interface"...does it mean for the P1 only? Would I be able to have IP addresses on the P1/P2 as well as VLAN interfaces facing LAN/EXTERNAL? If so, I assume the P1/P2 IP would be on the native VLAN?
I just run a quick configuration test in lab on WSA, it does seem I am allowed to configure VLAN on P2 as well. So is "VLANs can only be created on the Management and P1 data ports." an outdated restriction? I did try on WSA with v14.5.