High Availability
The high availability (HA) consideration for a remote access VPN deployment has two parts: local and geographic HA.
Local HA methods include the following:
- Hot standby failover: The two SSL VPN appliances run as an active-passive failover pair. Common failover protocols include Virtual Router Redundancy Protocol (VRRP) and Hot Standby Router Protocol (HSRP). A stateful failover synchronizes the SSL VPN session information between the two units to ensure minimal user disruption during the failover.
- Active-active failover: Both units are active and handle traffic during the normal state. Some administrators like to oversubscribe the resource and run both units at full capacity or at more than 50 percent capacity. This can lead to a domino effect: when one unit fails, the remaining unit is overwhelmed by the aggregated user requests.
- Multiunit clustering: This is similar to active-active failover but with more than two units. Clustering is mainly used to improve scalability, but it can also provide high availability.
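The domino effect described for active-active failover, generalized to a multiunit cluster, can be checked before deployment with a small capacity model. This is an added example, not code from the book; the function names, the proportional redistribution of sessions and the rule that an overloaded unit drops out are all assumptions of the model.

```python
# Added example: capacity model of the "domino effect" in an active-active
# pair or a cluster. Assumptions (not from the chapter): sessions from a failed
# unit are spread over the survivors in proportion to their capacity, and a
# unit whose load exceeds its capacity is treated as failed too.

def simulate_failure(capacities, loads, failed):
    """Return (surviving unit indexes, sessions left unserved) after unit `failed` dies."""
    alive = {i for i in range(len(capacities)) if i != failed}
    load = {i: float(loads[i]) for i in alive}
    orphaned = float(loads[failed])
    while alive and orphaned > 0:
        total_cap = sum(capacities[i] for i in alive)
        for i in alive:
            load[i] += orphaned * capacities[i] / total_cap
        # Any survivor pushed past its capacity fails in turn and orphans
        # everything it was carrying, which is what drives the cascade.
        overloaded = {i for i in alive if load[i] > capacities[i]}
        orphaned = sum(load.pop(i) for i in overloaded)
        alive -= overloaded
    return sorted(alive), orphaned


def max_safe_utilization(units, tolerated_failures=1):
    """Highest per-unit utilization (0..1) at which equal-size units absorb the failures."""
    if not 0 <= tolerated_failures < units:
        raise ValueError("at least one unit must survive")
    return (units - tolerated_failures) / units


if __name__ == "__main__":
    # Constructed sample figures: (label, session capacity per unit, current sessions).
    cases = [
        ("pair at 50%", [1000, 1000], [500, 500]),
        ("pair at 60%", [1000, 1000], [600, 600]),
        ("mixed cluster", [1000, 1000, 500], [600, 600, 400]),
    ]
    for label, caps, loads in cases:
        survivors, lost = simulate_failure(caps, loads, failed=0)
        print(f"{label}: survivors={survivors} unserved_sessions={lost:.0f}")
    print("max safe utilization, 2 units:", max_safe_utilization(2))
    print("max safe utilization, 4 units:", max_safe_utilization(4))
```

In the mixed-cluster case the smallest unit fails first and its sessions then push the last unit over capacity, so a single failure takes down the whole cluster.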
Geographic HA extends the VPN resiliency beyond local network availability. The VPN appliances are placed in multiple locations to serve the local users and also work as backup appliances for other locations.