I know how to set up the virtual IP address on the WAN side for 2x MX devices in HA - 1 public IP per device and another IP address for the virtual IP.
If I am using AnyConnect, where should the clients connect? The DNS name that comes up for the virtual IP address in the dashboard?
Should there be [near] zero downtime with anything on the one-to-one or one-to-many NAT rules if there is a failover event?
The address that must be considered is that of the VIP. As for the time of the failover event, it is transparent to the user; it should lose a maximum of 2 or 3 pings.
>The DNS name that comes up for the virtual IP address in the dashboard?
Correct. Otherwise the automatic certificate name won't match.
>Should there be [near] zero downtime with anything on the one-to-one or one-to-many NAT rules if there is a failover event?
No state is synced between the two MX. When a failover happens, all connections are dropped and must be made again. In the case of AnyConnect, users need to reconnect.
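Why the certificate name matters, as an added illustration that is not code from this thread or from Meraki: a certificate issued for the VIP's DNS name only validates when the client connects to exactly that name, so pointing AnyConnect at an MX's own WAN name or at a bare IP fails hostname verification even though the TCP/TLS path works. The SAN list, hostnames and address below are constructed placeholders; `live_tls_check` is an optional real-network check that is not exercised by the offline demo.

```python
"""Hostname matching against a certificate's Subject Alternative Names.

Added example, not from the thread or from Meraki. It shows why AnyConnect
clients must be pointed at the VIP's DNS name: a certificate issued for that
name does not validate when the client connects to an MX's own WAN name or
to a bare IP. Hostnames and addresses below are constructed placeholders.
"""
import ipaddress
import socket
import ssl

# Constructed SAN list for a certificate issued to the VIP's DNS name (assumption).
VIP_CERT_SANS = [("DNS", "vpn-vip.example.com")]


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, wildcard only as the
    entire leftmost label, never spanning a dot, never matching a bare
    second-level name (so '*.com' matches nothing)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, sans) -> bool:
    """True if `hostname` (a DNS name or an IP literal) is covered by `sans`,
    a list of (type, value) pairs with type 'DNS' or 'IP'.
    An IP literal only ever matches an IP SAN, never a DNS SAN."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_name_matches(value, hostname):
            return True
    return False


def live_tls_check(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Optional live check: perform a real TLS handshake with default
    verification and report whether the presented certificate validates
    for `host`. Needs network access; not used by the offline demo."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"OK: {host} validated ({tls.version()})"
    except ssl.SSLCertVerificationError as e:
        return f"MISMATCH: {host}: {e.verify_message}"
    except OSError as e:
        return f"ERROR: {host}: {e}"


if __name__ == "__main__":
    # Only the VIP's own name validates against a certificate issued for it.
    for target in ("vpn-vip.example.com", "mx1-wan.example.com", "203.0.113.10"):
        verdict = "valid" if hostname_matches(target, VIP_CERT_SANS) else "name mismatch"
        print(f"{target:24} -> {verdict}")
```

The offline demo reproduces the mismatch the reply describes: the VIP name validates, the per-device WAN name and the raw public IP do not. To confirm against the live pair, call `live_tls_check` with the VIP's DNS name and then with each MX's WAN name; only the first should report OK.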
@PhilipDAth I've already done several failover tests and I didn't have any problems, it was practically transparent, at most 2 or 3 pings were lost.
Try a long-running TCP connection, like a download. You'll see that it fails.
But I agree, it is not noticeable for most things. Users mostly use their web browser these days and expect to just click reload.
Failover tests on the VPN? Or something else?
Tests on local LAN and S2S VPN. Client VPN needs to reconnect, as mentioned by @PhilipDAth.
Thanks for that info.
On firewall rules for other one-to-one NATs, is that using a virtual MAC address between the two devices?
For instance, I have WAN for MX1, WAN for MX2, and then the VIP for that. I have other NAT rules for the rest of the /29 block - one of those being SIP.
Am I going to have a problem with upstream ARP cache? Or does it use a virtual MAC address like I read about?
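A way to measure both points raised in this thread in one test run, as an added example that is not code from the thread or from Meraki: the "try a long-running TCP connection" suggestion above, and the upstream ARP question in this last post. Run from a Linux host upstream of the MX pair while you trigger a failover. It pings the VIP every second, holds one idle TCP session open to the VIP, and polls the host's own neighbour table for the VIP and each NAT address, so you can see in one timeline how many pings were lost, whether the TCP session survived, and whether the MAC your upstream device learned for each address changed (if it changed, the upstream ARP cache must be refreshed; if it stayed the same, a shared MAC is in use). The addresses, port and `ip neigh` invocation are assumptions; the analysis helpers are pure functions and are what the offline checks exercise.

```python
"""Failover observation harness (added example; addresses are placeholders).

Runs on a Linux host upstream of the MX pair. Correlates three things on one
timeline during a failover: ICMP loss to the VIP, survival of one long-lived
TCP session to the VIP, and the MAC this host has in its neighbour table
for the VIP and the one-to-one NAT addresses.
"""
import re
import socket
import subprocess
import sys
import threading
import time

# Matches lines of `ip neigh show` that carry a link-layer address.
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})", re.I)


def parse_neigh(output: str) -> dict:
    """Map IP -> MAC from `ip neigh show` output; FAILED/INCOMPLETE entries
    (no lladdr) are skipped."""
    table = {}
    for line in output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def outage_windows(samples):
    """samples: list of (t, ok). Return [(start, end, lost)] for each run of
    failed probes; `end` is the first successful probe after the run."""
    windows, start, lost = [], None, 0
    for t, ok in samples:
        if not ok:
            if start is None:
                start, lost = t, 0
            lost += 1
        elif start is not None:
            windows.append((start, t, lost))
            start = None
    if start is not None:
        windows.append((start, samples[-1][0], lost))
    return windows


def mac_changes(samples):
    """samples: list of (t, mac or None). Return [(t, old, new)] whenever the
    learned MAC differs from the last one seen (None = no entry, ignored)."""
    changes, prev = [], None
    for t, mac in samples:
        if mac is not None and prev is not None and mac != prev:
            changes.append((t, prev, mac))
        if mac is not None:
            prev = mac
    return changes


def ping_once(host: str, timeout_s: int = 1) -> bool:
    r = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def neigh_mac(ip: str):
    out = subprocess.run(["ip", "neigh", "show", ip], capture_output=True, text=True).stdout
    return parse_neigh(out).get(ip)


def hold_tcp(host: str, port: int, stop: threading.Event, log: list):
    """Keep one TCP session open and record when it dies. With no state sync
    between the MXs this is the session a failover is expected to break."""
    try:
        s = socket.create_connection((host, port), timeout=5)
        # Fail fast instead of waiting out long retransmit timers (Linux only).
        if hasattr(socket, "TCP_USER_TIMEOUT"):
            s.setsockopt(socket.IPPROTO_TCP, socket.TCP_USER_TIMEOUT, 5000)
        s.settimeout(2)
        while not stop.is_set():
            s.send(b"\r\n")  # minimal traffic so a dead path is noticed
            try:
                if s.recv(1) == b"":
                    raise ConnectionError("peer closed the session")
            except socket.timeout:
                pass
            time.sleep(1)
        log.append((time.time(), "tcp session still open at end of test"))
    except OSError as e:
        log.append((time.time(), f"tcp session failed: {e}"))


def run(vip: str, tcp_port: int, monitored_ips, duration_s: int):
    stop, tcp_log = threading.Event(), []
    t = threading.Thread(target=hold_tcp, args=(vip, tcp_port, stop, tcp_log), daemon=True)
    t.start()
    pings, macs = [], {ip: [] for ip in monitored_ips}
    end = time.time() + duration_s
    while time.time() < end:
        now = time.time()
        pings.append((now, ping_once(vip)))
        for ip in monitored_ips:
            macs[ip].append((now, neigh_mac(ip)))
        time.sleep(1)
    stop.set()
    t.join(timeout=5)
    return pings, macs, tcp_log


if __name__ == "__main__":
    # Placeholder addresses: VIP plus two one-to-one NAT addresses from the /29.
    vip, nat_ips = "203.0.113.10", ["203.0.113.11", "203.0.113.12"]
    pings, macs, tcp_log = run(vip, 443, [vip] + nat_ips, int(sys.argv[1]) if len(sys.argv) > 1 else 120)
    print("ICMP outage windows (start, end, lost):", outage_windows(pings))
    for ip, samples in macs.items():
        print(f"MAC changes for {ip}:", mac_changes(samples))
    for t, msg in tcp_log:
        print(time.strftime("%H:%M:%S", time.localtime(t)), msg)
```

Start it, trigger the failover about a minute in, and read the three results together: a short outage window with 2 or 3 lost pings matches the LAN observations above, a "tcp session failed" line confirms the no-state-sync behaviour, and the MAC-change list for each address answers the ARP question directly for your own upstream device.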