We have two MXs of the same model, and we want to design an HA for our environment. I am considering having WAN 1 (from ISP 1) on both the main and spare MX, and WAN 2 (from ISP 2) on both the main and spare MX.
ISP1-> (MXA_Wan1, MXB_Wan1)
ISP2-> (MXA_Wan2, MXB_Wan2)
The MX also has a virtual uplink setting.
Which option is the best? Does anyone have any ideas?
Either way, you'll need two IP addresses from ISP A, and two addresses from ISP B - one for each WAN port.
The Virtual IP allows you to have an extra, third IP address that is shared between the two MXs' WAN1 ports. When using Warm Spare (which is based off VRRP), you'd have the third IP address, which points towards the Active-Primary MX. In case of a failure on the Primary MX, the Secondary MX will become Active and take over the third IP address.
If you don't use the Virtual IP, in the event of a failure on the Primary MX, for VPN connections, you'll have to manually reconfigure endpoints to use the Spare MX WAN IP. In terms of sessions, your clients may also experience short outages, as all their TCP traffic will be reset, and connections have to be re-established as your Public IP address would have changed.
However, in order to obtain a third IP address for Warm Spare, it would require your ISP to at least provide a /29 handoff, which in some cases may be a bit more difficult and more expensive.
Thanks for your response. The idea behind having one IP address from each ISP is to have the same IP address when we experience a failure in the primary MX. Some services rely on the IP address, and we don't want to lose clients' access to those services due to a failure in the primary MX.
Yes, but I'm still rather certain that it won't work if you reuse the same IP address from MX_A WAN1 on MX_B WAN1. This is what the Virtual IP is for. But you'll still need individual IP addresses on each WAN interface. WAN1 and WAN2 can be different ISPs, but still need individual IP addresses.
We have the same situation. Two different WAN connections on an HA pair of MXs. @rhbirkelund is correct that you can't have the same IP address on separate WAN interfaces - this is what the virtual IP is for.