Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[WebApp Secure/Mykonos] Example - Binding multiple applications/backend servers to listen to multiple IPs of JWAS in HA setup

0

0

Article ID: KB30316 KB Last Updated: 31 Mar 2015Version: 1.0
Summary:

This article explains the configuration option available for a high availability (HA) scenario where there are multiple applications that are supposed to listen to unique JWAS IPs.

Symptoms:

Configuration and deployment of multiple VLANs, with a certain number of applications per VLAN; each application needs to bind to a unique JWAS IP in the HA setup.

Cause:

Solution:

The requirements are as follows; however, the KB is applicable even when there are no VLANs:

  • Multiple VLANs are present in the network.
  • N number of applications per VLAN.
  • Each application needs to bind to a unique IP of JWAS in the HA setup. For example, if there are six applications in total, then there should be six listening IPs on JWAS HA.

To accomplish this:

  • Physically connect one interface of JWAS to one VLAN. For example, eth1 connects to VLAN1 and eth2 connects to VLAN2.
  • Configure unique/different IP addresses of eth1 on each JWAS HA node. For example, eth1 on JWAS1 will be 10.10.10.1 and eth1 on JWAS2 will be 10.10.10.2. Similarly, configure eth2 of both nodes.
  • Since this is an HA setup, an alias IP cannot work here as it doesn’t help in a failover scenario. The IP should be such that it will be same and will be used by the Master node, whichever becomes the Master at a particular instant. For this scenario, traffic-vip accomplishes the task. We can define any number of traffic-vips as needed and bind them to the applications. So for example, if there are three applications in VLAN1, we should define three traffic-vips for eth1.

Note:

  • The traffic-vip configuration MUST be done ONLY on the Master node alone.
  • There will be HA failovers during the traffic-vip config setting or unsetting.

Config example:

  • eth1 of JWAS connects to VLAN1
  • eth2 of JWAS connects to VLAN2
  • VLAN1 has applications vlan1app1, vlan1app2, vlan1app3
  • VLAN2 has applications vlan2app1, vlan2app2, vlan2app3
  • eth1 of JWAS1: 10.10.10.1, eth1 of JWAS2: 10.10.10.2
  • eth2 of JWAS1: 10.10.20.1, eth2 of JWAS2: 10.10.20.2

To configure traffic-vips (assuming eth1 and eth2 are already configured with IP addresses):

cli system set traffic-vip vlan1app1ip 10.10.10.11/24
cli system set traffic-vip vlan1app2ip 10.10.10.12/24
cli system set traffic-vip vlan1app3ip 10.10.10.13/24

cli system set traffic-vip vlan2app1ip 10.10.20.11/24
cli system set traffic-vip vlan2app2ip 10.10.20.12/24
cli system set traffic-vip vlan3app3ip 10.10.20.13/24

Note that there is no need to specify the interface associated with the traffic-vip, it will be automatically detected based on the network mask.

To verify if the settings took effect, run the command cli system status. Below is an example showing the results of the command from the Master node. Note that the traffic-vip names show up under Resource Group of  the cli system status output on both nodes, but the IP addresses under network status show up only on the Master.

==========================================================================
From Master node MWAS-89:
Online: [ JWAS-89 JWAS1-88 ]

Master/Slave Set: ms_drbd_data [drbd_data]
Masters: [ JWAS-89 ]
Slaves: [ JWAS1-88 ]
Resource Group: dataServices
fs_data (ocf::heartbeat:Filesystem): Started JWAS-89
database (lsb:postgresql): Started JWAS-89
redis (lsb:mykonos-datastore): Started JWAS-89
vip (ocf::heartbeat:IPaddr2): Started JWAS-89
vip-vlan1app4ip (ocf::heartbeat:IPaddr2): Started JWAS-89
vip-vlan1app3ip (ocf::heartbeat:IPaddr2): Started JWAS-89
vip-vlan1app2ip (ocf::heartbeat:IPaddr2): Started JWAS-89
vip-vlan1app1ip (ocf::heartbeat:IPaddr2): Started JWAS-89
cluster-services (lsb:mykonos-cluster-services): Started JWAS-89
cleanup (lsb:mykonos-cluster-cleanup): Started JWAS-89

------------------------------------------------------------------------------
Network Status
------------------------------------------------------------------------------
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:e0:81:cf:62:cd brd ff:ff:ff:ff:ff:ff
inet 172.22.151.89/24 brd 172.22.151.255 scope global eth0
inet 172.22.151.90/24 brd 172.22.151.255 scope global secondary eth0
inet6 fe80::2e0:81ff:fecf:62cd/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:e0:81:cf:62:cc brd ff:ff:ff:ff:ff:ff
inet 10.10.10.2/24 brd 10.10.10.255 scope global eth1
inet 10.10.10.13/24 brd 10.10.10.255 scope global secondary eth1
inet 10.10.10.12/24 brd 10.10.10.255 scope global secondary eth1
inet 10.10.10.11/24 brd 10.10.10.255 scope global secondary eth1
==============================================================

If there is any need to remove the traffic-vip settings, the following are the command example and output. After unsetting the traffic-vip, the resource will not be listed in the cli system status.

[mykonos@JWAS1-88 ~]$ cli system unset traffic-vip vlan1app1ip
resource vip-vlan1app1ip is running on: JWAS-89
waiting for stop to finish .. done

Once all the traffic-vips are configured, applications can be bound to the respective traffic-vips as they show up under Configuration > Applications > <application_name> > Proxy / SSL Settings > Listening IP Addresses.

This configuration is still applicable for HA setup even when there are no VLANs involved and when multiple listening IPs are needed on JWAS. For non-HA setups, alias IPs can be used instead of traffic-vips when there is a requirement for multiple listening IPs.

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search