Two devices are deployed in active/standby mode. When a VPN tunnel is established on the active device, the configurations and VPN tunnel data on the active device can be automatically synchronized to the standby device. This way, if the active device fails, business traffic can be automatically switched to the standby device.
This use case describes how to implement active/standby deployment in non-mirroring mode.
Steps
Step 1. Deploy two HQ devices in active/standby mode to form an HA cluster without traffic mirroring.
Step 2. On the active device, create a VPN tunnel interface named vpntun1. The configurations will be automatically synchronized to the standby device.
Step 3. On the HA Policy Settings page of the active device, add virtual IP addresses for the VPN-associated business interface, the internal-facing interface, and vpntun1. The configurations will be automatically synchronized to the standby device.
Step 4. On the active device, create an IPsec VPN tunnel to establish a VPN connection to the branch device, and configure a static route to access the intranet of the branch device. The configurations and tunnel data will be automatically synchronized to the standby device.
Step 5. On the branch device, create an IPsec VPN tunnel to establish a VPN connection to the HA cluster at the HQ, and set Device Address (namely, the HA cluster address) to the virtual IP address of the active device. In addition, configure a static route on the branch device to access the intranet of the HQ.
Step 6. Verify the result. The result shows that there is an IPsec VPN tunnel on each of the active and standby devices, and all bidirectional business traffic is forwarded through the active device.
Upon an active/standby switchover, business traffic is automatically switched to the new active device with almost no business interruption.
In practice, the active/standby switchover may interrupt business for about 0.5 s.
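To check the switchover interruption described above against measured data, the following added example (not part of the product documentation) derives lower and upper bounds on each interruption from probe results collected through the tunnel. The probe data is constructed, and the 100 ms probe interval and the budget values are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample, not a capture: (send time in ms, reply received?) for
# probes sent every 100 ms from a branch host to an HQ intranet host while a
# switchover is triggered on the HA cluster.
SAMPLE_PROBES = [
    (0, True), (100, True), (200, True), (300, False), (400, False),
    (500, False), (600, False), (700, False), (800, True), (900, True),
    (1000, True), (1100, False), (1200, True),
]

@dataclass
class Outage:
    first_lost_ms: int
    last_lost_ms: int
    lower_ms: int            # traffic was down at least this long
    upper_ms: Optional[int]  # and at most this long; None if the run of
                             # losses touches the start or end of the data

def find_outages(probes):
    """Group consecutive lost probes into outages with duration bounds."""
    probes = sorted(probes)  # tolerate out-of-order records
    outages, i = [], 0
    while i < len(probes):
        if probes[i][1]:
            i += 1
            continue
        j = i
        while j + 1 < len(probes) and not probes[j + 1][1]:
            j += 1
        bracketed = i > 0 and j + 1 < len(probes)
        upper = probes[j + 1][0] - probes[i - 1][0] if bracketed else None
        outages.append(Outage(probes[i][0], probes[j][0],
                              probes[j][0] - probes[i][0], upper))
        i = j + 1
    return outages

def verdict(outage, budget_ms):
    """Compare one outage with an interruption budget (assumed value)."""
    if outage.lower_ms > budget_ms:
        return "exceeds"
    if outage.upper_ms is not None and outage.upper_ms <= budget_ms:
        return "within"
    return "inconclusive"  # bounds straddle the budget: probe faster

if __name__ == "__main__":
    for o in find_outages(SAMPLE_PROBES):
        print(o, verdict(o, 500))
```

With 100 ms probes, an interruption near 0.5 s is reported as inconclusive against a 500 ms budget, because the bounds are only as tight as the probe interval.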