Using a Load Balancer
Overview
In active/active mode, you have the option of using an external load balancer with a cluster. If you do use a load balancer, all the nodes actively handle user requests sent by the load balancer or by round-robin DNS. The load balancer hosts the cluster VIP and routes user requests to a node defined in its cluster group based on source-IP routing. If a node goes offline, the load balancer redistributes the load across the remaining active nodes. Users do not need to sign in again; however, session information entered a few seconds before the machine went offline, such as cookies and passwords, may not have been synchronized to the current device, in which case users may need to sign in to back-end Web servers again.
The cluster itself does not perform any automatic fail-over or load-balancing operations, but it does synchronize state data (system, user, and log data) among cluster members. When an off-line device comes back online, the load balancer adjusts the load again to distribute it among all active members. This mode provides increased throughput and performance during peak load but does not increase scalability beyond the total number of licensed users.
The system synchronizes state data on all nodes if you add or delete the host entry on the Network Settings pages. If you add or delete the host entry using the Clustering tab for a cluster member, the state data affects only the node and the system does not synchronize the data across the entire cluster.
The system hosts an HTML page that provides service status for each node in a cluster. External load balancers can check this resource to determine how to effectively distribute the load among all the cluster nodes.
illustrates an active/active cluster configuration in which the devices have enabled external ports.
This active/active cluster configuration is deployed behind an external load balancer. You can deploy a cluster pair or multi-unit cluster in active/active mode. User requests are directed to the cluster VIP defined on the load balancer, which routes them to the appropriate machine.
Requirements and Limitations
When choosing and configuring a load balancer for your cluster, we recommend that you ensure the load balancer:
•Supports IPsec
•Listens for traffic on multiple ports
•Can be configured to manage traffic using assigned source and destination IP addresses (not destination port)
Configuring a Load Balancer
The load balancer is configured externally.
Health Checking a Server from a Load Balancer
Purpose
The system hosts an HTML page that provides service status for each node in a cluster. External load balancers can check this resource to determine how to effectively distribute the load among all the cluster nodes.
Action
To perform the Layer 7 health check for a node:
•In a browser, enter the URL: https://Pulse Connect Secure Controller-Hostname/dana-na/healthcheck/healthcheck.cgi?status=SBR
This returns the Steel Belted Radius (SBR) status (SBR_AVAILABLE) with either HTTP Status 200 OK or 500 Internal Error. If SBR_AVAILABLE is 0, SBR is down. If SBR_AVAILABLE is 1, SBR is up and performing transactions.
•https://Pulse Connect Secure Controller-Hostname/dana-na/healthcheck/healthcheck.cgi?status=all
This returns either HTTP Status 200 OK or 500 Internal Error. If it returns HTTP Status 200 OK, the following additional parameters are shown:
| Parameter Name | Value | Description |
|---|---|---|
| CPU-UTILIZATION | 0-100 | Specifies the CPU utilization percentage (0-100). |
| SWAP-UTILIZATION | integer | Specifies the swap utilization percentage of the device (0-100). |
| DISK-UTILIZATION | integer | Specifies the used disk space percentage (0-100). |
| SSL-CONNECTION-COUNT | integer | Specifies the total number of SSL connections. |
| USER-COUNT | integer | Specifies the total number of licensed users logged in to the device. This does not include any MAC address users or Radius users. |
| MAX-LICENSED-USERS-REACHED | boolean | Specifies whether the maximum number of licensed users has been reached. |
| VPN-TUNNEL-COUNT | integer | Specifies the number of concurrent Ivanti IPSec, Network Connect and IKEv2 tunnels. |
| PLATFORM-LIMIT | integer | Specifies the maximum user limit on PSA hardware. |
| MAXIMUM-LICENSE-COUNT | integer | Specifies the maximum licenses installed directly on the PSA hardware or fetched from the license server. |
| CLUSTER-NAME | String | Specifies the name given to the cluster. The name must be unique across the network. |
The following example performs the Layer 7 health check from an external load balancer:
•GET /dana-na/healthcheck/healthcheck.cgi?status=all HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; MS-RTC LM 8; .NET4.0E)\r\nHost: localhost\r\n\r\n\r\n
Health checks use a receive string. The receive string is configured on the load balancer and decides whether a node is marked as active or inactive. It is a regular expression that checks for a value present in the response. For example, Ivanti Connect Secure sends a page to the load balancer that contains USER-COUNT=25, indicating that the number of active licensed users on that device is 25.
A receive string of USER-COUNT\=([0-9]|[0-9][1-9]|100); means: check whether USER-COUNT is between 0 and 100. In this example, 25 is between 0 and 100, so the load balancer marks the device as active and considers it for load balancing. Suppose more users log in to the device and it now sends USER-COUNT=150 to the load balancer. This value is out of range, so the load balancer marks the device as inactive and stops sending traffic to it. Active sessions, however, continue to pass through the device.
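The following added example (not code from the product documentation) parses a status=all response and applies the receive string from the text to it. The NAME=VALUE; body layout is an assumption used to construct sample input; the second receive string is a variant that also accepts the multiples of ten (10, 20, ..., 90), which the page's [0-9][1-9] alternative does not match.

```python
import re

# Receive string exactly as given in the text above (the "\=" escape is harmless).
PAGE_RECEIVE_STRING = r"USER-COUNT\=([0-9]|[0-9][1-9]|100);"
# Variant that also matches 10, 20, ..., 90; otherwise the same 0-100 range.
FIXED_RECEIVE_STRING = r"USER-COUNT=([0-9]|[1-9][0-9]|100);"


def build_status_body(**params) -> str:
    """Construct a status=all body as NAME=VALUE; lines (layout is assumed)."""
    return "".join(f"{k.replace('_', '-')}={v};\n" for k, v in params.items())


def parse_status(body: str) -> dict:
    """Return the NAME=VALUE; pairs in the body as a dict of strings."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"([A-Z][A-Z-]*)=([^;\r\n]*);", body)}


def node_is_active(body: str, receive_string: str) -> bool:
    """Apply a load balancer receive string (a regular expression) to the body."""
    return re.search(receive_string, body) is not None


def drain_reasons(body: str, user_limit: int = 100, cpu_limit: int = 90) -> list:
    """Independent checks on the parsed parameters, for balancers that can
    evaluate more than one condition. The limits are example values."""
    p = parse_status(body)
    reasons = []
    if int(p.get("USER-COUNT", 0)) > user_limit:
        reasons.append("user count above limit")
    if p.get("MAX-LICENSED-USERS-REACHED", "0") not in ("0", "false"):
        reasons.append("licensed user maximum reached")
    if int(p.get("CPU-UTILIZATION", 0)) > cpu_limit:
        reasons.append("cpu utilization above limit")
    return reasons


if __name__ == "__main__":
    for count in (25, 10, 150):
        body = build_status_body(USER_COUNT=count)
        print(count, node_is_active(body, PAGE_RECEIVE_STRING),
              node_is_active(body, FIXED_RECEIVE_STRING))
```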