Create a Post
Showing results for 
Search instead for 
Did you mean: 

Current VSX, 2 members, HA. Migrate to LS?



We are trying to scale up for the increased VPN load due to corona. At this time, we believe that our last option is to migrate from HA to LS and have our VPN terminate on both firewalls. 


Does anyone have experience migrating from HA to LS? 

How does LS distribute VPN connections?

Do you think this is a good idea? 

Other thoughts? 

0 Kudos
3 Replies

I have migrated a cluster a while ago, this went without any problems.
The load is divided per VS, so when you have 2 heavily loaded VS's with VPN's you could make sure those are split over the 2 cluster members.
Depending on the version you can see a lot of things with cpview, here you can see the statistics and the load per VS.
On the management server you can set the weight of each VS using:
vsx_util vsls
You can also assign specific VS's to a specific cluster member.
See the VSX admin guide for the version you have.
Regards, Maarten

So you won't be able to share a single VS across two nodes. As it sounds like you expected that from original description

As for other options it depends on what's hitting the roof now - CPU? Interface?


As @Kaspars_Zibarts mentioned. You can‘t distribute one VS over both nodes.

But you can create a new VS with VPN/RemoteAccess enabled. Configure them the same encryption domain and use MEP (Multiple Entry Point). With this you can use both VS for VPN and distribute these VS over both nodes. meaning VSa is running on nodeA and VSb on nodeB.