Use IPv6 Connection Forwarding Clusters
Article ID: 167082

Products

Mobility Threat Protection, ProxySG Software - SGOS

Issue/Introduction

Scenario
 
For branches that contain multiple Edge SWGs (ProxySGs) deployed in-path, a connection can leave the company network through one Edge SWG (ProxySG) and enter the network through another Edge SWG (ProxySG).
 
Solution

Connection forwarding is designed to handle asymmetric routing issues, as described here. All the Edge SWGs (ProxySGs) that are in the critical network paths will form a cluster, so that every Edge SWG (ProxySG) knows the state of every other Edge SWG (ProxySG) in the same connection forwarding cluster. Currently, the connection forwarding tunnel is IPv4 only, but it is capable of handling both IPv4 and IPv6 traffic. 

Resolution

Deployment
 
1. Configure all ProxySGs to have both IPv4 and IPv6 connectivity. See Deploy ProxySG as an IPv6 Transitional Device.
 
2. Determine which ProxySGs need to be in the connection forwarding cluster. This is typically done by network topology inspection.
 
3. Add all the ProxySG addresses to the connection forwarding cluster:
 
#(config)connection-forwarding
#(config connection-forwarding)add <ipv4-address-sg1>
#(config connection-forwarding)add <ipv4-address-sg2>
 
Note that the list on each ProxySG must include that ProxySG's own address. Currently, the tunnel between the ProxySGs participating in the cluster is IPv4 only, but this should not impact overall usability, since the user traffic can be both IPv4 and IPv6.
 
 
4. Enable connection forwarding:
 
#(config connection-forwarding)enable
 
5. Enable the desired services. We are using HTTP in this example:
 
#(config)proxy-services
#(config proxy-services)edit "External HTTP"
#(config External HTTP)intercept transparent 80
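
The membership rules from step 3 (every list includes the appliance's own address, every member lists every other member, and entries are IPv4 because the tunnel is IPv4 only) can be checked before enabling the cluster. The following is an added example, not Broadcom code: the input dictionary, the function name and the documentation-range addresses are constructed for illustration, and the script does not parse SGOS output.

```python
import ipaddress

def check_cluster(peer_lists):
    """peer_lists maps each appliance's own tunnel address to the addresses
    entered on it with `add`. Returns a sorted list of finding strings."""
    findings = []
    members = set(peer_lists)
    for owner, peers in peer_lists.items():
        entries = set()
        for raw in peers:
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                findings.append(f"{owner}: '{raw}' is not an IP address")
                continue
            if addr.version != 4:
                # The page states the cluster tunnel is IPv4 only.
                findings.append(f"{owner}: {raw} is IPv6; tunnel is IPv4 only")
                continue
            entries.add(str(addr))
        if owner not in entries:
            # Step 3: the list must include the appliance itself.
            findings.append(f"{owner}: own address missing from its list")
        for missing in sorted(members - entries - {owner}):
            findings.append(f"{owner}: missing peer {missing}")
        for extra in sorted(entries - members):
            findings.append(f"{owner}: {extra} is not a known cluster member")
    return sorted(findings)

# Constructed sample: three appliances, two of them misconfigured.
CONSTRUCTED = {
    "192.0.2.10": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],    # correct
    "192.0.2.11": ["192.0.2.10", "192.0.2.12"],                  # forgot itself
    "192.0.2.12": ["192.0.2.10", "2001:db8::11", "192.0.2.12"],  # IPv6 entry
}

if __name__ == "__main__":
    for line in check_cluster(CONSTRUCTED) or ["cluster lists are consistent"]:
        print(line)
```
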
 

For more information about connection forwarding, see The TCP Connection Forwarding Solution.