
ZTNA Cluster - make sessions sticky

Hello,

Is it possible to make resources/sessions sticky to a cluster node?

Because the services behind it often do not like changing IPs.

Sven



This thread was automatically locked due to age.
  • Hi Sven, Currently there is no way to make resources/sessions sticky to a particular node in a gateway cluster.

    If I understand correctly, you have a 3-node ZTNA gateway cluster configured to operate in a 2-arm mode. And for the external interface, you have chosen to use the Cluster VIP for load balancing instead of an external load balancer. So, in a clientless approach, requests going to the application behind the gateway could be from different cluster nodes and hence different source IPs. Would you know if the application that is being accessed has source IP as one of the parameters for authorization? 

    As a workaround, can you please try accessing the same application using an agent-based approach to see if the same behaviour is seen?

  • I have a 1-arm ZTNA 3-node cluster. Load balancing is done by ZTNA.

    We are testing with Znuny; I have changed it to not check the session IP, but it is not working. This might lead to problems with other applications too.

    Is SNATing the traffic to the cluster IP an option as a workaround?

    Should I use UTM/SG load balancing instead of ZTNA balancing?

    Tested agent-based: the cluster node is not switching when accessing the resources.

    Agentless, the access is switching between cluster nodes rapidly.

    Sven

  • Hi Sven, SNATing traffic might not be helpful in this case. We will try to reproduce this scenario in house and get back to you on this. In the meantime, hopefully, the agent-based approach solves the use case for the time being. 

  • The use case is agentless, because the customer wants to make some internal resources available to all users (users are on company Central notebooks, but there are also users without a company device), but wants M365/2FA in front.

    I will check per application, and do an SNAT to the internal resource using the ZTNA cluster IP.

    Question: when I have agentless and agent-based access for the same resource, how should I do the setup?

    The customer will not like to use different domain names. May I use the same name for both?

    Sven
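The failure mode discussed in this thread, shown as an added example that is not part of the original posts: a web application binds each login session to the client's source IP, and agentless requests reach it from whichever cluster node forwarded them, so the session is invalidated as the source IP flaps. The same replay is then run with every request SNATed to the cluster VIP, which is the workaround Sven proposes. The node and VIP addresses, the round-robin node selection, the session store and the "check remote IP" switch are all constructed for the demo; the switch mirrors the generic session-IP check Sven turned off in Znuny, not that product's actual code.

```python
"""Added example (not from the thread): emulate an application that binds a
login session to the client's source IP and replay requests as they would
arrive through a 3-node ZTNA gateway cluster, with and without SNAT to the
cluster VIP. All addresses, session IDs and settings are constructed."""

from dataclasses import dataclass, field
from itertools import cycle

# Constructed addresses: three gateway nodes and the cluster VIP.
NODE_IPS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
CLUSTER_VIP = "10.0.0.10"


@dataclass
class Request:
    session_id: str
    src_ip: str


@dataclass
class SessionStore:
    """Generic 'check session IP' behaviour (assumed; not Znuny's real code)."""
    check_remote_ip: bool
    sessions: dict = field(default_factory=dict)   # session_id -> bound IP
    rejected: list = field(default_factory=list)

    def handle(self, req: Request) -> bool:
        bound = self.sessions.get(req.session_id)
        if bound is None:
            # First request establishes the session and binds it to the IP.
            self.sessions[req.session_id] = req.src_ip
            return True
        if self.check_remote_ip and bound != req.src_ip:
            # Different source IP for a known session: the app rejects it.
            self.rejected.append(req)
            return False
        return True


def via_cluster(n: int, session_id: str = "sess-1") -> list:
    """Agentless traffic: each request may leave a different node.
    Round-robin over the nodes is an assumption for the demo."""
    return [Request(session_id, ip) for ip, _ in zip(cycle(NODE_IPS), range(n))]


def snat_to_vip(reqs: list) -> list:
    """Workaround from the thread: SNAT all traffic to the cluster IP."""
    return [Request(r.session_id, CLUSTER_VIP) for r in reqs]


def replay(reqs: list, check_remote_ip: bool) -> tuple:
    """Run the requests through the app; return (accepted, rejected) counts."""
    store = SessionStore(check_remote_ip)
    accepted = sum(1 for r in reqs if store.handle(r))
    return accepted, len(store.rejected)


def source_ip_flaps(reqs: list) -> dict:
    """Distinct source IPs per session as the app sees them.
    A value above 1 means there is no stickiness in front of the app."""
    seen = {}
    for r in reqs:
        seen.setdefault(r.session_id, set()).add(r.src_ip)
    return {sid: len(ips) for sid, ips in seen.items()}


if __name__ == "__main__":
    reqs = via_cluster(9)
    print("distinct IPs per session :", source_ip_flaps(reqs))
    print("IP check on, no SNAT     :", replay(reqs, True))
    print("IP check on, SNAT to VIP :", replay(snat_to_vip(reqs), True))
    print("IP check off, no SNAT    :", replay(reqs, False))
```

With the IP check on and no SNAT, only the requests that happen to leave the node the session was first bound to are accepted; SNAT to the VIP, or turning the check off, makes every request succeed. If an application still breaks after its own IP check is disabled, as Sven reports, the binding is somewhere else (another setting, a reverse proxy, or a second application-level check), and counting distinct source IPs per session from the application's access log is the quickest way to confirm whether the source IP is in fact still changing.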