icon-zia.svg
Secure Internet and SaaS Access (ZIA)

Virtual Service Edge Configuration Guide for Dual Arm Mode

Use a dual arm configuration for your ZIA Virtual Service Edges if you have an environment that requires your Virtual Service Edges to use two zones: a disconnected network or isolate the internet zone from the internal users and another that faces the internet.

The dual arm configurations of Virtual Service Edges for your organization might be required in the following scenarios:

  • This deployment is used when you expect the following in a standalone mode:

    • Internal user traffic to access internal or external servers.
    • Remote user traffic from the internet-facing side to access internal or external servers.

    Screenshot of ZIA Virtual Service Edge Dual Arm Configuration in Standalone Mode

    To deploy the Virtual Service Edge using the dual arm configuration in standalone mode with external or no load balancer:

    You must add the internal-facing proxy IP address (i.e., em1) to the Proxy IP Address field and select Standalone for the Deployment Mode field.

    • 2. Download the Virtual Service Edge VM.
    • 3. Download the Virtual Service Edge certificates.

    • Add a location and bind the standalone Virtual Service Edge to it so your organization can enable features such as authentication, firewall, SSL inspection, and location-level policies. The service associates the traffic that it receives on the Virtual Service Edge with its location and applies the features and policies configured for the location.

      To bind a Virtual Service Edge to a location:

      1. Go to Administration > Locations.

      2. Click Add Location or click the Edit icon for an existing location.

        The Add Location or Edit Location window appears.

      3. In the Add Location or Edit Location window, select the standalone Virtual Service Edge you want to bind to the location.

        To learn more about the other fields, see Configuring Locations.

      4. Click Save.
      Close

    • Zscaler performs ICMP and HTTP monitoring from the switch/vswitch to the Virtual Service Edge to monitor the health of the Virtual Service Edge. For health probes to work, you must create a Firewall Filtering rule to allow all Virtual Service Edge proxies.

      To create a Firewall Filtering rule:

      1. Go to Policy > Firewall Control.

      2. Click Add Firewall Filtering Rule.

        The Add Firewall Filtering Rule window appears.

      3. In Add Firewall Filtering Rule window, click the Source IP tab.

      4. In IP Addresses, add the Proxy IP address for your Virtual Service Edges.

        To learn more about the other fields, see Configuring Firewall Filtering Policy.

      5. Under Network Traffic, select Allow.
      6. Click Save and activate the change.
      Close

    • To configure a new VM on the VMware ESXi server:

      1. Log in to the vSphere client.
      2. Go to File > Deploy OVF Template.
      3. Use the Deploy OVF Template wizard to deploy the Virtual Service Edge VM.
      4. Accept all defaults to import the Virtual Service Edge VM.
      5. Select the Virtual Service Edge VM and click either the Power On button or Power On the virtual machine.

      6. On the Console tab, log in to the FreeBSD command prompt with the following credentials:

        • Username: zsroot
        • Password: zsroot

        The following guidelines apply:

        • Zscaler strongly recommends that you change this default password by running the passwd command.
        • Direct root login is not permitted. Administrators must use the sudo utility to run a command with higher privileges.

      7. Run the following command to configure the network:

        sudo vzen configure-network
      8. Specify the following information:
        • Address of the DNS server (e.g., 10.84.0.100) used for name resolution of Zscaler cloud domains and also for domain names in the proxy traffic.
        • Management interface IP with CIDR netmask. You use the management IP address (e.g., 10.84.0.110/24) for SSH or FTP.
        • Default gateway IP address (e.g., 10.84.0.200).
        • Hostname of the Virtual Service Edge
      9. Install the SSL certificates of the Virtual Service Edge instances. These are the certificates that you downloaded from the ZIA Admin Portal. A Virtual Service Edge uses this certificate to authenticate itself to the Zscaler service. When you configure a Virtual Service Edge, ensure that you upload the correct certificate for each Virtual Service Edge instance.
        1. Go to the SSL certificate that you saved.
        2. Use SCP or SFTP to upload it to the management IP address of the Virtual Service Edge.
        3. On the vSphere client, click the Console tab, and log in with the following credentials:
          Username: zsroot
          Password: zsroot
        4. Go to the Console tab or use SSH to connect to the management IP address.

        5. Run the following command:

          sudo vzen install-cert <cert-bundle.zip>

          Ensure to specify the absolute path to the SSL certificates (e.g., sudo vzen install-cert /tmp/cert-bundle.zip).

      10. If you installed the Cavium NITROX card in your server, do the following:
        1. On the vSphere client, click the Configuration tab.
        2. Click Edit...
          In the Mark devices for passthrough window, select the Cavium NITROX card.
        3. Select the Virtual Service Edge to which the Cavium NITROX card needs to be added. Ensure that the Virtual Service Edge is powered off. Then, click Edit virtual machine settings. In the Virtual Machine Properties window, click Add...
        4. Select PCI Device, then click Next.
        5. Select the Cavium NITROX card from the drop-down menu, then click Next.
        6. Click Finish to add the Cavium NITROX card.
        7. Click OK to finish the setup.

        8. Run the following command to configure the card:

          sudo vzen install-nitrox
      11. (Optional) if you want to use an SNMP management system to monitor the Virtual Service Edge, enable SNMP for Virtual Service Edge and configure SNMP parameters. Virtual Service Edges support SNMPv3 only.

        1. Run the following command:

          sudo vzen snmp-admin-configure
        2. Enter a user name for the SNMPv3 management system that sends queries to the Virtual Service Edge. The Virtual Service Edge accepts queries from this user name only.
        3. Enter a password that the Virtual Service Edge uses to authenticate the SNMP management system.
        4. Specify which authentication protocol the Virtual Service Edge can use to authenticate the SNMP user. Enter either MD5 or SHA1.
        5. Specify the encryption method the Virtual Service Edge can use to authenticate the SNMP user. Enter either DES or AES.

        6. Run the following command:

          sudo vzen snmp-trap-configure
        7. When asked which traps you want to configure, enter v3 traps.
        8. Enter the IP address of the SNMP trap management system to which the Virtual Service Edge sends traps.
        9. Enter a user name for the SNMP management system.
        10. Enter a password that the Virtual Service Edge uses to authenticate the SNMP management system.
        11. Specify which authentication protocol the Virtual Service Edge can use to authenticate the SNMP user. Enter either MD5 or SHA1.
        12. Specify the encryption method the Virtual Service Edge can use to authenticate the SNMP user. Enter either DES or AES.

        13. Download the Virtual Service Edge build and start the Virtual Service Edge.

          1. On the vSphere client, click the Console tab or use SSH to connect to the management IP address.
          2. Run the following command to download the Virtual Service Edge build:
          sudo vzen download-build

          The initial build is around 1 GB, so it might take a while depending on your internet connection. The downloaded build is automatically installed. The Virtual Service Edge automatically starts after the installation is complete.

      Close

    • Start the VM. After the VM is started, create 4 virtual interfaces.

      By default, your Virtual Service Edge has the following interfaces:

      • em0: Internet-facing Management interface. This management communication is used for downloading software updates, SSH, SNMP, NTP, etc. This is configured on the CLI using the following command:

        sudo vzen configure-network
      • em1: Internal-facing Proxy interface. The interface that receives user traffic from the internal side. This is configured in the ZIA Admin Portal.

      In the dual arm configuration, you must configure two extra interfaces for each of your Virtual Service Edges:

      • em2: Internet-facing Proxy interface. The interface that receives user traffic from the internet-facing side. This is configured in the /sc/sme/conf/vzen_custom.conf file.

      • em3: (Optional) Internal-facing Management interface.

        em3 is not required if em0 is configured to connect to Zscaler cloud nodes (i.e., CA, CDSS, etc.).

      Close

    • To prepare vSphere for the configuration:

      1. Shut down your Virtual Service Edge and power off the virtual machine (VM).
      2. Using vSphere, add two additional interfaces and map them to the appropriate network or VLAN (em2 and em3).
      3. Add the em0 and em2 interfaces to the internet-facing network.
      4. Add the em1 and em3 interfaces to the internal-facing network.
      5. Restart the Virtual Service Edge.

      Depending on your deployment type (explicit or transparent), you might need to set VMware-specific parameters such as Promiscuous Mode.

      Close

    • To configure the DNS server, management interface em0, and default route out:

      1. Log in to the VM from the VMware ESXi portal.

        Use zsroot as the username and password. Ensure to change the password after logging in.

      2. Run the following command:

        sudo vzen configure-network

      You can now log in to the internet-facing Management IP address (i.e., em0) using SSH.

      Close

    • You need to configure an additional proxy interface, em2. The proxy interface processes user traffic from the switch/vswitch on the internet-facing side.

      To configure an additional proxy interface:

      1. Log in to the VM.
      2. Update the /etc/rc.conf system configuration file. To do this:

        1. Enter the following command:

          sudo vi /etc/rc.conf
        2. Modify the "network_interfaces=" line to include em2.

      3. Enter the following command:

        cd /sc/sme/conf
      4. Create a new file called vzen_custom.conf.

      5. Add the following lines:

        [SME]
smnet_dev=em2=zs1:<em2 Internet facing proxy IP/Mask>
smnet_route="<subnet/subnetmask/internal facing gateway>"
smnet_dflt_gw=<Default Gateway>
system_ip=<em2 Internet facing proxy IP>
[-end-of-SME-]

        Replace all text in red with the appropriate values.

        For example, to add an additional proxy interface:

        [root@perf-vzen ]:-$cat /sc/sme/conf/vzen_custom.conf
[SME]
smnet_dev=em2=zs1:10.66.2.70/24
smnet_route="10.65.1.220/32/10.66.105.254,10.72.5.2/32/10.66.105.254"
smnet_dflt_gw=10.66.2.254
system_ip=10.66.2.70
[-end-of-SME-]

        If you want to route the traffic through internal-facing interfaces (e.g., to access internally hosted servers), use smnet_route for em1, or else remove it.

      Close

    • You need to configure an additional management interface, em3. If configured, this interface provides inbound access from the management interface to the Central Authority (CA) to receive updates for your Virtual Service Edge.

      If em0 is configured to get updates from CA and CDSS, em3 is optional.

      To configure an additional management interface:

      1. Run ifconfig to ensure that the em3 interface is active.
      2. Update the /etc/rc.conf system configuration file. To do this:

        1. Enter the following command:

          sudo vi /etc/rc.conf
        2. Modify the "network_interfaces=" line to include em3.

        3. Add the following line to the end of the file:

          ifconfig_em3="<IP Address>"

          Replace <IP Address> with the IP address in your subnet which is internal-facing (user network).

        4. (Optional) The default gateway is automatically added via the em0 interface. To add a static route to a different subnet or VLAN, add the following to the end of the file:

          static_routes="em3_internal"
route_em3_internal="-net <Destination Subnet> <Gateway IP Address>"

          Replace <Destination Subnet> with the IP subnet of the user network/internal network and replace <Gateway IP Address> with your desired gateway IP address (ideally the inside router).

          For example, to add a static route to a different subnet or VLAN:

          static_routes="em3_internal"
route_em3_internal="-net 10.0.0.0/8 10.88.44.1"
      3. Restart the VM.
      4. Verify the configuration:
        1. Ping the newly added subnet gateway.

        2. Print the route information by entering the following command:

          sudo netstat -rn
      Close

    • To restart the Virtual Service Edge:

      1. Log in to the VM.
      2. Enter the following command:
      sudo vzen restart
      Close

    Ensure that the autostart for Virtual Service Edge services is enabled.

    You can test this deployment by connecting to the em2 IP address and port 80. Alternatively, configure a browser with em2 (i.e., <em2 IP address>:80) and then send traffic and apply policies. The em2 serves the traffic to the internet. You can verify if the traffic is following the correct path using the PCAP files.

    If smnet_route is configured, then the server is accessed through the em1 interface.

    If SSL decryption is enabled, the Zscaler root certificate must be installed. You can also disable authentication for servers without federated user identities.

    Close

  • This deployment is used when you expect the following in a cluster mode:

    • Internal user traffic to access internal or external servers.
    • Remote user traffic from the cluster IP on the internal-facing side to access internal servers.

    To learn more, see About Virtual Service Edge Clusters and Configuring Virtual Service Edge Clusters.

    ZIA Network diagram illustrating traffic flow of a Virtual Service Edge in dual arm mode.

    Each of your Virtual Service Edges need two additional IPs for this dual arm configuration. The cluster IP is the proxy gateway that users point to. It’s also the VIP for the Virtual Service Edges. To learn more, see Locating the Virtual IP Addresses for ZIA Public Service Edges.

    By default, your Virtual Service Edge has the following interfaces:

    • em0: Internet-facing Management interface. This management communication is used for downloading software updates, SSH, SNMP, NTP, etc. This is configured on the CLI using the following command:

      sudo vzen configure-network
    • em1: Internal-facing Proxy interface. The interface that receives internal user/remote user traffic from the internal side. This is configured in the ZIA Admin Portal.
    • em2: Internal-facing The LB service interface. The interface in the user network that receives user traffic from the internal-facing cluster IP. This is configured in the ZIA Admin Portal.

    In the dual arm configuration, you must configure two extra interfaces for each of your Virtual Service Edges:

    • em3: Internet-facing Proxy interface. The interface that forwards user traffic to the internet. This is configured in the /sc/sme/conf/vzen_custom.conf file.

    • em4: (Optional) Internal-facing Management IP address.

      em4 is not required if em0 is configured to connect to Zscaler cloud nodes (i.e., CA, CDSS, etc.).

    To deploy the Virtual Service Edge using the dual arm configuration in cluster mode with user traffic on one arm:

    Repeat these steps for all of your additional Virtual Service Edges.

    • To prepare vSphere for the configuration:

      1. Shut down your Virtual Service Edge and power off the virtual machine (VM).
      2. Using vSphere, add two additional interfaces and map them to the appropriate network or VLAN (em3 and em4).
      3. Add the em0 and em3 interfaces to the internet-facing network.
      4. Add the em1, em2, and em4 interfaces to the internal-facing network.
      5. Restart the Virtual Service Edge.
      Close

    • You need to configure the additional proxy interface, em3. The proxy interface processes internet traffic.

      To configure an additional proxy interface:

      1. Log in to the VM.
      2. Update the /etc/rc.conf system configuration file. To do this:

        1. Enter the following command:

          sudo vi /etc/rc.conf
        2. Modify the "network_interfaces=" line to include em3.

      3. Enter the following command:

        cd /sc/sme/conf
      4. Create a new file called vzen_custom.conf.

      5. Add the following lines:

        [SME]
smnet_dev=em3=zs1:<em3 Internet facing proxy IP/Mask>
smnet_route="<subnet/subnetmask/internal facing gateway>"
smnet_dflt_gw=<Default Gateway>
system_ip=<em3 Internet facing proxy IP>
[-end-of-SME-]

        For example, to add an additional proxy interface:

        [root@perf-vzen ]:-$cat /sc/sme/conf/vzen_custom.conf
[SME]
smnet_dev=em3=zs1:10.66.2.70/24
smnet_route="10.65.1.220/32/10.66.105.254,10.72.5.2/32/10.66.105.254"
smnet_dflt_gw=10.66.2.254
system_ip=10.66.2.70
[-end-of-SME-]

        If the internal users are not on the same VLAN as the Virtual Service Edge internal network, ensure to add reverse routes (i.e., smnet_route="<subnet/subnetmask/internal facing gateway>") on the Virtual Service Edge for such internal networks.

        Replace all text in red with the appropriate values.

      Close

    • You need to configure an additional management interface, em4. If configured, this interface provides inbound access from the management interface to the Central Authority (CA) to receive updates for your Virtual Service Edge.

      If em0 is configured to get updates from CA and CDSS, em4 is optional.

      To configure an additional management interface:

      1. Run ifconfig to ensure that the em4 interface is active.
      2. Update the /etc/rc.conf system configuration file. To do this:

        1. Enter the following command:

          sudo vi /etc/rc.conf
        2. Modify the "network_interfaces=" line to include em4.

        3. Add the following line to the end of the file:

          ifconfig_em4="<IP Address>"

          Replace <IP Address> with the IP address in your subnet which is internal-facing (user network).

        4. (Optional) The default gateway is automatically added via the em0 interface. To add a static route to a different subnet or VLAN, add the following to the end of the file:
        5. static_routes="em4_internal"
route_em4_internal="-net <Destination Subnet> <Gateway IP Address>"

          Replace <Destination Subnet> with the IP subnet of the user network/internal network and replace <Gateway IP Address> with your desired gateway IP address (ideally the inside router).

        6. Restart the VM.
        7. Verify the configuration:
          1. Ping the newly added subnet gateway.

          2. Print the route information by entering the following command:

            sudo netstat -rn
      Close

    • After you have configured the additional interfaces, restart your Virtual Service Edge.

      To restart the Virtual Service Edge:

      1. Log in to the VM.

      2. Enter the following command:

        vzen restart

      Ensure that the autostart for Virtual Service Edge services is enabled.

      Close
    Close

  • This deployment is used when you expect the following in a cluster mode:

    • Internal user traffic to access internal or external servers.
    • Remote user traffic from the cluster IP on the internet-facing side to access internal or external servers.

    To learn more, see About Virtual Service Edge Clusters and Configuring Virtual Service Edge Clusters.

    ZIA Network diagram illustrating traffic flow of a Virtual Service Edge in dual arm mode.

    Each of your Virtual Service Edges need three additional IPs for a dual arm configuration. The cluster IP is the proxy gateway that users point to. It’s also the VIP for the Virtual Service Edges. To learn more, see Locating the Virtual IP Addresses for ZIA Public Service Edges.

    By default, your Virtual Service Edge has the following interfaces:

    • em0: Internet-facing Management interface. This management communication is used for downloading software updates, SSH, SNMP, NTP, etc. This is configured on the CLI using the following command:

      sudo vzen configure-network
    • em1: Internal-facing Proxy interface. The interface that receives user traffic from the internal side. This is configured in the ZIA Admin Portal.
    • em2: Internal-facing LB service interface. The interface in the user network that receives user traffic from the internal-facing cluster IP. This is configured in the ZIA Admin Portal.

    In the dual arm configuration, you must configure three extra interfaces for each of your Virtual Service Edges:

    • em3: Internet-facing Proxy interface. The interface that receives/forwards user traffic from/to the internet. This is configured in the /sc/sme/conf/vzen_custom.conf file.
    • em4: Internet-facing LB service interface. The interface in the internet-facing network that receives user traffic from the internet-facing cluster IP. This LB communication is used for downloading policies and uploading logs from the Central Authority (CA).

    • em5: (Optional) Internal-facing Management interface.

      em5 is not required if em0 is configured to connect to Zscaler cloud nodes (i.e., CA, CDSS, etc.).

    To deploy the Virtual Service Edge using the dual arm configuration in cluster mode with user traffic on both arms:

    Repeat these steps for all of your additional Virtual Service Edges.

    • To prepare vSphere for the configuration:

      1. Shut down your Virtual Service Edge and power off the VM.
      2. Using vSphere, add 3 additional interfaces and map them to the appropriate network or VLAN (em3, em4, and em5).
      3. Add the em0, em3, and em4 interfaces to the internet-facing network.
      4. Add the em1, em2, and em5 interfaces to the internal-facing network.
      5. Restart the Virtual Service Edge.
      Close

    • You need to configure an additional proxy interface, em3. The proxy interface processes internet traffic from the cluster IP. The cluster IP is where your users push their traffic to.

      To configure an additional proxy interface:

      1. Log in to the VM.
      2. Update the /etc/rc.conf system configuration file. To do this:

        1. Enter the following command:

          sudo vi /etc/rc.conf
        2. Modify the "network_interfaces=" line to include em3.

      3. Enter the following command:

        cd /sc/sme/conf
      4. Create a new file called vzen_custom.conf.

      5. Add the following lines:

        [SME]
smnet_dev=em3=zs1:<em3 Internet facing proxy IP/Mask>
smnet_route="<subnet/subnetmask/internal facing gateway>"
smnet_dflt_gw=<Default Gateway>
system_ip=<em3 Internet facing proxy IP>
[-end-of-SME-]

        For example, to add an additional proxy interface:

        [root@perf-vzen ]:-$cat /sc/sme/conf/vzen_custom.conf
[SME]
smnet_dev=em3=zs1:10.66.2.70/24
smnet_route="10.65.1.220/32/10.66.105.254,10.72.5.2/32/10.66.105.254"
smnet_dflt_gw=10.66.2.254
system_ip=10.66.2.70
[-end-of-SME-]

        If the internal users are not on the same VLAN as the Virtual Service Edge internal network, ensure to add reverse routes (i.e., smnet_route="<subnet/subnetmask/internal facing gateway>") on the Virtual Service Edge for such internal networks.

        Replace all text in red with the appropriate values.

      Close

    • You need to configure an additional management interface, em5. If configured, this interface provides inbound access from the management interface to the CA to receive updates for your Virtual Service Edge.

      If em0 is configured to get updates from CA and CDSS, em5 is optional.

      To configure an additional management interface:

      1. Run ifconfig to ensure that the em5 interface is active.
      2. Update the /etc/rc.conf system configuration file. To do this:

        1. Enter the following command:

          sudo vi /etc/rc.conf
        2. Modify the "network_interfaces=" line to include em5.

        3. Add the following line to the end of the file:

          ifconfig_em5="<IP Address>"

          Replace <IP Address> with the IP address in your subnet which is internal-facing (user network).

        4. (Optional) The default gateway is automatically added via the em0 interface. To add a static route to a different subnet or VLAN, add the following to the end of the file:
        5. static_routes="em5_internal"
route_em5_internal="-net <Destination Subnet> <Gateway IP Address>"

          Replace <Destination Subnet> with the IP subnet of the user network/internal network and replace <Gateway IP Address> with your desired gateway IP address (ideally the inside router).

        6. Restart the VM.
        7. Verify the configuration:
          1. Ping the newly added subnet gateway.

          2. Print the route information by entering the following command:

            sudo netstat -rn
      Close

    • You need to configure an additional LB interface, em4. The load balancer process works in tandem with the proxy interface.

      To add an additional LB interface:

      1. Log in to the VM.
      2. Update the /etc/rc.conf system configuration file. To do this:

        1. Enter the following command:

          sudo vi /etc/rc.conf
        2. Modify the "network_interfaces=" line to include em4.

      3. Enter the following command:

        cd /sc/smlb/conf
      4. Create a file called vzen_custom.conf.

      5. Add the following lines:

        [SME]
smnet_dev=em4=zs1:<em4 Internet facing LB IP/Mask>
smnet_route="<subnet/subnetmask/internal facing gateway>"
smnet_dflt_gw=<Default Gateway>
system_ip=<em4 Internet facing LB IP>
[-end-of-SME-]

        Replace all text in red with the appropriate values.

        For example, to add an additional LB interface:

        [root@perf-vzen ]:-$cat /sc/smlb/conf/vzen_custom.conf
[SME]
smnet_dev=em4=zs1:10.66.2.71/24
smnet_route="10.65.1.220/32/10.66.105.254,10.70.6.2/32/10.66.105.254"
smnet_dflt_gw=10.66.2.254
system_ip=10.66.2.71
[-end-of-SME-]
      Close

    • To restart the Virtual Service Edge:

      1. Log in to the VM.

      2. Enter the following command:

        vzen restart
      Close
    Close

Configuring Cluster IP

This configuration applies only to the dual arm configuration in cluster mode with user traffic in both arms.

After configuring the dual arm for Virtual Service Edge, you must configure cluster IP based on the preceding scenarios.

To configure cluster IP for Virtual Service Edges with dual arm configuration:

  • To add cluster IP parameters to the LB interface:

    1. Log in to the VM.

    2. Enter the following command:

      vi /sc/smlb/conf/vzen_custom.conf

    3. Edit the vzen_custom.conf file to add the following lines:

      [SME]
smlb_vserver="<Increment the vserv id present in /sc/smlb/conf/vzen.conf>"
smlb_cluster="<New smlb_vserver id - configured in the preceding line>,<VIP for em4 SMLB> -h1 -T -ea -db -es -em -m5 -s<SMEID - vserv id present in /sc/sme/conf/vzen.conf>,<Dual SME IP em3>"
smlb_monitor="5 -mi -i2 -r 5 -t 2 -w1 -W100"
[-end-of-SME-]

      Replace all text in red with the appropriate values.

      Ensure to add the SMEID and SME IP to the smlb_cluster line for each of your Virtual Service Edges.

      For example, to add cluster IP parameters to the LB interface:

      [SME]
smlb_vserver="32999"
smlb_cluster="32999,10.66.2.75 -h1 -T -ea -db -es -em -m5 -m3 -s32665,10.66.2.72 -s32678,10.66.2.70 "
smlb_monitor="5 -mi -i2 -r 5 -t 2 -w1 -W100"
[-end-of-SME-]
    Close

  • To add cluster IP parameters to the proxy interface:

    1. Log in to the VM.

    2. Enter the following command:

      vi /sc/sme/conf/vzen_custom.conf

    3. Edit the vzen_custom.conf file to add the following lines:

      [SME]
smlb_server="<New smlb_vserver id - configured in the preceding step> <SMEID - vserv id present in /sc/sme/conf/vzen.conf>"
smlb_cluster="<New smlb_vserver id - configured in the preceding step>,<VIP for em4 SMLB> -h1 -T -ea -db -es -em -m5 -s<SMEID - vserv id present in /sc/sme/conf/vzen.conf>,<Dual SME IP em3>"
[-end-of-SME-]

      Replace all text in red with the appropriate values.

      Ensure to add the SMEID and SME IP to the smlb_cluster line for each of your Virtual Service Edges.

      For example, to add cluster IP parameters to the proxy interface:

      [SME]
smlb_server="32999 32678"
smlb_cluster="32999,10.66.2.75 -h1 -T -ea -db -es -em -m5 -m3 -s32665,10.66.2.72 -s32678,10.66.2.70"
[-end-of-SME-]
    Close

  • To enable the promiscuous mode for the LB interface:

    1. Log in to the VM.

    2. Enter the following command:

      sudo vi /etc/rc.conf

    3. Add the following lines:

      ifconfig_em4="down promisc"
ifconfig_em2="down promisc"
network_interfaces="lo0 em0 em1 em2 em3 em4 em5"
    Close

  • To reboot the Virtual Service Edge:

    1. Log in to the VM.

    2. Enter the following command:

      reboot
    Close

After the new interfaces are assigned, ensure they are mapped to the correct VLAN by checking the MAC addresses, as the order might be different on the VM. Also, ensure the proper format is followed while assigning the custom routes in the vzen_custom.conf file so that the next hops are reachable.

You can test whether the cluster IP addresses are available and active for the following interfaces:

  • For the LB interface, run the following command:
/sc/smlb/bin/smmgr -ys smnet="ifconfig :type any"
  • [root@perf-vzen ]:-$/sc/smlb/bin/smmgr -ys smnet="ifconfig :type any"
//+SHARED MEMORY KEY 17 (/sc/smlb/)

SMNET Interface Table
-----------------------
zs0:    flags=8903<UP,BROADCAST,PROMISC,SIMPLEX,MULTICAST>
        (zs0)=em2 metric 0 mtu 1500 type 6 [0x80be00020/0xb91013fe010]
        capabilities=db<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,POLLING,VLAN_HWCSUM>
        capenable=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        HWassist 0x6    ether: 00:50:56:9b:5f:50
        inet 10.66.105.68 netmask 0xffffff00 broadcast 10.66.105.255
        media: [no carrier] Ethernet autoselect
        Rx: Packets 18082863 Bytes 2776690390 Multicast 654535
        Tx: Packets 78884 Bytes 7362836 Multicast 11195
        Error: Rx 0 Tx 0 RxMC_drop 0 Dropped 0 Collision 0 Unsup_Proto 0
        Send queue: 0 of 50000 (0 drops) drv side 0 of 50000

zs1:    flags=8903<UP,BROADCAST,PROMISC,SIMPLEX,MULTICAST>
        (zs1)=em4 metric 0 mtu 1500 type 6 [0x80be004d0/0xb91013fde90]
        capabilities=db<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,POLLING,VLAN_HWCSUM>
        capenable=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        HWassist 0x6    ether: 00:50:56:9b:15:43
        inet 10.66.2.71 netmask 0xffffff00 broadcast 10.66.2.255
        media: [no carrier] Ethernet autoselect
        Rx: Packets 326381 Bytes 26002247 Multicast 261962
        Tx: Packets 107367 Bytes 10527037 Multicast 9411
        Error: Rx 0 Tx 0 RxMC_drop 0 Dropped 0 Collision 0 Unsup_Proto 0
        Send queue: 0 of 50000 (0 drops) drv side 0 of 50000

CARP-71:        flags=9<UP,LOOPBACK>
        (carp127)(MASTER vhid=71 advbase=1 advskew=132 sc2ifp(flags/drv_flags 0x9/0x40)
        vmac=00:00:5e:00:01:47
        initial sha1 0xd1ca7dc7:0x9f0f47e9:0x9c48b1d5:0x7de0dff6:0x185ac373 counter 0x1/0x640aee2e7163cff3
        cldname zscalerone.net sc_key )
        metric 0 mtu 1500 type 248=0xf8 [0x80be00980/0xb91087ffad0]
        HWassist 0x0    inet 10.66.105.71 netmask 0xffffffff
        Rx: Packets 0 Bytes 0 Multicast 0
        Tx: Packets 11193 Bytes 626808 Multicast 0
        Error: Rx 0 Tx 0 RxMC_drop 0 Dropped 0 Collision 0 Unsup_Proto 0
        Send queue: 0 of 50000 (0 drops) drv side 0 of 0

CARP-75:        flags=9<UP,LOOPBACK>
        (carp128)(MASTER vhid=75 advbase=1 advskew=206 sc2ifp(flags/drv_flags 0x9/0x40)
        vmac=00:00:5e:00:01:4b
        initial sha1 0xd5467984:0x99d1aa36:0xefa02b:0x9219ef2d:0xf65ff620 counter 0x1/0x66932b974af664ee
        cldname zscalerone.net sc_key )
        metric 0 mtu 1500 type 248=0xf8 [0x80be00e30/0xb91087ff790]
        HWassist 0x0    inet 10.66.2.75 netmask 0xffffffff
        Rx: Packets 0 Bytes 0 Multicast 0
        Tx: Packets 9409 Bytes 526904 Multicast 0
        Error: Rx 0 Tx 0 RxMC_drop 0 Dropped 0 Collision 0 Unsup_Proto 0
        Send queue: 0 of 50000 (0 drops) drv side 0 of 0

Profiler stats: tot calls=1, tot/min/max/avg cpu time=6863/6863/6863/6863 microseconds
    Close
  • For the proxy interface, run the following command:
/sc/sme/bin/smmgr -ys smnet="ifconfig :type any"
  • [root@perf-vzen ]:-$/sc/sme/bin/smmgr -ys smnet="ifconfig :type any"                                                                                              //+SHARED MEMORY KEY 17 (/sc/sme/)

SMNET Interface Table
-----------------------
ztun0:  flags=8811<UP,POINTOPOINT,SIMPLEX,MULTICAST>
        (ztun0)metric 0 mtu 1400 type 23=0x17 [0x80be00020/0xb9100db4050]
        HWassist 0x0    inet 10.66.105.71 --> 10.66.105.71 netmask 0xffffffff
        Rx: Packets 0 Bytes 0 Multicast 0
        Tx: Packets 1 Bytes 28 Multicast 1
        Error: Rx 0 Tx 0 RxMC_drop 0 Dropped 0 Collision 0 Unsup_Proto 0
        Send queue: 0 of 50000 (0 drops) drv side 0 of 100

zs0:    flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST>
        (zs0)=em1 metric 0 mtu 1500 type 6 [0x80be004d0/0xb91013fddd0]
        capabilities=db<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,POLLING,VLAN_HWCSUM>
        capenable=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        HWassist 0x6    ether: 00:50:56:9b:b8:9d
        inet 10.66.105.67 netmask 0xffffff00 broadcast 10.66.105.255
        media: [no carrier] Ethernet autoselect
        Rx: Packets 518519 Bytes 33963109 Multicast 456548
        Tx: Packets 65429 Bytes 6533314 Multicast 1
        Error: Rx 0 Tx 0 RxMC_drop 0 Dropped 0 Collision 0 Unsup_Proto 0
        Send queue: 0 of 50000 (0 drops) drv side 0 of 50000

zs1:    flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST>
        (zs1)=em3 metric 0 mtu 1500 type 6 [0x80be00980/0xb91013fdc50]
        capabilities=db<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,POLLING,VLAN_HWCSUM>
        capenable=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        HWassist 0x6    ether: 00:50:56:9b:27:7a
        inet 10.66.2.70 netmask 0xffffff00 broadcast 10.66.2.255
        media: [no carrier] Ethernet autoselect
        Rx: Packets 290861 Bytes 29662943 Multicast 194589
        Tx: Packets 121089 Bytes 13655929 Multicast 1
        Error: Rx 0 Tx 0 RxMC_drop 0 Dropped 0 Collision 0 Unsup_Proto 0
        Send queue: 0 of 50000 (0 drops) drv side 0 of 50000

Profiler stats: tot calls=1, tot/min/max/avg cpu time=4051/4051/4051/4051 microseconds
    Close
Related Articles
About Virtual Service EdgesAbout Virtual Service Edge ClustersConfiguring Virtual Service Edge ClustersUsing an External Load Balancer for Virtual Service Edge ClustersConfiguring Virtual Service Edge for Microsoft AzureConfiguring Virtual Service Edge for Amazon Web ServicesConfiguring Virtual Service Edge for Amazon Web Services with GWLBConfiguring Virtual Service Edge for Microsoft Hyper-VConfiguring Virtual Service Edge for Google Cloud PlatformAdding Virtual Service Edge InstancesAdding Virtual Service Edge ClustersDownloading a Virtual Service Edge VMDownloading Virtual Service Edge CertificatesConfiguring Virtual Service Edge and NTP Server SynchronizationVirtual Service Edge Configuration Guide for Dual Arm ModeDeploying Kerberos for Virtual Service EdgesForwarding Traffic to Virtual Service Edges