08-10-2009 01:28 PM
We've got a rather interesting problem that I'm hoping someone can help shed some light on. We recently integrated a pair of SRX3600s into an OSPF network. The SRX cluster learns its routes, including the default route, from OSPF. We previously had a static default route in there as well, which enabled us access to the management interface (fxp0). With that static default route in there, nothing behind the cluster was accessible at all. We removed the static default, kept the learned OSPF default, and everything behind the cluster was as accessible as it was before we installed the cluster.
But, removing that static default killed our ability to ssh or https to that fxp0 interface. We can ping it all day long and a traceroute looks completely normal - no routing issues that we can find. We can ssh to it from the device that's directly connected to it. But we can't from anything further downstream, despite the fact that the path looks correct.
08-11-2009 10:17 PM
I am curious about the statement that you can ping and traceroute to fxp0 but not SSH. If traceroute works then you should be able to SSH to it. Perhaps you can provide more details about how you are able to reach fxp0. I would assume that fxp0 is on separate subnet than your IOC ports. I would also assume that you are not trying to access fxp0 from outside one of those revenue ports as you cannot route from an IOC port to fxp0.
It would also help to know what your fxp0 interface IP is and from what subnet you are attempting to reach that IP. Try running "show route <ip-address of client>" to confirm that route for your client should be out fxp0.
10-05-2009 09:27 AM
Check out the following thread
- there's a sample fxp0 config along with the backup router config. You need to have both of these specified in the groups > nodeX configuration. Also make sure you have a specific network defined in the backup router destination configuration (not just 0.0.0.0).