SRX

Hello i have configured a cluster between 2 srx 650 and configured this also

set groups node0 system host-name dc-fw01
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.4.21/24

set groups node1 system host-name dc-fw02
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.4.22/24

My question is why can access the cluster through the 192.168.4.21/24  on node 0 and cannot ping the other Fxp or even telnet on node 1.

Thank You

Hi,

this is because on the passive unit the routing isn't active.

you can solve this by adding:

set system backup-router <gateway_ip> destination <your_source_network>

GreetZ,

Frac

Configure this command at node 1 whicj is the backup router?

Hi,

yes. on passive node because this doesn't have a routing active. the active node will use the routing table.

GreetZ,

Frac

And another silly question what should i use as a gateway?Another router which has a ip part o f the subnet of the fxp?

Yes, the gateway IP needs to be next-hop which is on same subnet as fxp0 IP. Also you should list specific networks for <your_source_network> as opposed to using 0.0.0.0/0. Also you configure backup-router on any node really since any configuration you add on either node automatically copies to the other node.  The configuration only takes affect if the node is secondary.

Refer to below KB article.

http://kb.juniper.net/KB13288

-Richard

Hi,

i have add an backup-router into the config as told in the KB article.

But the secondary node is still not reachable from the other subnet.

The backup-router IP address is correct (the same IP address and

destination as in the static routing-option).

Has anybody an idea what's the problem is?

Jochen

See the post which I have just posted an answer to my own question.

You need to add the destination networks as additional backup router statements. Just the backup router statement is not enough

OK, I have insert this:

backup-router 10.101.255.254 destination 192.168.100.0/24

Is this correct, or need I do some other config in the static routing-option?

Because this will not work for me...

Thanks in advanced

Jochen

So the assumption here is you want to access your fxp0 interfaces from 192.168.100.0/24 network and that the fxp0 is 192.168.4.0/24 network, correct? In that case your backup-router needs to also be on same 192.168.4.0/24 network. This is similar to a static route next-hop needing to be on same subnet as the interface. Backup router 10.101.255.254 would be unreachable by secondary again because there is no routing protocols daemon running on secondary. Please try setting backup-router to be your 192.168.4.0/24 gateway router then this should work.

-Richard

Hi all,

It seems that the backup-router statement is only taken into account at boot time.

I had the same problem, and went for the same solution, but nothing changed 'till I rebooted the backup node.

You may give this a try and let us know if it worked.

rgds

Hi all,

What are the uses of fxp0/1?
Is it only used for https webui and ssh?
Can we use it to do syslog and snmp trap?

Is there an article on how we can configure services on fxp and its capabilities?

Setup fxps:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB15505

SNMP:

http://forums.juniper.net/t5/SRX-Services-Gateway/SNMP-through-FXP0/td-p/113442/

http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-Management-SNMP-Syslog/td-p/84682

Hello,

fxp0 is out-of-band management-only interface:

Telnet/SSH/FTP/SFTP/SCP/JWeb to the router itself is supported via fxp0.
Telnet/SSH/FTP/SFTP/SCP from the router itself is supported via fxp0.
SNMP to/from the router itself is supported via fxp0.
NTP to/from the router itself is supported via fxp0.
Telnet/SSH/FTP/SFTP/SCP/SNMP/NTP/any transit packets _through_ the router are NOT supported via fxp0.
"Event-mode" syslog from the RE is supported via fxp0 
"Stream-mode" syslog from the forwarding plane is NOT supported via fxp0.
Services are NOT supported on fxp0:
- You cannot configure 802.1q VLANs on fxp0
- fxp0 cannot be part of RETH
- only "Management"  functional zone is supported on fxp0
- NAT is not supported on fxp0
- dynamic routing protocols are NOT supported on fxp0
- MPLS is NOT supported on fxp0
- IPSec VPN is NOT supported via fxp0
- L2 switching is not supported on fxp0
- fxp0 is NOT supported inside routing-instance
- fxp0 is NOT supported inside Logical System

Firewall filter configured on lo0.0 also takes effect on fxp0 (a copy of this FW filter
is implicitly attached to fxp0.0).

To route locally-originated traffic out of fxp0 on MASTER Routing Engine, You have to have 
specific static routes configured under [edit routing-options static],
preferaly with "no-readvertise" knob.
To route locally-originated traffic out of fxp0 on BACKUP Routing Engine, You have to have 
specific static routes configured under [edit system backup-router destination].

fxp1 is internal interface for communication between RE and FPCs/DPCs/NPCs/SPCs. You must not configure anything on fxp1 or You risk losing forwarding capability of Your router, turning it into expensive dumb host.

If there is anything specific I haven't explicitly mentioned above about fxp0/fxp1 and You wish to know about then please ask.

HTH

Thanks
Alex

Hi,

Noted on the following supported:

Telnet/SSH/FTP/SFTP/SCP/JWeb to the router itself is supported via fxp0.
Telnet/SSH/FTP/SFTP/SCP from the router itself is supported via fxp0.
SNMP to/from the router itself is supported via fxp0.
NTP to/from the router itself is supported via fxp0.

"Event-mode" syslog from the RE is supported via fxp0 

only "Management" functional zone is supported on fxp0

Not supported on the following:

Telnet/SSH/FTP/SFTP/SCP/SNMP/NTP/any transit packets _through_ the router are NOT supported via fxp0.
"Stream-mode" syslog from the forwarding plane is NOT supported via fxp0.
- You cannot configure 802.1q VLANs on fxp0
- fxp0 cannot be part of RETH
- NAT is not supported on fxp0
- dynamic routing protocols are NOT supported on fxp0
- MPLS is NOT supported on fxp0
- IPSec VPN is NOT supported via fxp0
- L2 switching is not supported on fxp0
- fxp0 is NOT supported inside routing-instance
- fxp0 is NOT supported inside Logical System

To route locally-originated traffic out of fxp0 on MASTER Routing Engine, You have to have specific static routes configured under [edit routing-options static], preferaly with "no-readvertise" knob.
To route locally-originated traffic out of fxp0 on BACKUP Routing Engine, You have to have specific static routes configured under [edit system backup-router destination].

What is the command to route syslog out from fxp0 to a syslog server (e.g. 10.10.10.10)?

Hi,

---

@michael.saw wrote:

 

 

What is the command to route syslog out from fxp0 to a syslog server (e.g. 10.10.10.10)?

---

Assuming :

- your fxp0.0 subnet is 10.20.20.0/24

- your gateway on fxp0.0 subnet is 10.20.20.129

then the following config is required (adapted from here http://kb.juniper.net/InfoCenter/index?page=content&id=KB23118&cat=JUNOSES&actp=LIST&smlogin=true )

set system syslog host 10.10.10.10 any any

set security log mode event
set security log format sd-syslog
set security log stream securitylog format syslog
set security log stream securitylog category all
set security log stream securitylog host 10.10.10.10

set routing-options static route 10.10.10.10/32 next-hop 10.20.20.129 no-readvertise

set system backup-router 10.20.20.129 destination 10.10.10.10/32

 HTH

Thanks

Alex