SRX

Hello,

i am trying to set up HA on two SRX210 (using the Junos Software Security Configuration Guide) but it doesn't work at all.Control link is connected between fe-0/0/7 (no other choice) of the boxes and fabric/data between fe-0/0/.

Let's see, what i have done:

Both boxes are running latest JunosES 9.6:

{primary:node0}
root> show system software
node0:
--------------------------------------------------------------------------
Information for junos:

Comment:
JUNOS Software Release [9.6R1.13]



node1:
--------------------------------------------------------------------------
Information for junos:

Comment:
JUNOS Software Release [9.6R1.13]

I started with 2 fresh, factory defaulted boxes and configured the chassis cluster. Set one box node 0 of cluster id 1 and the other node 1 of cluster 1and rebooted them.

Then it shows up like this (this is correct, i assume):

{primary:node0}
root> show chassis cluster status
Cluster ID: 1
Node name                  Priority     Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   1           primary   no       no
    node1                   1           secondary no       no

 Then i set the root password (which is mandatory now) and changed the priority of redundancy group 0, and after that, it shows up like this:

{primary:node0}
root> show chassis cluster status
Cluster ID: 1
Node name                  Priority     Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   100         primary   no       no
    node1                   50          secondary no       no

 See lights on fe-[0/2]/0/7 are blinking and on fe-[0/2]/0/6 constantly green.

i check the communication and see, that fabric probes are received (i assume, this is because no fabric interfaces are configured right now).

{primary:node0}
root> show chassis cluster control-plane statistics
Control link statistics:
    Heartbeat packets sent: 265
    Heartbeat packets received: 237
Fabric link statistics:
    Probes sent: 263
    Probes received: 0

so, i configured the fab interfaces:

{primary:node0}[edit]
root# set interfaces fab0 fabric-options member-interfaces fe-0/0/6

{primary:node0}[edit]
root# set interfaces fab1 fabric-options member-interfaces fe-2/0/6

 after commiting, the led on fe-[0/2]/0/6 starts blinking frequently (looks like traffic is beeing processed now), but still no fabric probes are received:

{primary:node0}
root> show chassis cluster control-plane statistics
Control link statistics:
    Heartbeat packets sent: 363
    Heartbeat packets received: 335
Fabric link statistics:
    Probes sent: 361
    Probes received: 0

after a while the node 1 goes down and i see the messages in jsrpd log:

{primary:node0}
root> show log jsrpd
<...snip...>
Sep 16 18:37:03 Successfully sent an snmp-trap due to a failover from secondary
to disabled on RG-0 on cluster 1 node 1 Reason: fabric-link-failure
Sep 16 18:37:03 detected change in RG-0 state for node1
Sep 16 18:37:03 LED color changed from : Green to Red, reason Peer node: node1 i
s disabled

chassis cluster status is now:

{primary:node0}
root> show chassis cluster status
Cluster ID: 1
Node name                  Priority     Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   100         primary   no       no
    node1                   50          disabled  no       no

There are no additional redundancy groups ore any reths configured. Am i missing something or misconfigured? What is wrong? Would greatly appreciate if someone could help me.

Thanks.

One additional info:

After doing a reboot on node1 (because this seems to be the only way to get it out of the "disabled" state") and waiting some time to let the unit come up completly, everything looks nearly fine for a short time (except still no fabric probes are received).

{secondary:node1}
root> show chassis cluster status
Cluster ID: 1
Node name                  Priority     Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 0
    node0                   100         primary   no       no
    node1                   50          secondary no       no 
 
{secondary:node1}
root> show interfaces terse | match aenet
fe-0/0/6.0              up    up   aenet    --> fab0.0
fe-2/0/6.0              up    up   aenet    --> fab1.0

{secondary:node1}
root> show chassis cluster control-plane statistics
Control link statistics:
    Heartbeat packets sent: 70
    Heartbeat packets received: 70
Fabric link statistics:
    Probes sent: 69
    Probes received: 0

{secondary:node1}
root>

{primary:node0}
root> show interfaces terse | match aenet
fe-0/0/6.0              up    up   aenet    --> fab0.0
fe-2/0/6.0              up    up   aenet    --> fab1.0

{primary:node0}
root> show chassis cluster control-plane statistics
Control link statistics:
    Heartbeat packets sent: 2582
    Heartbeat packets received: 2394
Fabric link statistics:
    Probes sent: 2580
    Probes received: 0

 and so, the node 1 is being taken disabled and disappears out of the cluster:

{primary:node0}
root> show interfaces terse | match aenet
fe-0/0/6.0              up    up   aenet    --> fab0.0

{primary:node0}
root> show chassis cluster status
Cluster ID: 1
Node name                  Priority     Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   100         primary   no       no
    node1                   50          disabled  no       no

And another info:

if i use ge-[0/2]/0/1 for fabric link (as described in the example in the JUNOS Software Security Configuration Guide on page 913), all works well:

{primary:node0}
root> show interfaces terse | match aenet
ge-0/0/1.0              up    up   aenet    --> fab0.0
ge-2/0/1.0              up    up   aenet    --> fab1.0

{primary:node0}
root> show chassis cluster control-plane statistics
Control link statistics:
    Heartbeat packets sent: 3844
    Heartbeat packets received: 3483
Fabric link statistics:
    Probes sent: 3842
    Probes received: 242

{primary:node0}

but on page 937 of the guide on the end of the page it's said : "... For SRX210 devices, both interfaces must be of a similar type ...<snip>... and can use any port other than fe-{0,2}/0/7".

This seems not to work...

fe-0/0/6 and fe-2/07 as fabric interface will work fine. I think in your scenario of configuring the fab link after the chassis cluster was up could have caused the problem and rebooting node1 did not help because the issue could be on node0. You could have checked the show chassis cluster statistics commands on both the nodes to see which node could have the problem. 

... For SRX210 devices, both interfaces must be of a similar type ...<snip>... and can use any port other than fe-{0,2}/0/7".

For the above what it means is fe-0/0/7 and fe-2/0/7 cannot be used because this is the preconfigured control link for Chassic cluster (cc). When you configure Chassis cluster this ports are assigned to control ports when the device comes up.

 Would you be able to test one more time with fe-0/0/6 and reboot both nodes to check if CC gets formed.If the fabrics probes don't make it between the two nodes then the secondary node will go into disabled state, that is per design. 

Hope this helps.

Thanks for your post, but that doesn't help. i tried every kind of rebooting in different order. Always the same. The fabric link at fe-0/0/6 doesn't work.

i have no idea...

On SRX100 and SRX210 fe-0/0/6 and fe-2/0/6 are reseverd as fxp0 (RE managament) if cluster is enabled and can not used as reth or fab links.

You can use any port exept fe-0/0/6 and fe-0/0/7 as reth or fab link. ge- and fe- will work.

Personally I recommend to use fe-0/0/5 and fe-2/0/5 as fab link because then all HA Interfaces are closely together.

Hope this helps

Hello Optimist,

thanks for your post. This is exactly what i figured out with the help of a juniper se. Now it works.

Somehow the docu is neither complete nor correct 😞

Regards.

Hi,

I have the same problem with two SRX3600.

what's are the correct ports for the DATA LINK?

Regards,

Jorge

appear this error:

{secondary:node1}
root@SRX3600-2> show interfaces terse | match aenet
ge-0/0/4.0              up    up   aenet    --> fab0.0
ge-0/0/6.0              up    down aenet   



{secondary:node1}[edit]
root@SRX3600-2#

{primary:node0}
root@SRX3600-1> show interfaces terse | match aenet  
ge-0/0/4.0              up    up   aenet    --> fab0.0
ge-0/0/6.0              up    down aenet    --> fab1.0

for srx-3600 :

the  control link is the built-in front-panel RE  ports

the fabric link can be any available GE  or XE  interface

This KnowledgeBase article may help to answer these questions.

   How are interfaces assigned on J-Series and SRX platforms when chassis cluster is enabled?

There is a wealth of information at Kb.juniper.net. Some more useful ones are below.

    SRX Getting Started - Configure Chassis Cluster (High Availability) on a SRX210 device

    SRX Getting Started - Configuration Examples & Troubleshooting

-Richard

I installed a SRX240 cluster the other day. Everything was working fine, we tested the failover and it worked correctly.

After 10 hours of being online the cluster just stopped working, we couldn't access anything. We have had to go back to our old SSG520.

So we're pretty unhappy with it at the moment. We will be following it up with JTAC.....

hello,

need to update OS 9.6 r1 to latest.

find below running configuration

set chassis cluster reth-count 4
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 preempt
set chassis cluster redundancy-group 2 node 0 priority 100
set chassis cluster redundancy-group 2 node 1 priority 1
set chassis cluster redundancy-group 2 preempt
set chassis cluster redundancy-group 3 node 0 priority 100
set chassis cluster redundancy-group 3 node 1 priority 1
set chassis cluster redundancy-group 3 preempt
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/1 gigether-options redundant-parent reth1
set interfaces fe-0/0/2 fastether-options redundant-parent reth2
set interfaces fe-0/0/3 fastether-options redundant-parent reth0
set interfaces ge-2/0/1 gigether-options redundant-parent reth1
set interfaces fe-2/0/2 fastether-options redundant-parent reth2
set interfaces fe-2/0/3 fastether-options redundant-parent reth0
set interfaces fab0 fabric-options member-interfaces fe-0/0/6
set interfaces fab1 fabric-options member-interfaces fe-2/0/6
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address x.x.x.x/24
set interfaces reth1 redundant-ether-options redundancy-group 2
set interfaces reth1 unit 0 family inet address y.y.y.y/25
set interfaces reth2 redundant-ether-options redundancy-group 3
set interfaces reth2 unit 0 family inet address z.z.z.z/30

set security zones security-zone trust interfaces reth1.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces reth1.0 host-inbound-traffic protocols all

set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic protocols all

Ashu