SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Redundancy group 1 failover enquiry

    Posted 03-22-2012 07:17

    Hi guys,

     

    Recently, I've setup a very simple redundant firewall (active-passive) as shown in the attachment. The way that I test redundancy group 1 failover is via a ping test from User A to User B. I have two questions regarding this setup:

     

    i) When I unplug cable ge-0/0/2 from the active firewall, I get one request time out and then the ping works just fine. Is this normal behaviour?

     

    ii) And then when I plug ge-0/0/2 back into the active firewall, I get 5 request time-outs before User A is able to ping User B. Is this normal behaviour?

     

    I read in the Junos manual that there is no packet loss when there is a failover from active to passive and vice versa. I've tried many things, such as decreasing the hold-down timer and increasing the gratuitous ARP count, but it still shows the same behaviour. Is there anything that I have missed?

     

    I've included the SRX3600 config for your easy reference. Any valuable advice is greatly appreciated. Thanks.

     

    Regards,

    Daniel




  • 2.  RE: Redundancy group 1 failover enquiry
    Best Answer

    Posted 03-22-2012 14:55

    You have preempt configured. That means it makes sense to look at the switch ports that you are plugging into. Are those configured as edge/portfast? Portfast is a Cisco term and means edge - that is, don't wait for STP before declaring the port functional on a link-up event. If the port "waits" before becoming active, that could account for the lost pings on link re-connection.

     

    Personally, I am not a fan of pre-empt. Too easy to fall prey to a flapping link that way. If you are absolutely set on pre-empt, at least set a hold timer of a few minutes.

     

    As for cluster management: You really want hostname and fxp0 to be in your node0/1 groups. You have empty groups right now, and that means you can't manage your cluster well. There's no (complete) inline management for the data center SRX devices.

     

    Take a look at Juniper's tech notes re cluster setup and cluster management.
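    The following set-format configuration is an added example, not the SRX3600 config attached to the question. It puts the points of the question and this answer together in one place: redundancy group 1 with preempt and a hold-down interval of a few minutes, interface monitoring on the ge-0/0/2 pair, a gratuitous ARP count, and node0/node1 groups carrying the hostname and fxp0. Interface names, addresses, hostnames and the node 1 FPC offset (13 on an SRX3600) are assumptions; adjust them to the real chassis. The switch-side edge-port lines at the end belong on the switch, not the firewall, and are shown commented out.

```junos
# Added example configuration; interface names, addresses and hostnames
# are assumptions, not values from the poster's attachment.

# Cluster-wide: two reth interfaces, control RG0 and data RG1,
# node 0 preferred for both.
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

# Preempt makes node 0 take RG1 back as soon as its link returns, which is
# the moment the reconnected switch port may still be in STP listening /
# learning. If preempt stays on, give it a long hold-down so a flapping
# link cannot bounce RG1 repeatedly. hold-down-interval is in seconds;
# 300 is five minutes (the default for RG1 and above is 1 second).
set chassis cluster redundancy-group 1 preempt
set chassis cluster redundancy-group 1 hold-down-interval 300
# Alternative preferred in the answer above: no preempt at all.
# delete chassis cluster redundancy-group 1 preempt

# Interface monitoring: RG1's threshold starts at 255, so a weight of 255
# on a single lost link drops it to zero and forces the failover that
# unplugging ge-0/0/2 produced.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/2 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-13/0/2 weight 255

# Gratuitous ARPs the new primary sends after a failover (default is 4).
set chassis cluster redundancy-group 1 gratuitous-arp-count 4

# reth0 = the ge-0/0/2 pair from the question, facing User A's segment.
set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces ge-13/0/2 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 10.0.1.1/24

# Per-node groups: each node gets its own hostname and fxp0 address.
# With empty node0/node1 groups the cluster has no usable out-of-band
# management, which is the point made in the answer.
set groups node0 system host-name srx3600-node0
set groups node0 interfaces fxp0 unit 0 family inet address 192.0.2.10/24
set groups node1 system host-name srx3600-node1
set groups node1 interfaces fxp0 unit 0 family inet address 192.0.2.11/24
set apply-groups "${node}"

# Switch side (not part of the SRX config): the Junos EX equivalent of
# Cisco "spanning-tree portfast". Marking the firewall-facing ports as
# edge lets them forward immediately on link-up instead of waiting
# through STP, which removes the lost pings seen on re-connection.
# set protocols rstp interface ge-0/0/10.0 edge
# set protocols rstp interface ge-0/0/11.0 edge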

     



  • 3.  RE: Redundancy group 1 failover enquiry

    Posted 03-23-2012 11:26

    Thanks a lot man, why didn't I think of portfast...? **bleep**.. Lol.. I thought it was an issue with the firewall. Portfast is definitely an issue here and I need to disable it.

     

    Thanks for the feedback.

     

    rgds.