SRX

Hi,

  We have two SRX-100 Firewalls in cluster mode in one of the remote branches, and we are planning to replace the primary unit in that cluster.

Can you please advise on the proper and best way to accomplish this task, Thanks.

Hi,

 

I've never tried this in production, but the approach below worked in my lab.

 

- took the node offline

- installed the new hardware

- added the node with the reboot flag

- checked the config

- tested failover

 

Good luck.

 

John

Hi,

  Thank you for the reply. One more question, after rebooting the firewall, the config are going to be pushed from the secondary box, or do I have to configure the box with the same config as the secondary unit.

 

Thanks,

Hi,

i think a commit on the secondary node should do the job.

do the commit on the primary node actually after you add the new box into the cluster. If you do the commit on the new node, it will sync that config over to the cluster which will wipe your configs

Hi There,
[ Considering Node 0 as Primary & Node 1 as Secondary before any replacement. ]

Please have the following precautions before replacing the device :-

1. Do a manual fail-over to Node 1 in all RGs . [ This is a precautionary measure ].
2. Then switch off the Node 0. [ request system halt ].
3. Now, check the cluster status . node 1 should be primary & node 0 should be lost.
4. Then remove the node 0 & put the new device in place.
5. Before enabling the chassis mode , please make sure there are no ethernet switching mode present on the device. [ Please note that all new devices are shipped with a default configuration of vlan which have all ports other than ge-0/0/0 in ethernet switching mode ]
6. Then connect the control link & Fabric link.
7. Run the command :- set chassis cluster cluster-id <cluster-id> node 1 reboot
8. The new device will become a secondary node after it comes back.
9. Now  you can give a commit on the Node 1 [ which is working as primary now ]. This should sync the configuration.
10. After a successful commit, you can go ahead & do another manual fail-over in case you want this new device to become Primary.

Hope this helps you.
Although this should work fine, but my personal opinion is that you should try to get some downtime to replace the device.

Take Care,
Njoy Networking...............

Hi There,

 

the steps from The Students seems to be correct.

Just only one thing:

7. Run the command :- set chassis cluster cluster-id <cluster-id> node 1 reboot

 

Node id should be 0 because you are replacing node 0!

And cluster-id must be same as on node 1

 

Regards

sok

Hi Sok,

 

Thanks for pointing out the typo-error in command.

... and I could add that before doing the "commit" on primary node (point 9), just make little change in configuration to trigger the "commit". If not, the configuration will never been sync with the secondary node.

 

I just did all points, and everything are working fine...

 

Thanks,

Dominic

i can confirm that making small change to config is necessary, else the commit is useless ...

 

in my case it was the secondary node which was replaced. here's what happened when trying to commit without making a change to the config:

 

{primary:node0}[edit]
root@ajaz# commit
node0:
commit complete

-------------------------------

 

And after making a change and commiting:

 

root@ajaz# commit
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete

 

Take a while to write the entire config, but when it works the feeling in awesome : )

 

thanks guys

 

 

 

 

 

I replaced srx3600 last 6 month everything fine smooth