SRX

I've been trying to configure an Active/Passive cluster on an SRX 3400 with no sucess even though I've been basing my configuration on a juniper example and kept it as simple as possible. This is a link to the example :

 

http://www.trapezenetworks.com/techpubs/en_US/junos13.1/topics/example/chassis-cluster-srx-active-passive-configuring.html

 

The reason I need Active/ Passive Clustering is I'll be using Route Based VPNs on my box, when I use the command :

 

> show chassis cluster information

 

I get a message that the cluster is in active/active mode even though there is only one redundancy group other than RG 0. What else should I look out for ?

 

 

This is the exact message I'm getting when I issue the "show chassis cluster information" command : node0: -------------------------------------------------------------------------- Redundancy mode: Configured mode: active-active Operational mode: active-active

By default chassis cluster shows the active-active configuration and operational becuase that indicates data plane is ready for failover.

However mode shows active-active but they work in active-passive in single redudancy-group configuration.

Regarding you question about route-based VPN, so the route-based VPN should work there is not limitation in this for route-based vpn not to work.

 

You can also configure the active-backup as well. It has advantages as well specifically while you are using the NAT becuase the NAT pool is doubled in active-backup compare to active-active.

KB link for referance.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB21263&actp=search&viewlocale=en_US&searchid=1403499994529

 

 

Regards,

Deepak

Dear deepakcr

 

The command you shared is what I'm looking for to achieve active/passive clustering; but I would like to add that IPSec VPN doesn't work with Chassis Clustering enabled in an active/active mode, as per the Junos OS 11.4 release notes :

 

http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/release-notes/11.4/index.html?topic-62160.html

 

You should check the section on Chassis Cluster :

 

Chassis Cluster

• On all high-end SRX Series devices, IPSec VPN is not supported in active/active chassis cluster configuration (that is, when there are multiple RG1+ redundancy-groups).

 

 

I have checked the link and it says that when you have multiple RG1+ {lets say RG1 and RG2}. If RG1 and RG2 are active on different nodes then IPSEC will not support becuase it will be active-active cluster.

 

With only one RG1 group device will be only active-passive not active-active by any chance.

 

I know its confusing that operational mode shows active-active but with RG1 group the cluster is always active-passive.

 

Regards,

Deepak

Hi elkadiki,

 

You need to configure the following command to change the cluster active-passive mode:

set chassis cluster redundancy-mode active-backup
 

This requires a reboot of both nodes simultaneously .

 
show chassis cluster information

- Redundancy mode:
- Configured mode: active-backup
- Operational mode: active-backup
 
Regards,
rparthi

 

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too] .....

Thanks rparthi and  deepakcr  Really appreciate your replies, and that hidden command ! Do you have any other  source for it online for further information on the command ? How stable is it in your experience ?