SRX

Hi,

Does anyone have a working example of a SRX Cluster with a remote NSM (different subnet or external)?  I've been troubleshooting with the "backup-router" command to ensure the passive node has a route to the NSM, but no luck.  PCAP's don't even show traffic leaving the backup fxp0.0, so I don't think it's working.

I'm running 10.0R3.10 on the SRX with 2010.3 on the NSM.  The first node has no issues, but the second is always "waiting for 1st disconnect".  I was told that at the very least I should be able to ping the NSM from the secondary when the backup-router command is working.

Thank you.

John

Yes, you should be able to ping it at least. One thing to keep in mind is that you can't just configure a 0.0.0.0/0 route pointing to the backup router, you need to specify the NSM server IP /32. You can check if the correct route is by verifying the forwarding table (show route forwarding)

Hi,

I added the /32, but still no luck.  I also bounced both members of the cluster.  As mentioned, I don't even see any packets hitting the upstream router either.  Should the backup-router be added to the cluster config, under each node or just node1?

Thanks for your help.

John

It should be in the cluster config as redundancy-group 0 could fail over not node1 and in that case node0 would need to use the backup-router to reach NSM.

To get the SRX to re-connect to nsm, deactivate groups node1 system services outbound-ssh & reactivate it.

The other option with NSM 2010.3 is to import the SRX as a virtual chassis device (requires a command to be run on the SRX - which is in the release notes). This allows you to manage the srx in-line (on a reth interface) but there are some limitations like not being able to see the logs of the passive node irrc.

Hi,

I like the Virtual Chassis approach, but was unable to find anything outside of the NSM EX document pointing to the NSM Admin guide.  The Admin Guide only mentions the cluster object approach and I don't see any release notes.

I added a device (unreachable), checked virtual chassis, and entered the outbound-ssh CLI.  I get a "Device Type Mismatch" on the NSM, so I'm guessing the command you menitioned enables this.  I also tried remove and adding, no luck.  The NSM is 2010.3 and the SRX210 is 10.0R3.10.  I used SRX 210-hm (matches), JUNOS and 10.0 when creating the device.

WDYT?

Thanks for your help.

John

Hi,

I finally found the release notes and think the problem is a known issue.

514021—The model number of SRX devices is incorrectly displayed
under Hardware Inventory.
􀂄 515796—NSM UI displays the virtual chassis option for all OS
versions of SRX low-end (100/210/240/650) devices, but does not
support SRX devices running versions earlier than Junos Release
10.1.
􀂄 515845—NSM UI does not display the correct hardware inventory
output for devices in an SRX virtual cluster.
􀂄 516144—NSM allows adding an SRX virtual chassis as a cluster
member.

517276— NSM does not display logs for the backup device in an
SRX virtual chassis in the Log viewer.

Hi firewall72 ,

So are you now able to add the secondary node ?

I have an idea , if your problem is that the  secondary node is " waiting for 1st connect "  why not to do the below :

Add the cluster , primary node is ok , then  failover to enable secondary node to  connect to NSM & failover back

Just a thought

I hope that someone can post a solution for this issue  ( " seconday node is waiting for 1st connect " ) as i  i saw many others facing it

Hi,

I still have the issue.  I've been back and forth with our partner and JTAC as well.  Based on what I can see, this doesn't work as designed and using the recommended backup-router CLI is buggy (even if it does work).  I tried the VC approach, but I think he I need to upgrade to 10.1 to have a shot at that working.

Last week I did fail the cluster over and I was able to add the second node.  However, one node will always show as "Down" without this working.  I'm a big fan of the SRX and NSM, but I prefer the ScreenOS Mgt IP approach.  If anyone has any other suggestions, I'm all ears.

Thank you.

John

Hi Firewall72 ,

Check the below KB

KB18228

Summary:

Problem or Goal:

Solution:

Purpose:

Worked like a charm.  Thanks for the help and additional info!

-John

hi,

"517276— NSM does not display logs for the backup device in an
SRX virtual chassis in the Log viewer."

Considering that SRX3600 ( active/active ) is sending logs to NSM using syslog , does this expression mean that only system logs (not security logs) from the SRX backup device  aren't displayed?

Sorry to necro an old thread but is the VC configuration disruptive? Also, does it require removal of fxp interfaces in the groups configuration?

I have been looking at implementing this due to the annoyance of how management works with the standby (needing backup-router) but am a bit nervous to go changing things that may require reboots and the like.

Hi guys,

I have a SRX650 (10.3R1.9) cluster which I added in NSM (2010.3) using the virtual chassis option. The device can be discovered by NSM, but the device is not connecting to NSM.

I have a second cluster, which does connect to NSM. The only difference between the configs is that the cluster not conencting to NSM is configured with virtual routers and the cluster which does connect to NSM has no virtual routers.

Any suggestions?

Kind regards,

Vincent

Hmm this VC feature sounds interesting....wish I had seen this a few months ago! 

I had an SRX cluster in the lab connected to NSM with no issues, but the NSM was local to FXP0 on each node.  SHortly in production I will have to setup an SRX cluster where NSM will not be local to FXP0.  I was planning on using the backup router feature.   Readign this thread though  looks like I will need to have a plan B in mind.