05-19-2017 06:18 AM
I have a connection to an Service Providor that uses VRRP to enable High Availablity connections, so they require to be connected to a switch.
I have connected each one of their routers into a pair of SRX devices acting as a cluster (added the SWFAB interfaces), condifured a VLAN that includes both ports and a l3interface and I can now ping each of thier physical addresses from within my network.
When the primary SP router is up and working all good, but in the event it fails or reboots, even though the VIP address switches to the Secondary, the SRX Cluster can't contact the VIP address.
I have moved both connections onto the primary firewall in the Cluster and that works, however when its one link on the primary and one on the secondary I get cut off if the VIP address switches.
Has anyone done this ? Should it work ?
As an aside I am finding very hard to fault this as, I would expect the VIP MAC address to appear in the Firewall somewhere, it appear in the arp table and the forwarding a table as pointing towards vlan.xx, but I would have expected to see it in the show ethernet-switch table so I could tell which interface it thinks it is out of.
05-22-2017 08:48 AM
What was found was that the MAC table was never updating with the MAC address of the VIP. This was fixed by using JUNOS 12.1X46D65.1