  • 1.  SRX210H HA cluster configuration

    Posted 03-30-2011 02:39

    Hi,

     

    I am new to Juniper firewalls and I'm trying to set up two SRX210H devices in active/passive mode.

    The configuration i am using is below,

     

    The problem is that the configuration isn't stable: sometimes I can ping reth0 and access the internet, but most of the time the reth interfaces aren't pingable, even though failover is triggered when a cable is disconnected. The Junipers are contacting the Juniper site for licensing updates.

    Can someone give me a hint in the right direction

    I have used KB15505, the Junos Security book (O'Reilly) and the Juniper Day One guideline to create this config.

     

    Kind Regards

     

    Andre Lucas

     

    ## Last changed: 2011-03-30 11:05:42 CEST
    version 10.4R3.4;
    # Per-node configuration groups for the chassis cluster: each node gets its
    # own host-name and its own fxp0 (management port) address.
    # Both fxp0 addresses (10.61.251.252/23 and 10.61.251.253/23) lie in the same
    # /23 as reth0 (10.61.251.254/23, configured under "interfaces" below), so the
    # management port and a forwarding interface are attached to one subnet.
    # NOTE(review): placing fxp0 on a dedicated management subnet removes that
    # overlap and keeps device management off the user LAN.
    groups {
    node0 {
    system {
    host-name node0;
    }
    interfaces {
    fxp0 {
    unit 0 {
    family inet {
    address 10.61.251.252/23;
    }
    }
    }
    }
    }
    node1 {
    system {
    host-name node1;
    }
    interfaces {
    fxp0 {
    unit 0 {
    family inet {
    address 10.61.251.253/23;
    }
    }
    }
    }
    }
    }
    # Each node applies the group named after itself (node0 or node1).
    apply-groups "${node}";
    # System-wide settings: time zone, root credentials, DNS resolvers, management
    # services, local logging, configuration history, license update and NTP.
    system {
    time-zone Europe/Amsterdam;
    # The "$1$" prefix marks an MD5-crypt password hash. This value is visible in
    # a public post, so the root password should be treated as exposed and
    # changed; replace the hash with a placeholder before sharing a config.
    # No other login accounts are defined in this stanza.
    root-authentication {
    encrypted-password "$1$jtWJEaj.$5hlsDlylSuzySjXwOHi8K1";
    }
    name-server {
    213.75.63.36;
    213.75.63.70;
    }
    # ssh and https are the encrypted management services. telnet,
    # xnm-clear-text and web-management http carry credentials and session data
    # unencrypted.
    # NOTE(review): unless something depends on them, delete the three cleartext
    # services and manage the cluster over ssh/https only. Reachability through
    # the reth interfaces is additionally limited by each security zone's
    # host-inbound-traffic list.
    services {
    ssh;
    telnet;
    xnm-clear-text;
    web-management {
    http;
    https {
    system-generated-certificate;
    }
    }
    }
    # Logging goes to local files only (100k per file, 3 archives); no remote
    # syslog host is configured in this stanza.
    # NOTE(review): interactive-commands is recorded at "error" severity only;
    # confirm whether that captures enough for a command audit trail.
    syslog {
    archive size 100k files 3;
    user * {
    any emergency;
    }
    file messages {
    any critical;
    authorization info;
    }
    file interactive-commands {
    interactive-commands error;
    }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    # License keys are fetched automatically from this HTTPS URL.
    license {
    autoupdate {
    url https://ae1.juniper.net/junos/key_retrieval;
    }
    }
    # A single NTP server, with no authentication key configured here.
    ntp {
    server 194.151.228.10;
    }
    }
    # Chassis cluster settings: up to 8 reth interfaces and two redundancy groups.
    # In both groups node 0 has priority 100 and node 1 priority 1, so node 0 is
    # the preferred primary; no preempt statement is configured.
    chassis {
    cluster {
    control-link-recovery;
    reth-count 8;
    # Bare node statements carrying no options.
    node 0;
    node 1;
    redundancy-group 0 {
    node 0 priority 100;
    node 1 priority 1;
    }
    redundancy-group 1 {
    node 0 priority 100;
    node 1 priority 1;
    # Every member link of reth0-reth3 on both nodes is monitored with weight 255.
    # NOTE(review): presumably the loss of any single monitored link is then
    # enough to fail redundancy-group 1 over; confirm that is intended.
    interface-monitor {
    ge-0/0/0 weight 255;
    fe-0/0/2 weight 255;
    ge-2/0/0 weight 255;
    fe-2/0/2 weight 255;
    ge-0/0/1 weight 255;
    ge-2/0/1 weight 255;
    fe-0/0/3 weight 255;
    fe-2/0/3 weight 255;
    }
    }
    }
    }
    # Interface layout. Each reth interface has one member link per chassis
    # (the 0/0/x and 2/0/x ports):
    #   reth0 = ge-0/0/0 + ge-2/0/0   (zone Internal)
    #   reth1 = fe-0/0/2 + fe-2/0/2   (zone Internet)
    #   reth2 = ge-0/0/1 + ge-2/0/1   (zone DMZ)
    #   reth3 = fe-0/0/3 + fe-2/0/3   (zone Ezorg)
    # fab0/fab1 are the fabric links, on fe-0/0/5 and fe-2/0/5.
    # Addresses written as x.x.x.x/x were redacted by the poster.
    interfaces {
    ge-0/0/0 {
    gigether-options {
    redundant-parent reth0;
    }
    }
    ge-0/0/1 {
    gigether-options {
    redundant-parent reth2;
    }
    }
    fe-0/0/2 {
    fastether-options {
    redundant-parent reth1;
    }
    }
    fe-0/0/3 {
    fastether-options {
    redundant-parent reth3;
    }
    }
    ge-2/0/0 {
    gigether-options {
    redundant-parent reth0;
    }
    }
    ge-2/0/1 {
    gigether-options {
    redundant-parent reth2;
    }
    }
    fe-2/0/2 {
    fastether-options {
    redundant-parent reth1;
    }
    }
    fe-2/0/3 {
    fastether-options {
    redundant-parent reth3;
    }
    }
    fab0 {
    fabric-options {
    member-interfaces {
    fe-0/0/5;
    }
    }
    }
    fab1 {
    fabric-options {
    member-interfaces {
    fe-2/0/5;
    }
    }
    }
    # All four reth interfaces belong to redundancy-group 1, so they fail over
    # together.
    reth0 {
    redundant-ether-options {
    redundancy-group 1;
    }
    unit 0 {
    family inet {
    # Same /23 as the fxp0 addresses in the node0/node1 groups.
    address 10.61.251.254/23;
    }
    }
    }
    reth1 {
    redundant-ether-options {
    redundancy-group 1;
    }
    unit 0 {
    family inet {
    address x.x.x.x/x;
    }
    }
    }
    reth2 {
    redundant-ether-options {
    redundancy-group 1;
    }
    unit 0 {
    family inet {
    address 10.61.3.254/24;
    }
    }
    }
    reth3 {
    redundant-ether-options {
    redundancy-group 1;
    }
    unit 0 {
    family inet {
    address x.x.x.x/x;
    }
    }
    }
    }
    # One static default route; the next-hop address was redacted by the poster.
    routing-options {
    static {
    route 0.0.0.0/0 next-hop x.x.x.x;
    }
    }
    # Spanning tree is enabled with no further options.
    # NOTE(review): every data interface in this config is a routed reth member
    # (family inet); confirm STP is actually needed here.
    protocols {
    stp;
    }
    # Security stanza: source NAT, screen (IDS) options, zones and policies.
    security {
    nat {
    source {
    # Interface-based source NAT for 10.61.250.0/23 (the reth0 subnet) when
    # traffic goes from zone Internal to zone Internet.
    rule-set internet_nat {
    from zone Internal;
    to zone Internet;
    rule InternalToInternet_access {
    match {
    source-address 10.61.250.0/23;
    destination-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    }
    # Defines the screen profile "untrust-screen" (ping-of-death, source-route,
    # teardrop, SYN-flood thresholds, land).
    # None of the security-zones below contains a "screen" statement, so this
    # profile is defined but not attached to any zone.
    # NOTE(review): add "screen untrust-screen;" under security-zone Internet if
    # the profile is meant to protect the Internet-facing interface.
    screen {
    ids-option untrust-screen {
    icmp {
    ping-death;
    }
    ip {
    source-route-option;
    tear-drop;
    }
    tcp {
    syn-flood {
    alarm-threshold 1024;
    attack-threshold 200;
    source-threshold 1024;
    destination-threshold 2048;
    timeout 20;
    }
    land;
    }
    }
    }
    zones {
    # Internet-facing zone (reth1): the device itself answers ping only.
    security-zone Internet {
    host-inbound-traffic {
    system-services {
    ping;
    }
    }
    interfaces {
    reth1.0;
    }
    }
    # Internal zone (reth0): ping, http and dns to the device are allowed.
    # http here is the unencrypted web-management service; https and ssh are
    # not listed, so only cleartext web management is accepted on reth0.
    # NOTE(review): prefer https (and ssh) over http for this list.
    security-zone Internal {
    host-inbound-traffic {
    system-services {
    ping;
    http;
    dns;
    }
    }
    interfaces {
    reth0.0;
    }
    }
    # DMZ and Ezorg list no host-inbound-traffic, so no system services
    # (ping included) are allowed to the device on reth2 or reth3.
    security-zone DMZ {
    interfaces {
    reth2.0;
    }
    }
    security-zone Ezorg {
    interfaces {
    reth3.0;
    }
    }
    }
    # The only policy shown permits the ToInternet application set from Internal
    # to Internet for any source and destination. No policy exists for DMZ or
    # Ezorg; that traffic falls to the default policy, which is not shown here.
    # The "then" clause has no log statement, so permitted sessions are not
    # logged by this policy.
    policies {
    from-zone Internal to-zone Internet {
    policy Internal_to_Internet {
    match {
    source-address any;
    destination-address any;
    application ToInternet;
    }
    then {
    permit;
    }
    }
    }
    }
    }
    # Application set referenced by the Internal_to_Internet policy: ping, HTTP,
    # HTTPS and DNS over TCP and UDP.
    applications {
    application-set ToInternet {
    application junos-ping;
    application junos-http;
    application junos-https;
    application junos-dns-tcp;
    application junos-dns-udp;
    }
    }


    #cluster
    #fxp0


  • 2.  RE: SRX210H HA cluster configuration

     
    Posted 03-30-2011 02:49
    Hard to read your configuration when it's not formatted correctly but anyway, check the output of show chassis cluster status, show chassis cluster interfaces etc. What do you use to ping your reth interfaces? A laptop on a switch?


  • 3.  RE: SRX210H HA cluster configuration

    Posted 03-30-2011 02:58

    Hi,

     

    I have checked the output, but everything seems correct (see below).

    My setup has the laptop connected to a switch that connects to both SRX210H devices.

    Switch is reporting no errors

     

    Kind Regards  Andre

     

    root@node0> show chassis cluster status
    Cluster ID: 1
    Node                  Priority          Status    Preempt  Manual failover

    Redundancy group: 0 , Failover count: 1
        node0                   100         primary        no       no
        node1                   1           secondary      no       no

    Redundancy group: 1 , Failover count: 3
        node0                   100         primary        no       no
        node1                   1           secondary      no       no

     

    show chassis cluster statistics
    Control link statistics:
        Control link 0:
            Heartbeat packets sent: 7253
            Heartbeat packets received: 7238
            Heartbeat packet errors: 0
    Fabric link statistics:
        Probes sent: 7275
        Probes received: 7166
        Probe errors: 0

     

    show chassis cluster interfaces
    Control link 0 name: fxp1
    Control link status: Up

    Fabric interfaces:
        Name   Child-interface   Status
     fab0      fe-0/0/5          up
    fab0
    fab1       fe-2/0/5          up
    fab1
    Fabric link status: Up

    Redundant-ethernet Information:
        Name         Status      Redundancy-group
        reth0        Up          1
        reth1        Up          1
        reth2        Up          1
        reth3        Up          1
        reth4        Down        Not configured
        reth5        Down        Not configured
        reth6        Down        Not configured
        reth7        Down        Not configured

    Interface Monitoring:
        Interface         Weight    Status    Redundancy-group
        fe-2/0/3          255       Up        1
        fe-0/0/3          255       Up        1
        ge-2/0/1          255       Up        1
        ge-0/0/1          255       Up        1
        fe-2/0/2          255       Up        1
        ge-2/0/0          255       Up        1
        fe-0/0/2          255       Up        1
        ge-0/0/0          255       Up        1

     

     

     

     



  • 4.  RE: SRX210H HA cluster configuration

    Posted 03-30-2011 03:04

    By the way, how can I post it in the correct format, or do you mean the input syntax for the Junipers?



  • 5.  RE: SRX210H HA cluster configuration

     
    Posted 03-30-2011 03:05

    Ye looks fine 🙂

    Remove this from your chassis cluster stanza, shouldn't be needed there:
    node 0;
    node 1;

    You could also check the jsrpd log when you're having the issue.

     

    Just paste the code into the window you get after clicking insert code.



  • 6.  RE: SRX210H HA cluster configuration

    Posted 03-30-2011 03:25

    OK, removed the entries.

     

    But jsrpd is showing no information besides messages about re-reading the configuration (removing the node0 and node1 entry).



  • 7.  RE: SRX210H HA cluster configuration

     
    Posted 03-30-2011 03:34
    Do your problems occur all the time? or after a failover? And which reth interface can't you ping?


  • 8.  RE: SRX210H HA cluster configuration

    Posted 03-30-2011 04:02

    Hi,

     

    Problem is occurring always, not even after a failover

    forcing failover doesn't solve the problem

    I'm trying to ping reth0 (10.61.251.254); I didn't even try the other interfaces.



  • 9.  RE: SRX210H HA cluster configuration

    Posted 03-30-2011 04:03

    Could it be a Junos version problem ??



  • 10.  RE: SRX210H HA cluster configuration
    Best Answer

     
    Posted 03-30-2011 04:05

    Actually, you're on the same net as your fxp0 ? Then that's the issue.

    fxp0 is an out-of-band interface, although it still shows up in the routing table, causing trouble.

    you can see this by doing "show route 10.61.251.0" in operational mode, which should show fxp0 as a direct route to it.

    I'd recommend just moving your fxp0's to a different subnet. There are workarounds involving virtual-routers if you want to get into them though.



  • 11.  RE: SRX210H HA cluster configuration

    Posted 03-30-2011 04:50

    Thx,

     

    That did the job,

    now i can figure out the other things

    I think you will see me back on the forum later

    Thank you for all the help

     

    Kind regards Andre Lucas



  • 12.  RE: SRX210H HA cluster configuration

    Posted 03-30-2011 04:51

    Thank you very much.



  • 13.  RE: SRX210H HA cluster configuration

     
    Posted 03-30-2011 04:52
    You're welcome!