SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX650 Cluster reth vs Cisco 4506 VSS Po

    Posted 06-19-2015 11:41

     

    Good day,

    I've been running into an issue for a couple of days that I just can't work out. I have an SRX650 cluster connected to two Cisco Catalyst 4506 in VSS mode. Each SRX chassis has a connection to the adjacent 4506. I have an LACP Etherchannel between them, with a reth configured on the SRX and a Po on the VSS, Layer 3 configuration.

    The SRX connects to my WAN on one side and to my Production network, the VSS, on the other; no filtering is enabled yet (still in the building phase) between the security zones. Hosts connect directly to the VSS, e.g. the Production Network.

    My issue is:

           - A device connected to the 1st VSS chassis is pingable from the WAN

           - A device connected to the 2nd VSS chassis is not pingable from the WAN

           - When I bring down either of the ports participating in the LACP Etherchannel, the device connected to the 2nd chassis becomes pingable.

    - Configurations :

     

        - SRX


    set groups node0 chassis cluster redundancy-group 6 preempt
    set groups node1 chassis cluster redundancy-group 6 preempt

     

    set chassis cluster redundancy-group 6 node 0 priority 100
    set chassis cluster redundancy-group 6 node 1 priority 1
    set chassis cluster redundancy-group 6 interface-monitor ge-2/0/10 weight 255
    set chassis cluster redundancy-group 6 interface-monitor ge-11/0/10 weight 255


    set interfaces  ge-2/0/10 gigether-options redundant-parent reth6
    set interfaces ge-11/0/10 gigether-options redundant-parent reth6

     

    set interfaces reth6 redundant-ether-options redundancy-group 6
    set interfaces reth6 redundant-ether-options minimum-links 1
    set interfaces reth6 redundant-ether-options lacp active
    set interfaces reth6 redundant-ether-options lacp periodic slow
    set interfaces reth6 unit 0 family inet address 172.26.0.209/29

     

      - VSS

     

    !
    interface Port-channel60
     ip address 172.26.0.210 255.255.255.248
    !

    interface GigabitEthernet1/4/4
     description Po60 | SRX#1.ge-2/0/10 | reth6
     no switchport
     no ip address
     channel-group 60 mode active

    !

    interface GigabitEthernet2/4/4
     description Po60 | SRX#2.ge-2/0/10 | reth6
     no switchport
     no ip address
     channel-group 60 mode active

    !

     

    - Some 'show' commands output

     

      - SRX

     

    root@SRX> show chassis cluster status redundancy-group 6
    Cluster ID: 1
    Node                  Priority          Status    Preempt  Manual failover

    Redundancy group: 6 , Failover count: 2
        node0                   100         primary        yes      no
        node1                   1           secondary      yes      no

    {primary:node1}

     

    root@SRX> show lacp interfaces reth6
    Aggregated interface: reth6
        LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
          ge-11/0/10     Actor    No    No   Yes  Yes  Yes   Yes     Slow    Active
          ge-11/0/10   Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active
          ge-2/0/10      Actor    No    No   Yes  Yes  Yes   Yes     Slow    Active
          ge-2/0/10    Partner    No    No   Yes  Yes  Yes   Yes     Slow    Active
        LACP protocol:        Receive State  Transmit State          Mux State
          ge-11/0/10                Current   Slow periodic Collecting distributing
          ge-2/0/10                 Current   Slow periodic Collecting distributing

     

    root@SRX> show chassis cluster interfaces
    Control link status: Up

    Control interfaces:
        Index   Interface        Status
        0       fxp1             Up

    Fabric link status: Up

    Fabric interfaces:
        Name    Child-interface    Status
                                   (Physical/Monitored)
        fab0    ge-0/0/2           Up   / Up
        fab0
        fab1    ge-9/0/2           Up   / Up
        fab1

    Redundant-ethernet Information:
        Name         Status      Redundancy-group
    ...
        reth6        Up          6
    ...

    Redundant-pseudo-interface Information:
        Name         Status      Redundancy-group
        lo0          Up          0

    Interface Monitoring:
        Interface         Weight    Status    Redundancy-group
    ...
        ge-11/0/10        255       Up        6
        ge-2/0/10         255       Up        6
    ...

     

      - VSS

     

    VSS#show etherchannel 60 summary
    Flags:  D - down        P - bundled in port-channel
            I - stand-alone s - suspended
            H - Hot-standby (LACP only)
            R - Layer3      S - Layer2
            U - in use      f - failed to allocate aggregator

            M - not in use, minimum links not met
            u - unsuitable for bundling
            w - waiting to be aggregated
            d - default port


    Number of channel-groups in use: 10
    Number of aggregators:           10

    Group  Port-channel  Protocol    Ports
    ------+-------------+-----------+-----------------------------------------------
    60     Po60(RU)        LACP      Gi1/4/4(P)  Gi2/4/4(P)

     

    VSS#show lacp 60 internal
    Flags:  S - Device is requesting Slow LACPDUs
            F - Device is requesting Fast LACPDUs
            A - Device is in Active mode       P - Device is in Passive mode

    Channel group 60
                                LACP port     Admin     Oper    Port        Port
    Port      Flags   State     Priority      Key       Key     Number      State
    Gi1/4/4   SA      bndl      32768         0x3C      0x3C    0x13D       0x3D
    Gi2/4/4   SA      bndl      32768         0x3C      0x3C    0x13E       0x3D

     

    VSS#show lacp 60 neighbor
    Flags:  S - Device is requesting Slow LACPDUs
            F - Device is requesting Fast LACPDUs
            A - Device is in Active mode       P - Device is in Passive mode

    Channel group 60 neighbors

    Partner's information:

                      LACP port                        Admin  Oper   Port    Port
    Port      Flags   Priority  Dev ID          Age    key    Key    Number  State
    Gi1/4/4   SA      127       0010.dbff.1000  27s    0x0    0x87   0xB     0x3D
    Gi2/4/4   SA      127       0010.dbff.1000   3s    0x0    0x87   0xF     0x3D

     

    Any idea is more than welcome.

    Thanks,

    Cheers

     



  • 2.  RE: SRX650 Cluster reth vs Cisco 4506 VSS Po
    Best Answer

    Posted 06-20-2015 04:46

    I'm a little weak in Cisco, so this may not be correct.  I think that a Cisco Port Channel is aggregated ethernet.

    I assume your SRX is active/passive.

    When in Active/Passive the passive node interfaces do not pass traffic.  Your Cisco is trying to use both links but the passive node won't accept the traffic.  Reth interfaces fail over; they don't aggregate.

    You need to either change the SRX reth to use AE bundles and have two lines from each SRX to the Cisco with two Port Channels.

    Or you need to have two standard Cisco ports to the SRX reth interfaces as configured.  Since only one will be active at a time there is no spanning tree issue.

    This documentation has the two options outlined on page 10 for the single interface and page 16 for the AE bundle.

    http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/NT260/SRX_HA_Deployment_Guide.pdf
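Added example, not part of the thread or of any Juniper or Cisco code: a small Python model of the failure mode described in this answer (both child links of an active/passive reth bundled into one VSS Port-channel) next to the per-node Port-channel design the deployment guide describes. The VSS member-selection rule (prefer the member on the chassis where the frame entered) and the Po names Po61/Po62 are modelling assumptions.

```python
"""Constructed model (not vendor code) of the failure in this thread: the two child
links of an active/passive SRX reth landing in ONE Cisco VSS Port-channel."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Member:
    port: str          # VSS member port, e.g. Gi1/4/4
    chassis: int       # VSS chassis owning the port (1 or 2)
    node: str          # SRX cluster node the cable reaches
    forwarding: bool   # only the redundancy-group primary forwards on its child

@dataclass(frozen=True)
class PortChannel:
    name: str
    members: tuple

def pick_member(pc: PortChannel, ingress_chassis: int) -> Member:
    """Egress member choice. Modelling assumption: a VSS multichassis EtherChannel
    prefers a member on the chassis the frame entered and uses the other chassis
    only when no local member is bundled (this matches the first post's symptom)."""
    local = [m for m in pc.members if m.chassis == ingress_chassis]
    return (local or list(pc.members))[0]

def egress_port_channel(pcs: list) -> PortChannel:
    """With one Po (or plain port) per node the reth MAC is learned only on the Po
    reaching the forwarding node, so the switch sends everything to that Po."""
    return next(pc for pc in pcs if any(m.forwarding for m in pc.members))

def reachable(pcs: list, host_chassis: int) -> bool:
    """True if a reply from a host on host_chassis reaches the active SRX node."""
    return pick_member(egress_port_channel(pcs), host_chassis).forwarding

def unreachable_chassis(pcs: list) -> list:
    return [c for c in (1, 2) if not reachable(pcs, c)]

def link_down(pc: PortChannel, port: str) -> PortChannel:
    """Shut one member. The interface-monitor weight of 255 on each child (as in
    the thread) fails the RG over to the other node when the primary's link drops."""
    lost_primary = any(m.port == port and m.forwarding for m in pc.members)
    kept = [m for m in pc.members if m.port != port]
    if lost_primary:
        kept = [Member(m.port, m.chassis, m.node, True) for m in kept]
    return PortChannel(pc.name, tuple(kept))

# Thread's design: both node links in Po60 (node0 primary, node1 passive)
SINGLE_PO = [PortChannel("Po60", (Member("Gi1/4/4", 1, "node0", True),
                                  Member("Gi2/4/4", 2, "node1", False)))]
# Deployment-guide style alternative: one Po per node (Po names are constructed)
PER_NODE_PO = [PortChannel("Po61", (Member("Gi1/4/4", 1, "node0", True),)),
               PortChannel("Po62", (Member("Gi2/4/4", 2, "node1", False),))]
```

`unreachable_chassis(SINGLE_PO)` reproduces the first post exactly (only hosts behind chassis 2 are black-holed) and `link_down` on either member clears it, while the per-node design is reachable from both chassis.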



  • 3.  RE: SRX650 Cluster reth vs Cisco 4506 VSS Po

    Posted 06-21-2015 10:22

    Hello Steve,

    I was afraid to hear that said out loud..... as that is where my thorough testing led me.

    Many thanks for looking into it and providing an answer and document.

    From my reading, an SRX Cluster does not support an AE bundle. I tested having the 4506 chassis ports defined as access ports in a Layer 2 VLAN with an SVI instead of the Layer 3 Po, removed LACP on the SRX side, and it worked. The solution I need to come up with now is making use of the 2 x 1Gig connections; the only solution (keeping Etherchannel, LACP and the Layer 3 Po) would be to have each SRX attached to each 4506 chassis, making a big 4 x 1Gig bundle. I confirm I'm in active/passive mode on the SRX Cluster, thus all ports on the passive member wouldn't be used until failover.

    Appreciate your answer. Thanks



  • 4.  RE: SRX650 Cluster reth vs Cisco 4506 VSS Po

    Posted 06-30-2015 12:42

    Hello,

    I tried out interconnecting the SRX with the 4506 chassis; this did not help, even worse, it was a dead end and no traffic was going through. I am back to the start, having spent a long time trying to understand the issue, when I read something about swfab interfaces, which permit Layer 2 across the chassis cluster.... because the issue I am facing is that traffic is not crossing from the active node to the passive node to reach a host connected to the switch (4506) facing the passive node!

    What is your thought on this last possibility?

    Thanks



  • 5.  RE: SRX650 Cluster reth vs Cisco 4506 VSS Po

    Posted 07-05-2015 05:50

    The bottom line in an Active/Passive cluster is that traffic will NEVER cross the passive node traffic interfaces.  These are held link up but essentially offline UNLESS the primary node fails.

    The Chassis interconnections should be directly connected to each other.  If they go through switches then you do need to have jumbo frames enabled throughout the path.  But I don't think that is your issue.

    From all your notes here it sounds like what you really want is to configure the cluster Active/Active.



  • 6.  RE: SRX650 Cluster reth vs Cisco 4506 VSS Po

    Posted 07-22-2015 05:50

    Hello,

    As per my understanding, an SRX Cluster is by default active/active depending on which cluster member is primary (highest priority) for each Redundancy-Group. I tried adding new connections making each SRX attached to each 4506 chassis that is part of the VSS and this did not help at all! Again, I am not a Juniper expert, still improving through my readings, tests and getting hands on it. I read a little about the fabric switch; wouldn't that be of some help in the issue I am facing?

    Meanwhile I'll verify whether the chassis interconnection can be the root cause.

    Thanks again for your help.

    Phil.



  • 7.  RE: SRX650 Cluster reth vs Cisco 4506 VSS Po

    Posted 07-22-2015 15:55

    The vast majority of the standard implementations for SRX clusters are deployed Active/Passive.  You can run Active/Active and you can split redundancy groups if really needed.  But these would be the EXCEPTIONS in RARE cases, not a standard deployment.

    I encourage you to go back to the documented and fully tested configurations in the Juniper HA deployment guide.  And try to use a tested, fully supported configuration like that on page 10 or page 16 for your deployment.  I think in the long run you will find this more reliable and more easily supported.

     

    http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/NT260/SRX_HA_Deployment_Guide.pdf