SRX Services Gateway
Super Contributor
cryptochrome

Secondary node forwards packets in active/passive?

Hi,

I've never really looked at these statistical outputs on an SRX, so I just stumbled across this: I have an active/passive cluster (i.e. all redundancy groups are on node 0), so my understanding is that all packets should only be forwarded on node0. Right? Then why do I see this:

show security flow statistics      
node0:
--------------------------------------------------------------------------
    Current sessions: 2302
    Packets forwarded: 183360650
    Packets dropped: 10097368
    Fragment packets: 0

node1:
--------------------------------------------------------------------------
    Current sessions: 2541
    Packets forwarded: 15946963
    Packets dropped: 15846554
    Fragment packets: 0

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Distinguished Expert
muttbarker

Re: Secondary node forwards packets in active/passive?

Your session state is synchronized between the two REs, so that is why the current session counter reflects sessions. If you do a flow session you will see the same flows on both nodes.

Counters are cumulative so you must have had traffic on RE1 at some point.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Distinguished Expert
pk

Re: Secondary node forwards packets in active/passive?

I can add that if you have "local" interfaces (not assigned to any redundancy group), they can still forward traffic, even on a "passive" (in terms of RG0) node.

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
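The distinction pk draws, as an added configuration example that is not from the original thread: a reth interface whose member links on both nodes are governed by redundancy-group 1, next to a plain interface configured only on node1 that belongs to no redundancy group. Interface names, addresses and zone names are assumptions (node1 slot numbering differs per SRX model, ge-5/0/x is the SRX240 convention), and the `##` lines are annotations for the reader, not Junos syntax.

```text
## Active/passive: node0 is preferred for RG0 (control plane) and RG1 (data plane).
set chassis cluster reth-count 1
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

## reth0 has one member on each node; only the node holding RG1 forwards on it.
set interfaces ge-0/0/1 gigether-options redundant-parent reth0
set interfaces ge-5/0/1 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 192.0.2.1/24
set security zones security-zone trust interfaces reth0.0

## A "local" interface: lives on node1 only and is not a member of any reth,
## so RG1 failover does not govern it and node1 can forward traffic on it
## even while node1 is passive for RG0 and RG1.
set interfaces ge-5/0/2 unit 0 family inet address 198.51.100.1/24
set security zones security-zone mgmt interfaces ge-5/0/2.0
```

If you expect a strictly idle secondary node, `show interfaces terse | match ge-5/` on that node is the quick way to confirm that no such interfaces exist outside a reth.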
Super Contributor
cryptochrome

Re: Secondary node forwards packets in active/passive?

Thanks guys.

I know about session sync but I was wondering about the forwarded packets on node1. We don't have any local interfaces and I can't recall having that node active. I can't rule out though that the cluster failed over at one point and we didn't notice. I am going to watch those counters.

Thanks!

Super Contributor
cryptochrome

Re: Secondary node forwards packets in active/passive?

I have to come back to this. I have watched the counters for a couple of days, and they are rising on the inactive/secondary node. Maybe I am interpreting those counters wrong, but I want to understand. Anyone care to check on their end how it looks for them (in a pure active/passive setup)?

show security flow statistics
node0:
--------------------------------------------------------------------------
    Current sessions: 1333
    Packets forwarded: 895999775
    Packets dropped: 21656684
    Fragment packets: 0

node1:
--------------------------------------------------------------------------
    Current sessions: 1374
    Packets forwarded: 73686697
    Packets dropped: 73586281
    Fragment packets: 0

What puzzles me is that the number of dropped packets is almost as high as the one for packets forwarded (node1).

I double checked, there shouldn't be any traffic on node1.

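One way to do the counter watching this post describes, as an added example and not code from the thread: parse two samples of `show security flow statistics`, take the per-node increase of the cumulative packet counters, and report whether the passive node's "Packets forwarded" counter moved and how much of that was also counted as dropped. The two samples embedded below are the outputs posted in this thread; node roles (node0 active, node1 passive) and the counter names are taken from that output, and everything else in the script is an assumption.

```python
"""Compare two samples of `show security flow statistics` from an SRX cluster.

The packet counters are cumulative, so only the difference between two
samples says whether a node is forwarding right now. "Current sessions" is
a gauge that the cluster mirrors to the passive node, so it is reported but
not differenced.
"""
import re
from typing import Dict

# Constructed input: the two outputs posted in this thread, days apart.
SAMPLE_EARLY = """\
show security flow statistics
node0:
--------------------------------------------------------------------------
    Current sessions: 2302
    Packets forwarded: 183360650
    Packets dropped: 10097368
    Fragment packets: 0

node1:
--------------------------------------------------------------------------
    Current sessions: 2541
    Packets forwarded: 15946963
    Packets dropped: 15846554
    Fragment packets: 0
"""

SAMPLE_LATER = """\
show security flow statistics
node0:
--------------------------------------------------------------------------
    Current sessions: 1333
    Packets forwarded: 895999775
    Packets dropped: 21656684
    Fragment packets: 0

node1:
--------------------------------------------------------------------------
    Current sessions: 1374
    Packets forwarded: 73686697
    Packets dropped: 73586281
    Fragment packets: 0
"""

NODE_RE = re.compile(r"^(node\d+):$")
COUNTER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(\d+)$")
PACKET_COUNTERS = ("Packets forwarded", "Packets dropped", "Fragment packets")


def parse_flow_statistics(text: str) -> Dict[str, Dict[str, int]]:
    """Return {node: {counter name: value}} from the CLI output."""
    stats: Dict[str, Dict[str, int]] = {}
    node = None
    for raw in text.splitlines():
        line = raw.strip()
        m = NODE_RE.match(line)
        if m:
            node = m.group(1)
            stats[node] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and node is not None:
            stats[node][m.group(1)] = int(m.group(2))
    return stats


def counter_deltas(early, later):
    """Per-node increase of each cumulative packet counter between samples."""
    deltas = {}
    for node, counters in later.items():
        base = early.get(node, {})
        deltas[node] = {
            name: counters[name] - base.get(name, 0)
            for name in PACKET_COUNTERS
            if name in counters
        }
    return deltas


def check_passive_node(early, later, active="node0", passive="node1"):
    """Summarise what the passive node did between the two samples."""
    d = counter_deltas(early, later)
    fwd = d[passive]["Packets forwarded"]
    drp = d[passive]["Packets dropped"]
    return {
        "active_forwarded_delta": d[active]["Packets forwarded"],
        "passive_forwarded_delta": fwd,
        "passive_dropped_delta": drp,
        # In a pure active/passive cluster this is expected to stay False.
        "passive_forwarding": fwd > 0,
        # Share of the passive node's "forwarded" packets that were also dropped.
        "passive_drop_fraction": drp / fwd if fwd else 0.0,
        # Session sync, not traffic: a non-zero count here is normal.
        "passive_sessions": later[passive].get("Current sessions", 0),
    }


if __name__ == "__main__":
    early = parse_flow_statistics(SAMPLE_EARLY)
    later = parse_flow_statistics(SAMPLE_LATER)
    for key, value in check_passive_node(early, later).items():
        print(f"{key}: {value}")
```

Run against the two posted samples, node1 shows roughly 57.7 million forwarded packets with all but a handful of them also counted as dropped, which is the near-equal forwarded/dropped pattern the post asks about; capturing the two samples a few minutes apart instead of days apart is enough to see whether the counter is still moving.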
Distinguished Expert
muttbarker

Re: Secondary node forwards packets in active/passive?

Just checked one of my customers boxes. Two SRX240 units in a pure A/P mode - RE and all I/F's are only active on node 0. Monitored stats for two hours and did not see a single packet hit the counters.

Super Contributor
cryptochrome

Re: Secondary node forwards packets in active/passive?

Thanks a lot Kevin for checking that for me. Much appreciated.

Very strange indeed. I just double checked and all interfaces are active on node0, yet I see input rate counters on the ge interfaces on node 1 increase.

Also, could someone clarify please:

Forwarded packets vs. dropped packets in the statistics: mine show an almost equal amount of packets. So it looks as if all packets are being dropped. Why do they show up in the "forwarded packets" statistic?

I will be setting up packet captures tomorrow.

Visitor
michaely@purepeak.com

Re: Secondary node forwards packets in active/passive?

Hi,

Any luck with the issue?

Looks like we have the same with an SRX210 cluster: I see traffic on the secondary node where in fact I should not see it.

Super Contributor
cryptochrome

Re: Secondary node forwards packets in active/passive?

I believe it's not actual traffic, it's just the cloned sessions from the active node. I have this on all active/passive SRXes here, regardless of Junos version.
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.