pmazurkiewicz
Accepted Solution

UTM in a chassis cluster

Hi,

I need to ensure that the chassis cluster (HA) normally (i.e. when not degraded/failed) works as active/passive (versus A/A). How can I do that?

Maybe if I could make RG0 follow the other RGs in an HA cluster? I cannot preempt RG0...

The root cause is that on SRX branch devices, UTM is supported only for an active/backup chassis cluster configuration with both RG0 and RG1 active on the same node. It is not supported for an active/active chassis cluster configuration. I think that holds true for versions up to 11.2. I guess that on 11.4 UTM is supported in active/active – but still without Sophos AV (and I need Sophos AV – so I have to stick to an active/passive HA config). The problem is that I see no way I can configure that – even with node0 having a higher priority, it seems to be a game of chance whether it gets RG0, with no preemption available for that RG… (if node1 boots first – it will get RG0)

Regards,

Pawel Mazurkiewicz

billp

Re: UTM in a chassis cluster

Easiest way is to not enable preemption on RG1+, and set interface tracking on all RGs to track the same interfaces. Since you can't set preempt on RG0, if you want to keep RG1+ on the same chassis then avoid using it on any RG. Tracking interface failures on RG0 isn't officially recommended but it works, and will keep all RGs on the same chassis when under normal operation.

pmazurkiewicz

Re: UTM in a chassis cluster

Thank you.

BTW: my testing shows that Sophos AV simply stops scanning when in active/active, but the traffic flows OK - so it seems to be a minor issue.

Regards,

Pawel
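
A monitoring check for the condition discussed in this thread, as an added example that is not part of any post: it parses text laid out like `show chassis cluster status` output and reports when redundancy groups have their primaries on different nodes (the state in which Sophos AV was observed to stop scanning while traffic still flows) or when preempt is enabled on RG1+. The sample text is constructed, its column layout is an assumption to verify against your Junos release, and the function names are hypothetical.

```python
import re

# Constructed sample text; layout assumed to resemble `show chassis cluster status`.
TEMPLATE = """Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   200         primary        no       no
    node1                   100         secondary      no       no

Redundancy group: 1 , Failover count: 1
    node0                   200         {a}      {pre}       no
    node1                   100         {b}      {pre}       no
"""
SAMPLE_OK = TEMPLATE.format(a="primary", b="secondary", pre="no")
SAMPLE_SPLIT = TEMPLATE.format(a="secondary", b="primary", pre="yes")

RG_HEADER = re.compile(r"^Redundancy group:\s*(\d+)")
NODE_ROW = re.compile(r"^\s*(node\d+)\s+(\d+)\s+(\S+)\s+(\S+)")

def parse_cluster_status(text):
    """Return {rg_id: {"primary": [node names], "preempt": bool}}."""
    groups, current = {}, None
    for line in text.splitlines():
        m = RG_HEADER.match(line)
        if m:
            current = groups.setdefault(int(m.group(1)), {"primary": [], "preempt": False})
            continue
        m = NODE_ROW.match(line)
        if m and current is not None:
            node, _priority, status, preempt = m.groups()
            if status == "primary":
                current["primary"].append(node)
            current["preempt"] = current["preempt"] or preempt == "yes"
    return groups

def check_active_passive(text):
    """Return findings; an empty list means every RG is primary on the same node."""
    groups = parse_cluster_status(text)
    if not groups:
        return ["no redundancy groups parsed"]
    findings = []
    for rg, info in sorted(groups.items()):
        if len(info["primary"]) != 1:
            findings.append(f"RG{rg}: expected one primary, got {info['primary']}")
        if rg != 0 and info["preempt"]:
            findings.append(f"RG{rg}: preempt enabled")
    primaries = sorted({n for info in groups.values() for n in info["primary"]})
    if len(primaries) > 1:
        findings.append(f"RGs split across {primaries}: UTM scanning not supported")
    return findings
```

Run it against collected CLI output on a schedule and alert on any non-empty result, since the split state does not interrupt traffic and would otherwise go unnoticed.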
