SRX Services Gateway
Trusted Contributor
michael.saw
Posts: 1,048
Registered: ‎09-26-2011
0

Unable to ping secondary node on SRX3600 cluster

Hi

 

We just completed a project for a SRX HA Cluster.

However we are unable to ping the secondary node fxp0.

 

What could be some of the possible causes?

 

Thanks!

Michael
JNCIA-JUNOS, JNCIS-ENT/SEC, JNCIP-ENT
(CCNA, ACMP, ACFE, CISE)
"http://www.thechampioncommunity.com/"
CONNECT EVERYTHING. EMPOWER EVERYONE.
Share & Learn. Knowledge is Power.

"If there's a will, there's a way!"
Trusted Expert
Kashif-rana
Posts: 417
Registered: ‎01-29-2008
0

Re: Unable to ping secondary node on SRX3600 cluster

Hi

 

If you are pinging from a subnet other than the fxp0 interface subnet, then you cannot ping because the routing daemon is not active on the secondary node. In order to reach the fxp0 interface of the secondary node, you have to define the backup-router configuration like below:

 

set groups node0 system backup-router <gateway IP of fxp0>
set groups node0 system backup-router destination <IP/32>

 

set groups node1 system backup-router <gateway IP of fxp0>
set groups node1 system backup-router destination <IP/32>

 

NOTE:

 

- Where <IP/32> is the IP address from where you are accessing the fxp0 of the secondary node

- In <IP/32>, /32 is used because on the primary node there could already be the subnet from where you are accessing. /32 will provide the more specific route for fxp0 routing

 

HTH

 

 

Kashif Rana
JNCIE-SEC, JNCIE-ENT, JNCIE-SP, JNCIS(FWV,SSL),JNCIA(IDP,AC,WX),BIG IP-F5-LTM, CCNP
----------------------------------------------------------------------------------------------------------------------------------------

If this post was helpful, please mark this post as an "Accepted Solution". Kudos are always appreciated!
Trusted Contributor
michael.saw
Posts: 1,048
Registered: ‎09-26-2011
0

Re: Unable to ping secondary node on SRX3600 cluster

Thanks for the tip, kashif-rana :)

I'll test it out! :)

Thanks!

Michael
Juniper Employee
wandererjs
Posts: 34
Registered: ‎08-27-2009

Re: Unable to ping secondary node on SRX3600 cluster

Please note that the configuration provided above is not complete.

 

To ensure the standby node has management access when standby, you must configure two items, and really really really should configure a 3rd.

 

1) Backup router statement. This can go inside 'groups node0' or 'groups node1', but if both management addresses are on the same subnet, it can go with the rest of the system config.

 

2) ** Unique addresses for each node **, configured with the groups config. Without it, both nodes will have the same IP address and will fight for it, creating MAC conflicts. I like to use the 'master-only' address as well, so I can always reach the active node with one address, but can reach an individual node if I need to. This also gives you the option to specify syslog source-address, if you want the logs separated by node.

 

3) You really should create static routes to match your backup-router networks with the 'retain' flag (and I always use 'no-readvertise', too).  The backup router statement is only used when the routing-engine is booting and before RPD starts for the first time.  If you manually switch a cluster over, the backup-router statement is not reprocessed, as RPD already started, and you will lose connectivity to the original node.  Same thing happens if you switch over and switch back.

 

HTH,

 

Joel

 

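groups {
    /* Per-node fxp0 addressing: the master-only address follows the primary node */
    node0 {
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.99.10/24 {
                            master-only;
                        }
                        address 192.168.99.11/24;
                    }
                }
            }
        }
    }
    node1 {
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.99.10/24 {
                            master-only;
                        }
                        address 192.168.99.12/24;
                    }
                }
            }
        }
    }
}
/* Each node applies only the group that matches its own node name */
apply-groups "${node}";

system {
    /* Used while the routing engine boots, before RPD starts */
    backup-router 192.168.99.1 destination [ 10.20.30.0/24 10.200.40.0/24 ];
}
routing-options {
    static {
        /* Same networks as the backup-router destinations, kept with 'retain' */
        route 10.20.30.0/24 {
            next-hop 192.168.99.1;
            retain;
            no-readvertise;
        }
        route 10.200.40.0/24 {
            next-hop 192.168.99.1;
            retain;
            no-readvertise;
        }
    }
}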
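The three-item checklist from the post above can be checked mechanically against a configuration in `set` form. This is an added example, not part of the original post and not Juniper tooling; the function name `audit_fxp0` and the sample lines (the post's configuration rewritten by hand in `set` form) are assumptions made for illustration.

```python
import re

# Constructed sample: the configuration from the post above, rewritten by hand
# in "set" form (not captured from a real device).
COMPLETE = """
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.99.10/24 master-only
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.99.11/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.99.10/24 master-only
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.99.12/24
set system backup-router 192.168.99.1 destination 10.20.30.0/24
set system backup-router 192.168.99.1 destination 10.200.40.0/24
set routing-options static route 10.20.30.0/24 next-hop 192.168.99.1
set routing-options static route 10.20.30.0/24 retain
set routing-options static route 10.200.40.0/24 next-hop 192.168.99.1
set routing-options static route 10.200.40.0/24 retain
""".strip().splitlines()
# Same config with the 'retain' lines dropped (checklist items 1 and 2 only).
NO_RETAIN = [l for l in COMPLETE if not l.endswith(" retain")]

def audit_fxp0(set_lines):
    """Return findings for the three-item standby management checklist."""
    per_node = {"node0": set(), "node1": set()}   # non master-only fxp0 addresses
    dests, retained = set(), set()
    for line in set_lines:
        m = re.search(r"groups (node[01]) interfaces fxp0 unit 0 family inet address (\S+)(.*)", line)
        if m and "master-only" not in m.group(3):
            per_node[m.group(1)].add(m.group(2))
        # Accepts both "backup-router <gw> destination <net>" and "backup-router destination <net>"
        m = re.search(r"system backup-router (?:\S+ )?destination (\S+)", line)
        if m:
            dests.add(m.group(1))
        m = re.search(r"routing-options static route (\S+) retain\b", line)
        if m:
            retained.add(m.group(1))
    findings = []
    if not dests:
        findings.append("no backup-router destination configured")
    for node, addrs in per_node.items():
        if not addrs:
            findings.append(f"{node}: no per-node fxp0 address")
    if per_node["node0"] & per_node["node1"]:
        findings.append("node0 and node1 share a per-node fxp0 address")
    for d in sorted(dests - retained):
        findings.append(f"{d}: backup-router destination has no static route with 'retain'")
    return findings

if __name__ == "__main__":
    for name, cfg in (("complete", COMPLETE), ("no retain", NO_RETAIN)):
        print(name, audit_fxp0(cfg) or "OK")
```
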

 

 

Trusted Expert
Kashif-rana
Posts: 417
Registered: ‎01-29-2008
0

Re: Unable to ping secondary node on SRX3600 cluster

Hi

 

Of course I assumed that the fxp interfaces of both nodes have different management IPs, so I did not mention it. The backup-router statement is the key. The third step you mention is for the subnets whose routing is not through inband interfaces of the firewall, which is mostly not the case.

Kashif Rana
Juniper Employee
wandererjs
Posts: 34
Registered: ‎08-27-2009
0

Re: Unable to ping secondary node on SRX3600 cluster


Kashif-rana wrote:
...The third step you mention is for the subnets whose routing is not through inband interfaces of firewall, which is mostly not the case.


Yes, the primary use of 'retain' and 'no-readvertise' flags is for routes out the OOB management interface (fxp0).  These are the same routes as used by backup-router destination.  (backup-router destinations may be a subset, if you have a lot of these).

 

I listed them as part of the 'backup-router' checklist because they're important for the end goal: management of the secondary node of an SRX cluster (or any backup-routing engine on any JunOS platform:  EX8208, XRE, M/MX, etc).

 

If you don't have these routes, you will lose connectivity to the (new) standby node after a cluster switchover.  IMPO, if you're configuring backup router statements, unique IP addresses per node on fxp0, and omit the management routes with 'retain' flag, you're doing 95% of a complete solution and then missing the 32 yard field goal in the last 15 seconds of the game.

 

Regards,

 

Joel


Juniper Employee
DKP
Posts: 1
Registered: ‎05-23-2012
0

Re: Unable to ping secondary node on SRX3600 cluster

Hi

 

How to get the serial number of the secondary node of an SRX1400 cluster configuration?

I'm able to find the serial number of the primary node, however I'm unable to get the serial number of the secondary node since primary and secondary both have the same login IP.

 

Any suggestion appreciated.

 

Regards,

\D

Trusted Contributor
michael.saw
Posts: 1,048
Registered: ‎09-26-2011
0

Re: Unable to ping secondary node on SRX3600 cluster

Are you using CLI or GUI?
Thanks!

Michael