SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  about the nat port on srx HA

    Posted 08-30-2011 01:41

    Hi all,

    I found KB17855: in a "cluster" (HA) environment, "nat source" with "port no-translation" works differently. The meaning of this KB is not very clear to me. Could you give me more detailed information?

     

     

    Thank you.

     

    KB: http://kb.juniper.net/InfoCenter/index?page=content&id=KB17855&actp=search&viewlocale=en_US&searchid=1314691896284#



  • 2.  RE: about the nat port on srx HA

     
    Posted 08-30-2011 05:18

    Hi Zhoukangle,

     

    KB17855 seems to be clear (but I haven't tested it): in an SRX cluster the src-pool is partitioned between the two cluster nodes. Depending on the Junos version and the Active-Active/Active-Backup configuration, you may have only half of the pool available for source translations.

     

    As a result, if the pool is too small, in some scenarios you may get address allocation failures with ~50% of the src-pool addresses not used at all. In the case of a non-clustered SRX, the whole src-pool will be used.

    jtb



  • 3.  RE: about the nat port on srx HA

    Posted 08-30-2011 20:01

    Hi jtb,

    Thank you for your response. In this KB, there is a description as follows:

     

    Example 1 - With one range of IP addresses in a pool with 3 IP addresses:

    set security nat source pool src-pool address 192.168.1.100/32 to 192.168.1.102/32
    set security nat source pool src-pool port no-translation

    => The source nat is allocated as below:
    node 0 pool : 192.168.1.102

    node 1 pool : 192.168.1.100 - 192.168.1.101

    I have no idea why the node 0 pool is 192.168.1.102. Is there any rule for this on the SRX3600?

     

    Thank you.



  • 4.  RE: about the nat port on srx HA

     
    Posted 08-31-2011 05:56

    Hi,

     

    The KB does not describe the rules for how the src-pool is partitioned. Is it really important for you? Does it apply to your HA cluster (A-A, A-S, which Junos version)?

    It more or less looks like node 0 takes the upper ~half of the pool (Example 3 is a small exception to the rule).

    jtb



  • 5.  RE: about the nat port on srx HA

    Posted 08-31-2011 19:57

    Hi jtb,

     

    Thank you for your response. It is important to me. My HA cluster is A/S, and the version is 10.4I0.

     

    Thank you.



  • 6.  RE: about the nat port on srx HA
    Best Answer

     
    Posted 09-01-2011 02:32

    Hi,

     

    The KB says:

    In Junos 10.3 and later, this is only true for Active-Active HA. In Active-Backup HA, the whole pool address space is available for a node.

     

    So, it seems that your cluster should work as a standalone SRX, with the full src-pool available to the active node. Can't you just test it?

    jtb 



  • 7.  RE: about the nat port on srx HA

    Posted 09-01-2011 22:08

    Hi jtb, thank you for your response. I see, and I will check it later.