Junos

HA for SRX 210

‎06-15-2015 07:34 PM

When I set up the HA, it gave me the message "The HA management port cannot be configured". Any advice?


{primary:node1}[edit]
fwadmin1@Device_B# commit
[edit interfaces]
'fe-0/0/6'
HA management port cannot be configured
error: configuration check-out failed

 

Here is the configuration

----------------------------------

 


version 10.4R6.5;
groups {
node0 {
system {
host-name Device_A;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 10.10.11.1/24;
}
}
}
}
}
node1 {
system {
host-name Device_B;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 10.10.11.2/24;
}
}
}
}
}
}
apply-groups "${node}";
system {
root-authentication {

}
name-server {
208.67.222.222;
208.67.220.220;
}
login {
user admin1 {
uid 2002;
class super-user;
authentication {

}
}
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
router {
192.168.1.1;
}
pool 192.168.1.0/24 {
address-range low 192.168.1.2 high 192.168.1.254;
}
propagate-settings ge-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
chassis {
cluster {
reth-count 2;
redundancy-group 0 {
node 0 priority 100;
node 1 priority 1;
}
redundancy-group 1 {
node 0 priority 100;
node 1 priority 1;
interface-monitor {
fe-0/0/6 weight 255;
fe-0/0/2 weight 255;
fe-2/0/6 weight 255;
fe-2/0/2 weight 255;
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0;
}
fe-0/0/2 {
fastether-options {
redundant-parent reth1;
}
}
fe-0/0/6 {
fastether-options {
redundant-parent reth0;
}
}
fe-2/0/2 {
fastether-options {
redundant-parent reth1;
}
}
fe-2/0/6 {
fastether-options {
redundant-parent reth0;
}
}
fab0 {
fabric-options {
member-interfaces {
fe-0/0/6;
fe-2/0/6;
}
}
}
fab1 {
fabric-options {
member-interfaces {
fe-2/0/6;
}
}
}
reth0 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address 10.10.10.200/24;
}
}
}
reth1 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
protocols {
stp;
}
security {
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
reth1.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
reth0.0;
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}

{primary:node1}[edit]


Re: HA for SRX 210

‎06-15-2015 09:49 PM

Hi,

 

You are using fe-0/0/6 and 2/0/6 as fab interfaces but these interfaces are the management interfaces when using the SRX-210 in a chassis clustering setup.

 

Have a look here for the interface assignment:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB15356

 

Follow the KB article below to set up the SRX 210 in clustering mode! (I would suggest removing the complete clustering config from your devices and starting over.)

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB15505

 

 

Hope this helps a bit

Marc



-----------------------------------------------------------------
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
-----------------------------------------------------------------
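A pre-commit check for the conflict described in the reply above, as an added example that is not part of the original post: it walks a brace-style Junos configuration and reports ports that are reserved for cluster management or assigned to more than one cluster role. `RESERVED` holds only the two ports the reply names, `SAMPLE` is a constructed excerpt of the posted configuration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Assumption: only the two ports the reply above names as management ports.
RESERVED = {"fe-0/0/6", "fe-2/0/6"}
# Constructed sample, trimmed from the configuration posted in this thread.
SAMPLE = """
interfaces {
    fe-0/0/2 { fastether-options { redundant-parent reth1; } }
    fe-0/0/6 { fastether-options { redundant-parent reth0; } }
    fe-2/0/6 { fastether-options { redundant-parent reth0; } }
    fab0 { fabric-options { member-interfaces { fe-0/0/6; fe-2/0/6; } } }
    fab1 { fabric-options { member-interfaces { fe-2/0/6; } } }
}
"""

def leaves(text):
    """Yield (path, statement) for each ';'-terminated Junos statement."""
    stack, words = [], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text):
        if tok == "{":
            stack.append(" ".join(words))   # words so far name the new block
            words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            yield tuple(stack), " ".join(words)
            words = []
        else:
            words.append(tok)

def audit(text, reserved=RESERVED):
    """Return (port, issue) pairs for reserved or doubly-assigned ports."""
    roles, seen = defaultdict(set), set()
    for path, stmt in leaves(text):
        if len(path) >= 2 and path[0] == "interfaces":
            seen.add(path[1])               # any stanza under [edit interfaces]
            if path[-1] == "member-interfaces":
                seen.add(stmt)              # fabric child link, e.g. fab0 member
                roles[stmt].add("fabric member of " + path[1])
            elif stmt.startswith("redundant-parent "):
                roles[path[1]].add("child of " + stmt.split()[1])
    findings = []
    for port in sorted(seen):
        if port in reserved:
            findings.append((port, "HA management port must not be configured"))
        if len(roles[port]) > 1:
            findings.append((port, "used as " + " and ".join(sorted(roles[port]))))
    return findings
```

Calling `audit(SAMPLE)` reports both fe-0/0/6 and fe-2/0/6 twice: once as reserved management ports and once for being a reth child and a fabric member at the same time.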

Re: HA for SRX 210

‎06-16-2015 01:08 AM

I re-configured everything by following the guide from YouTube. However, node 0 is showing disabled. Any idea?

 

admin1> show chassis cluster status
Cluster ID: 1
Node Priority Status Preempt Manual failover

Redundancy group: 0 , Failover count: 0
node0 100 disabled no no
node1 1 primary no no

Redundancy group: 1 , Failover count: 0
node0 0 disabled no no
node1 0 primary no no

{disabled:node


Re: HA for SRX 210

‎06-16-2015 01:09 AM

Hello ,

 

Please check the cluster interface status:

 

> show chassis cluster interface

> show chassis cluster statistics

> show chassis cluster information details >>> hidden


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....

Re: HA for SRX 210

‎06-16-2015 01:11 AM

Can you show the config to us? Also, did you reboot the node 0 device?

 

 

Marc




Re: HA for SRX 210

‎06-16-2015 02:54 AM

It was okay after I rebooted the node0 firewall. Below is the status. However, the GUI was not accessible. Please refer to the attached screenshot.

 

admin1@Device_A> show chassis cluster status
Cluster ID: 1
Node Priority Status Preempt Manual failover

Redundancy group: 0 , Failover count: 0
node0 100 secondary no no
node1 1 primary no no

Redundancy group: 1 , Failover count: 0
node0 100 secondary no no
node1 1 primary no no

{secondary:node0}
admin1@Device_A> show chassis cluster statistics
Control link statistics:
Control link 0:
Heartbeat packets sent: 704
Heartbeat packets received: 700
Heartbeat packet errors: 0
Fabric link statistics:
Probes sent: 702
Probes received: 608
Probe errors: 0
Services Synchronized:
Service name RTOs sent RTOs received
Translation context 0 0
Incoming NAT 0 0
Resource manager 0 0
DS-LITE create 0 0
Session create 0 8
IPv6 session create 0 0
Session close 0 4
IPv6 session close 0 0
Session change 0 4
IPv6 session change 0 0
Gate create 0 0
Session ageout refresh requests 0 0
IPv6 session ageout refresh requests 0 0
Session ageout refresh replies 0 0
IPv6 session ageout refresh replies 0 0
IPSec VPN 0 0
Firewall user authentication 0 0
MGCP ALG 0 0
H323 ALG 0 0
SIP ALG 0 0
SCCP ALG 0 0
PPTP ALG 0 0
JSF PPTP ALG 0 0
RPC ALG 0 0
RTSP ALG 0 0
RAS ALG 0 0
MAC address learning 0 0
GPRS GTP 0 0
GPRS SCTP 0 0
GPRS FRAMEWORK 0 0
JSF RTSP ALG 0 0
JSF SUNRPC MAP 0 0
JSF MSRPC MAP 0 0
DS-LITE delete 0 0

{secondary:node0}
admin1@Device_A> show chassis cluster interfaces
Control link 0 name: fxp1
Control link status: Up

Fabric interfaces:
Name Child-interface Status
fab0 fe-0/0/5 up
fab0
fab1 fe-2/0/5 up
fab1
Fabric link status: Up

Redundant-ethernet Information:
Name Status Redundancy-group
reth0 Down 1
reth1 Up 1

Interface Monitoring:
Interface Weight Status Redundancy-group
fe-2/0/5 255 Up 1
fe-0/0/5 255 Up 1
fe-2/0/2 255 Up 1
fe-0/0/2 255 Up 1

{secondary:node0}
admin1@Device_A>

Solution
Accepted by topic author yellow_star
‎08-26-2015 01:27 AM

Re: HA for SRX 210

‎06-16-2015 03:11 AM

Hi,

 

You need to add the interfaces you want the webgui to be able to work on in the config:

 

set system services web-management http interface reth1.0

set system services web-management https interface reth1.0

 

You also need to allow http / https traffic on the security zone the interfaces are in. So let's say your reth1.0 interface must be in zone trust:

 

 

set security zones security-zone trust interfaces reth1.0 host-inbound-traffic system-services http

set security zones security-zone trust interfaces reth1.0 host-inbound-traffic system-services https

set security zones security-zone trust interfaces reth1.0 host-inbound-traffic system-services ssh

 

hope this helps a bit

Marc




Re: HA for SRX 210

‎06-16-2015 10:54 PM

I am new to the SRX firewall. I have a few questions about the setup.

 

1. I did a test by removing the cable for the FAB interface. One of the nodes became disabled. I had to reboot it to make the HA work fine again. Is it necessary to reboot every time node 0 or node 1 loses its connection to the other?

 

2. To define the zone (trust/untrust) or zone interface, can it be done from the web GUI? Or can it only be done from the CLI?

 

3. What is the difference between the control link and the data link (fabric link)? I only know that they are required for chassis cluster interconnection and out-of-band management. 2 interfaces will be used for this setup.

 


Re: HA for SRX 210

‎06-16-2015 11:55 PM

Why remove a fab cable? You can do a switchover to the other member of the cluster. Or you can remove a cable from one of the reth interfaces.

 

2. You can create and configure zones in the webgui. I'm not a webgui fan!!! I'd rather use the CLI.

 

Marc


