SRX Services Gateway

FXP0 interface configuration for Juniper SRX300 cluster

‎08-21-2019 01:21 AM

Hello all,

I have 2x SRX300 clustered together. Interface Gi0/0/0 (in each node) is my FXP0 so I have connected it up to my switch where my default gateway sits (VLAN L3 interface 10.10.10.254/24). Currently the firewalls are not connected anywhere else - just Ge-0/0/0 and Ge1/0/0 are connected to the same switch.

Node0 - FXP0 - 10.10.10.1/24
Node1 - FXP0 - 10.10.10.2/24

From the switch I can ping or ssh to both firewalls using the IPs assigned to the FXP0 interfaces (directly connected subnet) - that works as expected. Also I have a laptop connected to the same switch/VLAN with IP address 10.10.10.10, from which I can access both firewalls too.

Now, what I would like to do is to be able to access both firewalls from a different subnet (the subnet my laptop is connected to, 20.20.20.0/24).

I have configured the static route as follows:

set routing-options static route 20.20.20.0/24 next-hop 10.10.10.254

where 20.20.20.0/24 is the laptop subnet and 10.10.10.254 is the VLAN L3 interface on the switch the firewalls are connected to.

Now I can ping 10.10.10.1 from the 20.20.20.0/24 subnet but cannot ping 10.10.10.2 from 20.20.20.0/24.

I understand I need to let Node1 (Passive) use Node0's (Active) routing table, so I configured the backup-router:

set groups node0 system backup-router 10.10.10.254 destination 20.20.20.0/24
set groups node1 system backup-router 10.10.10.254 destination 20.20.20.0/24

Unfortunately that hasn't changed anything and I'm still not able to ping/ssh to the passive node1.

What am I missing here?


Re: FXP0 interface configuration for Juniper SRX300 cluster

‎08-21-2019 03:08 AM

Since the passive node is not active it does not have a full normal routing table.  You will need to configure the backup-router option to extend the reachability of the passive node.

 

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/backup-router-configurin...

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: FXP0 interface configuration for Juniper SRX300 cluster

‎08-21-2019 03:20 AM

Hi,

 

Can you share the output of the below command:

 

show configuration | display set | match groups

 

Regards,

Pradeep.


Re: FXP0 interface configuration for Juniper SRX300 cluster

‎08-21-2019 04:16 AM

Hi,

 

Your configuration of enabling the backup router is absolutely the right thing to do. I hope you have also applied the groups configuration.

 

set apply-groups "${node}"

 

If this is done, you should be good. If the above is applied and it is still not working, you can check whether the packet is indeed coming to the RE:

 

root@fw> monitor traffic interface fxp0 no-resolve matching icmp 
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on fxp0, capture size 96 bytes

19:12:11.972550  In IP 20.20.20.10 > 10.10.10.2: ICMP echo request, id 1, seq 133, length 40
19:12:11.972620 Out IP 10.10.10.2 > 20.20.20.10: ICMP echo reply, id 1, seq 133, length 40
19:12:12.975198  In IP 20.20.20.10 > 10.10.10.2: ICMP echo request, id 1, seq 134, length 40
19:12:12.975266 Out IP 10.10.10.2 > 20.20.20.10: ICMP echo reply, id 1, seq 134, length 40
19:12:13.983785  In IP 20.20.20.10 > 10.10.10.2: ICMP echo request, id 1, seq 135, length 40
19:12:13.983851 Out IP 10.10.10.2 > 20.20.20.10: ICMP echo reply, id 1, seq 135, length 40
19:12:14.991747  In IP 20.20.20.10 > 10.10.10.2: ICMP echo request, id 1, seq 136, length 40
19:12:14.991813 Out IP 10.10.10.2 > 20.20.20.10: ICMP echo reply, id 1, seq 136, length 40

 

Regards,

 

Vikas


Re: FXP0 interface configuration for Juniper SRX300 cluster

‎08-21-2019 05:49 AM

Please see output below:

 

root@junipersrx300-01> show configuration | display set | match groups
set groups node0 system host-name junipersrx300-01
set groups node0 system backup-router 10.10.10.254
set groups node0 system backup-router destination 20.20.20.0/24
set groups node0 system time-zone Asia/Tokyo
set groups node0 interfaces fxp0 no-traps
set groups node0 interfaces fxp0 unit 0 family inet address 10.10.10.1/24
set groups node1 system host-name junipersrx300-02
set groups node1 system backup-router 10.10.10.254
set groups node1 system backup-router destination 20.20.20.0/24
set groups node1 system time-zone Asia/Tokyo
set groups node1 interfaces fxp0 no-traps
set groups node1 interfaces fxp0 unit 0 family inet address 10.10.10.2/24
set apply-groups "${node}"


Re: FXP0 interface configuration for Juniper SRX300 cluster

‎08-21-2019 05:58 AM

Thanks Nelumbo,

 

This is interesting...

I have enabled 'monitor traffic interface fxp0' but I can only see traffic coming in/out when I ping 10.10.10.1.

When I ping 10.10.10.2 nothing comes in or out, even when pinging from my test laptop with IP 10.10.10.10.

The IP is pingable from the laptop but I cannot see anything on the firewall.

Does that mean I made a schoolboy error and have my IP of 10.10.10.2 active somewhere else in the network, or can I only see the traffic coming to the Active Node0 fxp interface with that command?

I will try to shut down the switch interface towards my Node1 to see if it's still pingable.

[EDIT]

I have double checked the MAC address and the ARP table and everything seems to be correct.

I have shut down the switch interface towards the fxp0 Node1 interface and it stopped replying, so no IP conflict there. I have re-enabled the interface and it is no longer pingable.

Should I be able to see the IP address assigned to the FXP0 interface of Node1 when issuing the 'show interfaces terse' command? For some reason I can only see active Node0 interfaces.

Guys, what am I missing?

This is how I assigned the IPs to the interfaces:

#set groups node0 interfaces fxp0 unit 0 family inet address 10.10.10.1/24
#set groups node1 interfaces fxp0 unit 0 family inet address 10.10.10.2/24


Re: FXP0 interface configuration for Juniper SRX300 cluster

‎08-21-2019 09:17 AM

Hi domelsnake, were you logged in to node 1 when you tried "monitor traffic interface fxp0" and "show interfaces terse"? I think you have to be logged in to node 1, else you are only seeing node 0 info. Try those commands and let us know.

 

Also when logged in to node 0 try: > show route forwarding-table destination [Remote_PC_IP]

 

Try also deleting backup-router configuration and re-applying it.

 

 

 

Please mark my answer as the Solution if it applies.

Re: FXP0 interface configuration for Juniper SRX300 cluster

‎08-21-2019 09:36 PM

Hello,

 

"Monitor traffic interface" monitors RE-bound traffic. I believe you are running "monitor traffic interface fxp0" from node0, hence you are not seeing the ping for 10.10.10.2, which will be seen on the node1 RE.

 

So please ensure you are connected to node1 RE when you are running the "monitor traffic..."

 

You can login to node1 from node0 - request routing-engine login node 1

 

Regards,

 

Vikas


Re: FXP0 interface configuration for Juniper SRX300 cluster

‎08-21-2019 09:42 PM

Hi,

 

If you do a "show interfaces terse fxp0" after logging into the node1 RE as mentioned in the earlier update, you will see the difference. It will then show the fxp0 IP of node1.

 

Regards,

 

Vikas


Re: FXP0 interface configuration for Juniper SRX300 cluster

a month ago

Hi guys,

 

I wasn't aware I needed to jump from Node0 to Node1 to see the ICMP requests/replies on the FXP0 interface.

 

I have just tried that and this is what I'm getting:

 

root@junipersrx300-01> request routing-engine login node 1
node1: No route to host
node1: No route to host

 

Does that mean this is something wrong with the cluster configuration?


Re: FXP0 interface configuration for Juniper SRX300 cluster

a month ago

Is the cluster status fine?

 

> show chassis cluster status

 

Try also the following command from shell:

 

> start shell
% rlogin -T node1
Please mark my answer as the Solution if it applies.

Re: FXP0 interface configuration for Juniper SRX300 cluster

a month ago

Thank you mrojas,

 

root@junipersrx300-01> show chassis cluster status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring      RE  Relinquish monitoring

Cluster ID: 3
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  100      primary        no      no       None
node1  0        lost           n/a     n/a      n/a

Redundancy group: 1 , Failover count: 1
node0  0        primary        no      no       IF
node1  0        lost           n/a     n/a      n/a

 

I believe the cluster is down, not too sure why - will need to check on that.

 

I used interface Ge-0/0/2 as SYNC and I can see the interface is UP/UP, which would indicate that Node1 is powered up and the L1 between both firewalls is UP too.

 

root@junipersrx300-01> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lt-0/0/0                up    up
ge-0/0/1                up    down
ge-0/0/2                up    up
ge-0/0/2.0              up    up   aenet    --> fab0.0
ge-0/0/3                up    down
ge-0/0/4                up    down
ge-0/0/4.0              up    down aenet    --> reth0.0
ge-0/0/5                up    down
ge-0/0/5.0              up    down aenet    --> reth1.0
ge-0/0/6                up    down
ge-0/0/7                up    down


Re: FXP0 interface configuration for Juniper SRX300 cluster

a month ago

Hi,

 

The fact that node 0 can't see node 1 might be related to the control link between the nodes. Please gather:

 

> show chassis cluster interfaces
> show chassis cluster statistics

 

Note that in a Chassis Cluster both nodes are required to be connected to each other via at least two links: the control link and the fab link. The control link is used for synchronizing the control plane of both nodes, and in the SRX300 series the control link will be ge-0/0/1. I can see that this interface is down; please review it.

 

The fact that the control link is down might also explain why the configuration is not synchronized between both nodes, and maybe the fxp0 interface on node 1 is not currently configured as we thought.

 

Please mark my answer as the Solution if it applies.
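The cluster status and interface listing posted above can be checked mechanically rather than by eye. The script below is an added example, not code from this thread or from Juniper: it parses the text of "show chassis cluster status" and "show interfaces terse" (the sample outputs embedded here are constructed from the ones posted above) and flags exactly the conditions discussed in this thread: a node in "lost" state, a redundancy-group monitor failure, and a down control link (ge-0/0/1 on the SRX300, as stated above) or fabric-bundle member. The function names, the CONTROL_LINK constant and the regular expressions are my own assumptions about the output layout; real Junos output is column-aligned, which the whitespace-tolerant patterns accept.

```python
"""Health check over Juniper SRX chassis-cluster CLI output (added example)."""
import re

# Sample outputs, constructed from the ones posted in the thread above.
CLUSTER_STATUS = """\
Cluster ID: 3
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  100      primary        no      no       None
node1  0        lost           n/a     n/a      n/a

Redundancy group: 1 , Failover count: 1
node0  0        primary        no      no       IF
node1  0        lost           n/a     n/a      n/a
"""

INTERFACES_TERSE = """\
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/1                up    down
ge-0/0/2                up    up
ge-0/0/2.0              up    up   aenet    --> fab0.0
ge-0/0/3                up    down
"""

# On the SRX300 the control link (fxp1) is ge-0/0/1, as stated in the thread.
# Assumed constant; adjust for other platforms.
CONTROL_LINK = "ge-0/0/1"


def parse_cluster_status(text):
    """Return {rg_number: {node: {"priority", "status", "monitor_failures"}}}."""
    groups = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Redundancy group:\s*(\d+)", line)
        if m:
            current = int(m.group(1))
            groups[current] = {}
            continue
        # Node rows: name, priority, status, preempt, manual, monitor-failures
        m = re.match(r"(node\d)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", line)
        if m and current is not None:
            node, prio, status, _preempt, _manual, failures = m.groups()
            groups[current][node] = {
                "priority": int(prio),
                "status": status,
                "monitor_failures": [] if failures in ("None", "n/a") else failures.split(","),
            }
    return groups


def parse_interfaces_terse(text):
    """Return {ifname: {"admin", "link", "bundle"}}; bundle is the aenet target, if any."""
    ifaces = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(up|down)\s+(up|down)(?:\s+aenet\s+-->\s+(\S+))?", line)
        if m:
            name, admin, link, bundle = m.groups()
            ifaces[name] = {"admin": admin, "link": link, "bundle": bundle}
    return ifaces


def cluster_findings(status_text, terse_text):
    """List human-readable problems; an empty list means the cluster looks healthy."""
    findings = []
    groups = parse_cluster_status(status_text)
    ifaces = parse_interfaces_terse(terse_text)

    for rg, nodes in sorted(groups.items()):
        primaries = [n for n, info in nodes.items() if info["status"] == "primary"]
        if len(primaries) != 1:
            findings.append(f"RG{rg}: expected exactly one primary, found {primaries}")
        for node, info in nodes.items():
            if info["status"] == "lost":
                findings.append(f"RG{rg}: {node} is lost (peer unreachable over control link)")
            for code in info["monitor_failures"]:
                findings.append(f"RG{rg}: {node} reports monitor failure {code}")

    ctl = ifaces.get(CONTROL_LINK)
    if ctl is None:
        findings.append(f"control link {CONTROL_LINK} not present in interface list")
    elif ctl["link"] != "up":
        findings.append(f"control link {CONTROL_LINK} is admin {ctl['admin']} / link {ctl['link']}")

    # Fabric link: any interface whose aenet target is fab0/fab1 must be up.
    fab_members = [n for n, i in ifaces.items() if i["bundle"] and i["bundle"].startswith("fab")]
    if not fab_members:
        findings.append("no interface is a member of a fabric bundle (fab0/fab1)")
    for name in fab_members:
        if ifaces[name]["link"] != "up":
            findings.append(f"fabric member {name} is link {ifaces[name]['link']}")

    return findings


if __name__ == "__main__":
    for finding in cluster_findings(CLUSTER_STATUS, INTERFACES_TERSE):
        print("FAIL:", finding)
```

Run against the sample text it reports node1 lost in both redundancy groups, the IF monitor failure on node0 in RG1, and the down control link ge-0/0/1, which is the same conclusion reached in this thread; feed it the output of a healthy pair and it returns an empty list, so it can sit in a monitoring job that pulls the two commands over SSH.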

Re: FXP0 interface configuration for Juniper SRX300 cluster

a month ago

Thanks mrojas,

 

I believe this is the issue here - the cable between ge-0/0/1 and ge-1/0/1 (fxp1) seems to be disconnected.

 

I will get this re-connected and try again.

 

So just to clarify, when clustering 2x SRX300 the interfaces are repurposed as follows?:

 

ge-0/0/0 - becomes fxp0 - OOB management

ge-0/0/1 - becomes fxp1 - Control Link

 


Re: FXP0 interface configuration for Juniper SRX300 cluster

a month ago

In addition to the fxp0 mgmt port and the control link port there is also a fabric link that connects between both nodes in the cluster. 

 

This document lays out the reserved ports, like you mention ge-0/0/0 and ge-0/0/1 in your case, but you also need to select and connect the fabric ports on both nodes.

 

https://www.juniper.net/documentation/en_US/junos/topics/task/operational/chassis-cluster-srx-series...

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home