SRX


Failover not forwarding Traffic to Cisco 3750 from Juniper SRX 650- LACP Line

  • 1.  Failover not forwarding Traffic to Cisco 3750 from Juniper SRX 650- LACP Line

    Posted 11-13-2016 00:18

    Dear Friends,

    I am facing an issue with Cisco switch / Juniper SRX650 failover.
    I have a two-unit 3750 stack switch connected to two Juniper SRX650 devices configured for failover.

    Let me explain the internal switch configuration.
    We have a stack switch setup (2 x Cisco 3750 hardware).

    The configuration is as follows:

    interface Port-channel2
    description To Firewall
    no switchport
    ip address 192.168.50.1 255.255.255.0


    interface Port-channel4
    description To Firewall
    no switchport
    ip address 192.168.51.1 255.255.255.0


    ### Interface config ###

    interface GigabitEthernet1/0/23
    description PortChannel to Juniper SRX2
    no switchport
    no ip address
    channel-group 4 mode active
    !
    interface GigabitEthernet1/0/24
    description PortChannel to Juniper SRX2
    no switchport
    no ip address
    channel-group 4 mode active


    interface GigabitEthernet2/0/23
    description PortChannel to Juniper SRX1
    no switchport
    no ip address
    channel-group 2 mode active
    !
    interface GigabitEthernet2/0/24
    description PortChannel to Juniper SRX1
    no switchport
    no ip address
    channel-group 2 mode active

     


    ### Routing ###

    ip route 0.0.0.0 0.0.0.0 192.168.50.2
    ip route 0.0.0.0 0.0.0.0 192.168.51.2 50

     


    Current physical cabling (while checking failover, data traffic is not reaching the switch in the current setup):

     

    GigabitEthernet2/0/23 & GigabitEthernet2/0/24 -> Juniper 1 (Port channel 2)
    GigabitEthernet1/0/23 & GigabitEthernet1/0/24 -> Juniper 2 (Port channel 4)

     

    Proposed physical change I am planning from the switch side to solve this issue (please advise whether this will work or not, and what precautions we have to take before starting this activity, e.g. need to shut down LACP on the switch etc.):

    GigabitEthernet1/0/23 & GigabitEthernet2/0/24 -> Juniper 1 (Port channel 4 & Port channel 2)
    GigabitEthernet2/0/23 & GigabitEthernet1/0/24 -> Juniper 2 (Port channel 2 & Port channel 4)

     

    Now channel group 2 is active; during failover the connection will switch to 4, but no traffic is initiating. I think the switch is still forwarding traffic to the channel group 2 interfaces.

     

     

    Thanks in Advance

    Sarath



  • 2.  RE: Failover not forwarding Traffic to Cisco 3750 from Juniper SRX 650- LACP Line

    Posted 11-13-2016 00:47

    How are you testing failover?

    Are you shutting the port channel and interfaces down completely?

     

    When you do this, does the route change on the Cisco side (i.e. does it remove the first default route)?

    The route won't drop from the table unless the physical interfaces are down or you are using some kind of tracking / IP SLA.

    I don't understand your intended cabling changes; it looks like you are trying to take a cable from each port channel to each SRX?

     



  • 3.  RE: Failover not forwarding Traffic to Cisco 3750 from Juniper SRX 650- LACP Line

    Posted 11-13-2016 01:16

    We manually switched the active primary firewall to the secondary, so the secondary firewall came to active mode. But the traffic to the switch is not happening "automatically".

    But when I manually shut down and enable LACP on the switch, traffic is happening. I think after failover the routing is still happening to the previous firewall. As you mentioned, there is no change to routing. During that time I thought if we power off the primary (not manual switching) it will solve the issue because that interface will go down.

    But recently we checked the same again and traffic is not forwarding from the Cisco switch. Is there any change required in the routing entry, or is ACL / policy based routing required? If so kindly advise.

    Why I am trying to change the cabling is "to share the same traffic to both firewalls". So while failing over, since LACP 2 & 4 are shared, it will solve the traffic issue. Please advise on this also. I am confused in this part. Is there any alternative solution for this? Kindly advise. (ALL TRAFFIC IS FINE, BUT DURING FAILOVER TRAFFIC TO THE SWITCH FAILS IN THE CURRENT SCENARIO.)

    IN SIMPLE TERMS: TRAFFIC IS NOT ROUTING TO THE FIREWALL AUTOMATICALLY AFTER FIREWALL FAILOVER IN THE CURRENT SCENARIO. (THIS IS MY REAL ISSUE.)

     



  • 4.  RE: Failover not forwarding Traffic to Cisco 3750 from Juniper SRX 650- LACP Line
    Best Answer

    Posted 11-13-2016 04:03

    Something doesn't seem correct here.

    Are the 2 SRXs in an HA configuration?

    If not, then I am not sure how you switch the firewalls over, but at the moment your configurations have 192.168.50.0/24 going to SRX A and 192.168.51.0/24 going to SRX B.

    Making SRX B active somehow doesn't bring down the interfaces, and therefore the routing will still go to SRX A.

    The preference on a static route only means the route will become active if the primary route is removed from the table. This will only happen if an SLA tracker removes it or the interface goes down. Failing over does not bring this interface down, and therefore traffic won't use SRX B.

    If the SRXs are in an HA configuration, you should be using reth groups and both SRXs will share the same IP address space.

     



  • 5.  RE: Failover not forwarding Traffic to Cisco 3750 from Juniper SRX 650- LACP Line

    Posted 11-13-2016 04:41

    Hi,

     

    Firewall SRX is configured with HA.

    I powered off the active firewall node to test failover. In that case failover is working, since I can access the firewall through the public IP. But it is not communicating with the switch. I think the ARP entry in the switch is still pointing to the previous firewall.

    [Now LACP 2 = 2 GB active, LACP 4 - 2 GB to the passive firewall.]

    To overcome that I planned to split the LACP physical interfaces, i.e. LACP 2 & 4 interfaces to the ACTIVE and passive firewalls; the net effect is the 2 GB will become 1 GB (but it doesn't matter, we are accessing only a few web portals through this firewall).

    I hope after this change 192.168.50.1 & 192.168.51.0 will forward traffic to primary and secondary.

    Will this change solve the issue???

    One more query: during this change do we need to shut down LACP? Because I unplugged and swapped the cables for testing, but lost all LACP communication; finally I kept the old setup and restarted the switch to resume services 🙂

    So planning for a second time, I am not sure whether it will work or not...

     

     

     



  • 6.  RE: Failover not forwarding Traffic to Cisco 3750 from Juniper SRX 650- LACP Line

    Posted 11-13-2016 04:50

    I am still not sure I understand the need for the 2 subnets then.

    Why not just use 192.168.50.0/24?

    Your switch will have 2 LACP groups:

    group 1 goes to 2 interfaces on SRX1; this is put in RETH1

    group 2 goes to 2 interfaces on SRX2; this is also in RETH1 (since they are a cluster)

    When the firewall fails over, the secondary will take the IP address of the current active firewall, for example 192.168.50.1

     

     



  • 7.  RE: Failover not forwarding Traffic to Cisco 3750 from Juniper SRX 650- LACP Line

    Posted 11-13-2016 05:34

    Hi,

     

    @whiteac22 thank you for your suggestion.

     

    I have only limited access to the firewall, but I checked the firewall config and there is no routing entry to 192.168.51.0. Thanks for your findings. So I hope in a high availability environment firewall failover will definitely route to 192.168.50.1.

    So can I add all interfaces to LACP 2 (192.168.50.1)??? Then traffic will flow to 4 physical interfaces (2 firewalls) and only 2 interfaces work at a time (active firewall), right?

    Will this cause any other issue???

     

    Thanks 



  • 8.  RE: Failover not forwarding Traffic to Cisco 3750 from Juniper SRX 650- LACP Line

    Posted 11-13-2016 06:17

    Hi, 

     

    I don't think you are understanding RETH interfaces properly, which is why you are struggling with this.

    A Reth interface is a redundant ethernet interface. Each SRX will have 1 (or more) interfaces attached to a Reth group.

    BUT, only one of the SRXs will be active at a time, so only 1 set of interfaces will work at one time.

    So SRX A has port ge-0/0/1 in Reth group 1, SRX B will have port ge-0/0/1 in Reth group 1 as well (although the port number will be different in the configuration, physically it's the same port on the device).

    Traffic can only flow to either the port on SRX A or the port on SRX B, not both.

    So, if you would like to create LACP / LAG interfaces towards the SRXs, you cannot create 1 group and have all the interfaces in that group, because the inactive SRX will not accept traffic.

    Therefore, on the switch you create 2 LACP / LAG groups:

    group 1 goes to SRX A

    group 2 goes to SRX B

    I think the problem here is you are using layer 3 port-channels. I can't immediately think of a way to make this work in this manner. What you would need to do is create a VLAN interface on the switch, put this VLAN on both LACP groups, and configure it on the RETH interface as well.
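The design described in this reply (one routed VLAN interface on the switch, one Layer 2 LAG per SRX node, a single reth1 with child links on both nodes and one subnet), written out as an added example; it is not configuration from the thread or from vendor documentation. VLAN 50 and the node 0 port numbers ge-6/0/x are assumptions (in an SRX650 cluster node 1's FPC slots are node 0's plus 9, so the posted ge-15/0/x ports are node 1 ports); the 192.168.50.0/24 addressing, port-channel numbers, switch ports and ge-15/0/x ports come from the posts. The `!` and `#` lines are explanatory comments.

```text
! ---- Cisco 3750 stack: one routed SVI, two Layer 2 LAGs (one per SRX node) ----
vlan 50
!
interface Vlan50
 description Single routed hop towards reth1 on the SRX cluster
 ip address 192.168.50.1 255.255.255.0
!
! Po2 + members go to SRX node 0, Po4 + members to SRX node 1.
! The 3750 wants identical switchport settings on the members and the bundle.
interface Port-channel2
 switchport
 switchport mode access
 switchport access vlan 50
!
interface range GigabitEthernet2/0/23 - 24
 switchport
 switchport mode access
 switchport access vlan 50
 channel-group 2 mode active
!
interface Port-channel4
 switchport
 switchport mode access
 switchport access vlan 50
!
interface range GigabitEthernet1/0/23 - 24
 switchport
 switchport mode access
 switchport access vlan 50
 channel-group 4 mode active
!
! One default route only. After a cluster failover the newly active node
! answers ARP for 192.168.50.2, so the switch re-learns the reth1 MAC on the
! other bundle instead of depending on a floating static route.
ip route 0.0.0.0 0.0.0.0 192.168.50.2

# ---- SRX650 cluster: reth1 with child links on BOTH nodes, one subnet ----
# node 0 members (assumed slot numbers)
set interfaces ge-6/0/1 gigether-options redundant-parent reth1
set interfaces ge-6/0/2 gigether-options redundant-parent reth1
# node 1 members (the ge-15/0/x ports from the posted configuration)
set interfaces ge-15/0/1 gigether-options redundant-parent reth1
set interfaces ge-15/0/2 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options minimum-links 1
set interfaces reth1 redundant-ether-options lacp active
set interfaces reth1 redundant-ether-options lacp periodic fast
set interfaces reth1 unit 0 family inet address 192.168.50.2/24
# the second per-node subnet address is no longer needed
delete interfaces reth1 unit 0 family inet address 192.168.51.2/24
```

After the change, `show lacp interfaces reth1` on the SRX and `show etherchannel summary` plus `show ip arp 192.168.50.2` on the switch show which bundle currently carries the reth1 MAC, which is the thing to watch during a failover test.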

     



  • 9.  RE: Failover not forwarding Traffic to Cisco 3750 from Juniper SRX 650- LACP Line

    Posted 11-13-2016 07:04

    Thanks for your reply.

     

    Here I am attaching the firewall configuration related to this part:

     

     

    set interfaces ge-15/0/1 enable
    set interfaces ge-15/0/1 gigether-options redundant-parent reth1
    set interfaces ge-15/0/2 enable
    set interfaces ge-15/0/2 gigether-options redundant-parent reth1


    set interfaces reth1 redundant-ether-options redundancy-group 1
    set interfaces reth1 redundant-ether-options minimum-links 1
    set interfaces reth1 redundant-ether-options lacp passive
    set interfaces reth1 redundant-ether-options lacp periodic slow
    set interfaces reth1 unit 0 family inet address 192.168.50.2/24 primary
    set interfaces reth1 unit 0 family inet address 192.168.51.2/24


    set security zones security-zone trust address-book address FirewallAddress 192.168.50.2/32


    set routing-instances TRAFFIC routing-options static route 192.168.31.0/24 next-hop 192.168.50.1
    set routing-instances TRAFFIC routing-options static route 192.168.32.0/24 next-hop 192.168.50.1
    set routing-instances TRAFFIC routing-options static route 192.168.11.0/24 next-hop 192.168.50.1
    set routing-instances TRAFFIC routing-options static route 192.168.22.0/24 next-hop 192.168.50.1
    set routing-instances TRAFFIC routing-options static route 192.168.70.0/24 next-hop 192.168.50.1
    set routing-instances TRAFFIC routing-options static route 192.168.24.0/24 next-hop 192.168.50.1
    set routing-instances TRAFFIC routing-options static route 192.168.21.0/24 next-hop 192.168.50.1

     

     

     

    My doubt is: LACP 2 with IP 192.168.50.0 is active; while switching to the Node 1 firewall the subnet is 192.168.51.0, but I didn't see any entry like that, nor an address book entry. Please refer.

     

     



  • 10.  RE: Failover not forwarding Traffic to Cisco 3750 from Juniper SRX 650- LACP Line

    Posted 11-14-2016 02:59

    Friends, Any comment on above Configuration?



  • 11.  RE: Failover not forwarding Traffic to Cisco 3750 from Juniper SRX 650- LACP Line

    Posted 11-14-2016 11:38

    That configuration looks like you are putting two interfaces from the primary firewall into a redundant ethernet group.

    What about the interfaces for the second?

    So Reth1 needs to have an interface on both Node 0 and Node 1 (in your case 2 interfaces).

    I still don't know why you have the second IP range at all.

     

     



  • 12.  RE: Failover not forwarding Traffic to Cisco 3750 from Juniper SRX 650- LACP Line

    Posted 11-16-2016 03:37

    Dear Friend,

     

    I am a little bit slow in Juniper config, so am here for a solution... 🙂

    As per my view, while failover testing is happening PORT CHANNEL 2 changes to PORT CHANNEL 4 on the switch side, but traffic is still sending to the old interface because the switch side interface is still UP, and due to ARP traffic is forwarding.

    1. AS YOU TOLD - IF I ADD ALL SWITCH PORTS TO LACP 2 will this issue be solved??? (Because after this there is only one LACP / ONE SUBNET, and the backup line is also in the same VLAN)

    2. Firewall side configuration doesn't have any entry for LACP 4 (192.168.51.1)??? (Better I will change the switch side config as stated in statement 1.)

     

    Awaiting your valuable advice 

     

     

    Thanks