SRX Services Gateway

Manually change to secondary

‎08-15-2019 08:24 AM

Hello,

 

We have two old srx240 firewalls and one of them failed, with the primary partition getting corrupted and the secondary partition holding old software. We rebuilt the firewall with the same version and updated both partitions, but the problem I am having is that the secondary thinks it is the primary. I have disconnected all the cables and connected only the fabric ports, but although "show chassis fpc pic-status" shows the ports online, the two firewalls never sync. Is there a way to manually tell the backup firewall to be secondary? Or why are they not talking to each other? It has been over a week and they still have not changed.

3 REPLIES

Re: Manually change to secondary

‎08-15-2019 08:37 AM

Hi Doug,

 

Could you please let me know whether both nodes are acting as Primary, or whether the Secondary node is acting as Primary whilst the Primary became Secondary?

 

 

  • For the second scenario, you need to run the commands below to fail the RGs back over to the original node which was acting as primary earlier.
Spoiler
request chassis cluster failover redundancy-group 0 node <node-id>
request chassis cluster failover redundancy-group 1 node <node-id>
.
.
.
request chassis cluster failover redundancy-group <n> node <node-id> 

It would be great if you could paste the output of "show chassis cluster status" and "show chassis cluster interfaces".

 

BTW, please ignore the spoiler tag. It's not allowing me to remove it.

 



Thanks,
π00bm@$t€®.

Re: Manually change to secondary

‎08-17-2019 11:33 PM

Hello,

 

Cluster config and RE sync happen over the control link, ge-0/0/1 for srx240. If you do not have this connected, they will not see each other / sync. The fabric link needs to be configured; my guess is that the configuration for the fabric link is not present, hence they are not able to see each other over the fabric link.

 

Could you please provide the below output from both firewalls?

> show version

> show chassis cluster status

> show chassis cluster interfaces

> show configuration interfaces fab0

> show configuration interfaces fab1

> show interfaces terse

 

I would do the following:

> Ensure both firewalls show the same cluster-id "show chassis cluster status" and software version is the same "show version"

> Check the fabric link configuration on both firewalls

    > "show configuration interfaces fab0"

    > "show configuration interfaces fab1"

> Power off the secondary firewall (one meant to be secondary)

> Connect the control and fabric links. Control link would be ge-0/0/1, fabric link would be as per the above configuration

> Boot up the secondary firewall

> Ensure PICs are showing online in "show chassis fpc pic-status"

 

If this does not help, please help collect the above mentioned commands again:

> show version

> show chassis cluster status

> show chassis cluster interfaces

> show configuration interfaces fab0

> show configuration interfaces fab1

> show interfaces terse

 

I hope this helps. Regards,

 

Vikas
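The checks asked for in the replies above (same cluster-id on both firewalls, and whether both nodes are acting as primary) can be run over saved "show chassis cluster status" output. This is an added example, not code from the thread or from Juniper: the captures are constructed, the function names are hypothetical, and it assumes the usual column layout of that command with an unreachable peer reported as "lost".

```python
import re

# Constructed captures of "show chassis cluster status" with the control link down.
NODE0_VIEW = """\
Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  100      primary        no      no       None
node1  0        lost           n/a     n/a      n/a
"""
NODE1_VIEW = """\
Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  0        lost           n/a     n/a      n/a
node1  1        primary        no      no       None
"""

def parse_status(text):
    """Return (cluster_id, {rg: {node: status}}) for one capture."""
    cluster_id, groups, rg = None, {}, None
    for line in text.splitlines():
        if m := re.match(r"Cluster ID:\s*(\d+)", line):
            cluster_id = int(m.group(1))
        elif m := re.match(r"Redundancy group:\s*(\d+)", line):
            rg = int(m.group(1))
        elif rg is not None and (m := re.match(r"(node\d+)\s+\d+\s+(\S+)", line)):
            groups.setdefault(rg, {})[m.group(1)] = m.group(2)
    return cluster_id, groups

def find_problems(captures):
    """captures maps the node each capture was taken on to its output text."""
    parsed = {node: parse_status(text) for node, text in captures.items()}
    problems = []
    ids = sorted({str(cid) for cid, _ in parsed.values()})
    if len(ids) > 1:
        problems.append(f"cluster-id mismatch: {ids}")
    for rg in sorted({rg for _, groups in parsed.values() for rg in groups}):
        views = {n: g.get(rg, {}) for n, (_, g) in parsed.items()}
        claim = sorted(n for n, v in views.items() if v.get(n) == "primary")
        if len(claim) > 1:
            problems.append(f"RG{rg}: both nodes claim primary: {claim}")
        for n, v in views.items():
            problems += [f"RG{rg}: {n} sees {p} as lost"
                         for p, s in v.items() if p != n and s == "lost"]
    return problems

print("\n".join(find_problems({"node0": NODE0_VIEW, "node1": NODE1_VIEW})))
```
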


Re: Manually change to secondary

‎08-18-2019 07:41 AM

Hello Doug,

 

From your description, it appears that you are only connecting the fabric ports. I am assuming you are excluding the control links in this statement.

 

The control link is needed for the routing engine to detect and sync with the other node.

 

The true way to see the cluster's activity will be the output of the command "show chassis cluster information detail".

 

This will list all the problems from each node's perspective.

 

Coming to your question, "is there a way to tell the backup node to become secondary", the answer is Yes.

 

You can always use the command "request chassis cluster failover redundancy-group <group number> node <node number>".

 

But it will only allow you to fail over when the cluster is able to detect the peer as a healthy node.

 

Thanks!

 
