SRX Services Gateway

Route Based SRX VPN with Active Passive Cluster

‎06-22-2014 09:11 AM

I've been trying to configure an Active/Passive cluster on an SRX 3400 with no success, even though I've been basing my configuration on a Juniper example and kept it as simple as possible. This is a link to the example:

http://www.trapezenetworks.com/techpubs/en_US/junos13.1/topics/example/chassis-cluster-srx-active-pa...

The reason I need Active/Passive clustering is that I'll be using route-based VPNs on my box. When I use the command:

> show chassis cluster information

I get a message that the cluster is in active/active mode even though there is only one redundancy group other than RG 0. What else should I look out for?

Thanks,
Hisham

Please accept my comment as a solution, if it helped in resolving your issue, to help guide other commentators and encourage others.

Re: Route Based SRX VPN with Active Passive Cluster

[ Edited ]
‎06-22-2014 10:58 AM
This is the exact message I'm getting when I issue the "show chassis cluster information" command:

node0:
--------------------------------------------------------------------------
Redundancy mode:
    Configured mode: active-active
    Operational mode: active-active

Thanks,
Hisham

Solution
Accepted by topic author elkadiki
‎08-26-2015 01:27 AM

Re: Route Based SRX VPN with Active Passive Cluster

‎06-22-2014 10:13 PM

By default, chassis cluster shows active-active as the configured and operational mode, because that indicates the data plane is ready for failover.

Although the mode shows active-active, the nodes work in active-passive in a single redundancy-group configuration.

Regarding your question about route-based VPN: the route-based VPN should work; there is no limitation here that would prevent route-based VPN from working.

You can also configure active-backup. It has advantages as well, specifically when you are using NAT, because the NAT pool is doubled in active-backup compared to active-active.

KB link for reference:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB21263&actp=search&viewlocale=en_US&searchid...

 

 

Regards,

Deepak


Re: Route Based SRX VPN with Active Passive Cluster

‎06-22-2014 10:16 PM

Hi elkadiki,


You need to configure the following command to change the cluster to active-passive mode:

set chassis cluster redundancy-mode active-backup

This requires a reboot of both nodes simultaneously.

show chassis cluster information

- Redundancy mode:
- Configured mode: active-backup
- Operational mode: active-backup
 
Regards,
rparthi

 

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too] .....


Re: Route Based SRX VPN with Active Passive Cluster

[ Edited ]
‎06-24-2014 04:38 PM

Thanks, and really appreciate your replies and that hidden command! Do you have any other source for it online for further information on the command? How stable is it in your experience?

Thanks,
Hisham


Re: Route Based SRX VPN with Active Passive Cluster

[ Edited ]
‎06-24-2014 05:10 PM

Dear 


The command you shared is what I'm looking for to achieve active/passive clustering, but I would like to add that IPSec VPN doesn't work with Chassis Clustering enabled in an active/active mode, as per the Junos OS 11.4 release notes:

http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/release-notes...

You should check the section on Chassis Cluster:

Chassis Cluster

  • On all high-end SRX Series devices, IPSec VPN is not supported in active/active chassis cluster configuration (that is, when there are multiple RG1+ redundancy-groups).

 

 

Thanks,
Hisham


Re: Route Based SRX VPN with Active Passive Cluster

‎06-24-2014 10:20 PM

I have checked the link, and it applies when you have multiple RG1+ groups (let's say RG1 and RG2). If RG1 and RG2 are active on different nodes, then IPsec will not be supported because it will be an active-active cluster.

With only one RG1 group, the device will only be active-passive, not active-active by any chance.

I know it's confusing that the operational mode shows active-active, but with the RG1 group the cluster is always active-passive.


Regards,

Deepak
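
Added example, not part of the thread: the replies explain that the reported redundancy mode can read active-active even when a single RG1 makes the cluster behave active-passive, so this Python sketch classifies the effective mode from which node is primary for each RG1+ group. The sample `show chassis cluster status` output is constructed, and its column layout is an assumption.

```python
import re

# Constructed sample of `show chassis cluster status` output (not from the thread).
SINGLE_RG = """\
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   100         primary        no       no
    node1                   1           secondary      no       no

Redundancy group: 1 , Failover count: 1
    node0                   100         primary        no       no
    node1                   1           secondary      no       no
"""

# Constructed variant: RG2 is primary on the other node (the case the release note warns about).
SPLIT_RGS = SINGLE_RG + """
Redundancy group: 2 , Failover count: 1
    node0                   1           secondary      no       no
    node1                   100         primary        no       no
"""

RG_RE = re.compile(r"^Redundancy group:\s*(\d+)")
NODE_RE = re.compile(r"^\s*(node\d+)\s+\d+\s+(\S+)")

def primaries(status_text):
    """Map each redundancy group number to the node that is primary for it."""
    result, rg = {}, None
    for line in status_text.splitlines():
        m = RG_RE.match(line)
        if m:
            rg = int(m.group(1))
            continue
        m = NODE_RE.match(line)
        if m and rg is not None and m.group(2) == "primary":
            result[rg] = m.group(1)
    return result

def effective_mode(status_text):
    """Classify data-plane behaviour from RG1+ primaries; RG0 (control plane) is ignored."""
    data_rgs = {rg: node for rg, node in primaries(status_text).items() if rg >= 1}
    if not data_rgs:
        return "unknown"  # no RG1+ group currently reports a primary node
    nodes = set(data_rgs.values())
    return "active-passive" if len(nodes) == 1 else "active-active"

if __name__ == "__main__":
    for name, text in (("single RG1", SINGLE_RG), ("RG1/RG2 split", SPLIT_RGS)):
        print(name, "->", effective_mode(text), primaries(text))
```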