SRX Services Gateway
Highlighted
SRX Services Gateway

SRX550 cluster always ssh to secondary node

‎06-26-2019 11:49 PM

I am having an issue where I have a cluster of 2 x SRX550s and when I ssh to the fxp0 address i always get the secondary node.

If i disconnect the secondary node ge-0/0/0 from a switch I can ssh to the primary node.

Any suggestions where to start?

 

cluster status:

Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None

Redundancy group: 1 , Failover count: 2
node0 200 secondary no no None
node1 100 primary no no None

 

config:

 

groups {
node0 {
system {
host-name XXXXXXXN1;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 192.168.20.248/24;
}
}
}
}
}
node1 {
system {
host-name XXXXXXXN2;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 192.168.20.249/24;
}

10 REPLIES 10
Highlighted
SRX Services Gateway

Re: SRX550 cluster always ssh to secondary node

‎06-27-2019 12:03 AM

Interesting issue..

 

So, irrespective of you trying to reach .248 or .249, you end up reaching the secondary node?

 

Any chance you have an IP conflict between the FXP and ge-0/0/0  subnets?

If possible, share the configuration of ge-0/0/0 and your 'apply groups' statement.

Regards,
Gokul
Highlighted
SRX Services Gateway

Re: SRX550 cluster always ssh to secondary node

‎06-27-2019 12:13 AM

Hi Gokul,

No config on Ge-0/0/0 as this became fxp0 in creating the cluster, I do have another reth interface in the same subnet for routing to other devices which is down right now.

 

apply groups:

apply-groups [ node0 node1 ];

Highlighted
SRX Services Gateway

Re: SRX550 cluster always ssh to secondary node

‎06-27-2019 04:06 AM
HI,

For RG0, node0 will be the primary based on the priority and you might want to use 192.168.20.248 to access Node0. When you try to reach 192.168.20.248, is it that you end up logging into Node1? How did you confirm the same?

What is the source subnet from which you are trying to the reach the management interfaces. If it is an external subnet and using a backup router, please check out this article: https://kb.juniper.net/InfoCenter/index?page=content&id=KB31029

However, as per the above article, the access to fxp0 on primary fails which is a bit different.

Hope this helps.

Thanks,
Pradeep
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Juniper Business Use Only
Highlighted
SRX Services Gateway

Re: SRX550 cluster always ssh to secondary node

‎06-27-2019 06:58 AM

Hi Firefly,

 

Have you configured fxp0's IP under the general 'set interfaces' hierarchy as well?

If you have fxp0 defined directly under interfaces, it'll take precedence over your node0/1 groups.

 

Cheers

Pooja

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

 

Highlighted
SRX Services Gateway

Re: SRX550 cluster always ssh to secondary node

‎06-27-2019 09:39 PM

Both 0.248 and 0.249 access the secondary node.

accessing from same subnet so no backup router config used.

 

when I ssh to .248 or .249 it show secondary node on the prompt, my first indication was when i got the routing subsystem id not running message

Highlighted
SRX Services Gateway

Re: SRX550 cluster always ssh to secondary node

‎06-27-2019 09:41 PM

no fxp0 config under set interfaces

Highlighted
SRX Services Gateway

Re: SRX550 cluster always ssh to secondary node

‎06-28-2019 07:27 AM

Firefly,

 

Can you capture incoming requests on node0's fxp0 and node1's fxp0 and observe if ssh requests are being received on the right node?

 

Use 'monitor traffic interface fxp0' and it's variations for matching host <ip-address>

 

I have a hunch it could be the adjoining switch.

 

Cheers

Pooja

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
 
 
Highlighted
SRX Services Gateway

Re: SRX550 cluster always ssh to secondary node

‎06-28-2019 10:10 AM

Hello,

 

Can you share following output:

 

> show route <source-address>

> show route forwarding-table destination <source-address>

> show route fxp0 ip address

 

 

 

Thanks

Mahesh

Highlighted
SRX Services Gateway
Solution
Accepted by topic author Firefly
‎07-01-2019 09:21 PM

Re: SRX550 cluster always ssh to secondary node

‎06-28-2019 10:28 AM

Hello,

 

Please try to use following apply-group statement instead of one you already pasted.

 

apply-groups "${node}";

 

See, if that makes any difference.

 

Thanks

Mahesh

Highlighted
SRX Services Gateway

Re: SRX550 cluster always ssh to secondary node

‎07-01-2019 09:21 PM

Thanks Mahesh,

that seems to have done the trick, working as expected now

 

Thnaks

 

Feedback