SRX Services Gateway

Synchronize configuration to a peer SRX

‎11-13-2018 12:35 PM

Hi,

I am sorry if this is a dumb question! New to Juniper!

I have a pair of SRX1500 clustered in HA. Now I am adding a config on the active FW, and it looks like when I do a commit the config is not propagating to the peer SRX.

An example:

user@SRX1500> show configuration system ntp
server 10.10.x.x prefer;
server 10.10.x.x;

{primary:node0}
user@SRX1500> show system uptime
node0:
--------------------------------------------------------------------------
Current time: 2018-11-13 13:29:38 MST
Time Source:  NTP CLOCK
System booted: 2018-05-09 14:08:52 MDT (26w6d 00:20 ago)
Protocols started: 2018-05-09 14:08:53 MDT (26w6d 00:20 ago)
Last configured: 2018-11-13 13:21:05 MST (00:08:33 ago) by user
 1:29PM  up 188 days, 21 mins, 1 user, load averages: 0.04, 0.05, 0.01

node1:
--------------------------------------------------------------------------
Current time: 2018-11-13 13:25:16 MST
Time Source:  LOCAL CLOCK -------> NTP IS MISSING HERE!!
System booted: 2018-05-09 14:06:52 MDT (26w6d 00:18 ago)
Last configured: 2018-11-13 13:19:45 MST (00:05:31 ago) by user
 1:25PM  up 188 days, 18 mins, 1 user, load averages: 0.00, 0.00, 0.00

{primary:node0}
user@SRX1500>

The 2nd FW is not getting the NTP config. Do I have to do a 'commit synchronize-peers' every time to overcome this issue?


Re: Synchronize configuration to a peer SRX

‎11-13-2018 02:40 PM

I expect the commit sync is working as expected. My guess is that you haven't configured "backup-router" which kicks in on the standby node in the cluster.

A standby node does not have any routing daemon running, so it's missing a path to e.g. NTP servers and similar.

An example for backup router configuration can be found here: https://kb.juniper.net/InfoCenter/index?page=content&id=KB17161&actp=METADATA - and please note that defining 0.0.0.0/0 for backup router is not supported.


--
Best regards,

Jonas Hauge Jensen
Systems Engineer, SEC DATACOM A/S (Denmark)
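
As an added illustration that is not part of the original thread or any Juniper tooling: a small Python check that parses per-node 'show system uptime' output like the question's and flags nodes whose time source is not NTP, plus the clock skew between nodes. The sample text is constructed from the output in the question, and the function names and the 5-second skew threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: trimmed from the 'show system uptime' output in the question.
SAMPLE = """\
node0:
--------------------------------------------------------------------------
Current time: 2018-11-13 13:29:38 MST
Time Source:  NTP CLOCK

node1:
--------------------------------------------------------------------------
Current time: 2018-11-13 13:25:16 MST
Time Source:  LOCAL CLOCK
"""

NODE_RE = re.compile(r"^(node\d+):\s*$")
TIME_RE = re.compile(r"^Current time:\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
# Tolerates a trailing hand-written "----> note" after the source name.
SRC_RE = re.compile(r"^Time Source:\s+(.+?)\s*(?:-+>.*)?$")


def parse_uptime(text):
    """Return {node: {"time": datetime, "source": str}} from per-node output."""
    nodes, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := NODE_RE.match(line):
            current = nodes.setdefault(m.group(1), {})
        elif current is None:
            continue  # skip prompts/banners before the first node header
        elif m := TIME_RE.match(line):
            current["time"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        elif m := SRC_RE.match(line):
            current["source"] = m.group(1)
    return nodes


def check_cluster_time(text, max_skew_s=5):
    """List findings: nodes not using NTP, and clock skew between nodes."""
    nodes = parse_uptime(text)
    findings = [f"{n}: time source is {d.get('source', 'unknown')}, not NTP"
                for n, d in sorted(nodes.items()) if d.get("source") != "NTP CLOCK"]
    # Assumption: both nodes report in the same time zone, so naive times compare.
    times = [d["time"] for d in nodes.values() if "time" in d]
    if len(times) > 1:
        skew = (max(times) - min(times)).total_seconds()
        if skew > max_skew_s:
            findings.append(f"clock skew between nodes: {skew:.0f}s")
    return findings
```

On the sample, `check_cluster_time(SAMPLE)` reports node1 on LOCAL CLOCK and a 262-second skew, enough to misorder log entries from the two nodes during incident review.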

Re: Synchronize configuration to a peer SRX

‎11-13-2018 03:59 PM

Thanks Jonas for the reply. I have a couple of follow-up questions:

1) How can I check the configuration of the standby node?

2) What will happen if I power down the active node now? Will the standby transition to active and take over all the traffic? Or will it drop all traffic since there is no routing daemon there?


Re: Synchronize configuration to a peer SRX

‎11-13-2018 11:58 PM

You're welcome.

Regarding 1). It's the same config running on both nodes, but device-specific configuration should be placed in the node0 or node1 group. Example below from the KB I referred to. This makes it possible to have different IP addresses on fxp0 in an SRX chassis cluster.

groups {
    node0 {
        system {
            host-name SRX3400-1;
            backup-router 192.168.1.254 destination 0.0.0.0/0;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.1.1/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name SRX3400-2;
            backup-router 192.168.1.254 destination 0.0.0.0/0;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.1.2/24;
                    }
                }
            }
        }
    }
}
apply-groups "$NODE";

2) The daemon is activated in case of failover or loss of primary node.

You can validate the state of the cluster via 'show chassis cluster status'. If node1 is marked as secondary on both redundancy groups, it's ready to take over operation in case of failure on node0.

More about 'show chassis cluster status': https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-chassis-clus...


--
Best regards,

Jonas Hauge Jensen
Systems Engineer, SEC DATACOM A/S (Denmark)

Re: Synchronize configuration to a peer SRX

‎11-14-2018 10:29 AM

Awesome. Thanks for the explanation! One last question. What does 'commit synchronize-peers' do?


Re: Synchronize configuration to a peer SRX

‎11-14-2018 11:14 AM

It's related to MC-LAG on QFX, EX and MX devices. Not relevant on SRX.

More info here: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/mc-lag-configuration-sync-underst...


--
Best regards,

Jonas Hauge Jensen
Systems Engineer, SEC DATACOM A/S (Denmark)