SRX Services Gateway

UTM in a chassis cluster

‎07-24-2012 01:16 PM



I need to ensure that the chassis cluster (HA) normally (i.e. when not degraded/failed) works as active/passive (versus A/A). How can I do that?


Maybe if I could make RG0 follow the other RGs in an HA cluster? I cannot preempt RG0...


The root cause is that on SRX branch devices, UTM is supported only for active/backup chassis cluster configuration with both RG0 and RG1 active on the same node. It is not supported for active/active chassis cluster configuration. I think that holds true for versions up to 11.2. I guess that on 11.4 UTM is supported in active/active – but still without Sophos AV (and I need Sophos AV – so I have to stick to an active/passive HA config). The problem is that I see no way I can configure that – even with node0 having a higher priority, it seems to be a game of chance whether it gets RG0, with no preemption available for that RG… (if node1 boots first, it will get RG0).



Pawel Mazurkiewicz

Accepted by topic author pmazurkiewicz
‎08-26-2015 01:27 AM

Re: UTM in a chassis cluster

‎07-26-2012 05:15 PM

Easiest way is to not enable preemption on RG1+, and set interface tracking on all RGs to track the same interfaces. Since you can't set preempt on RG0, if you want to keep RG1+ on the same chassis then avoid using it on any RG. Tracking interface failures on RG0 isn't officially recommended but it works, and will keep all RGs on the same chassis when under normal operation.


Re: UTM in a chassis cluster

‎08-01-2012 09:07 AM

Thank you. 

BTW: my testing shows that Sophos AV simply stops scanning when in active/active, but the traffic flows ok - so it seems to be a minor issue.
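A monitoring check for the layout discussed in this thread, as an added example that is not part of the original posts: it parses text in the layout of `show chassis cluster status` and flags redundancy groups whose primaries sit on different nodes or that have preempt enabled, which is the state in which the last post reports Sophos AV stops scanning while traffic still flows. The sample output is constructed, and the column layout and the function names are assumptions; adjust the regexes to your Junos release.

```python
import re

# Constructed sample, modelled on the layout of `show chassis cluster status`
# (assumption: column layout may differ between Junos releases).
SAMPLE_SPLIT = """\
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   200         secondary      no       no
    node1                   100         primary        no       no

Redundancy group: 1 , Failover count: 2
    node0                   200         primary        yes      no
    node1                   100         secondary      yes      no
"""

RG_RE = re.compile(r"^Redundancy group:\s*(\d+)")
NODE_RE = re.compile(r"^\s*(node\d+)\s+(\d+)\s+(\S+)\s+(yes|no)\s+(yes|no)\s*$")

def parse_status(text):
    """Return {rg_id: [(node, priority, status, preempt), ...]}."""
    groups, current = {}, None
    for line in text.splitlines():
        m = RG_RE.match(line)
        if m:
            current = int(m.group(1))
            groups[current] = []
            continue
        m = NODE_RE.match(line)
        if m and current is not None:
            node, prio, status, preempt, _manual = m.groups()
            groups[current].append((node, int(prio), status, preempt == "yes"))
    return groups

def check_active_passive(text):
    """List findings that break the 'all RGs on one node, no preempt' layout."""
    groups, findings, primaries = parse_status(text), [], {}
    for rg, nodes in sorted(groups.items()):
        prim = [n for n, _p, status, _pre in nodes if status == "primary"]
        if len(prim) != 1:
            findings.append(f"RG{rg}: expected one primary, found {len(prim)}")
        else:
            primaries[rg] = prim[0]
        if any(pre for _n, _p, _s, pre in nodes):
            findings.append(f"RG{rg}: preempt enabled")
    if len(set(primaries.values())) > 1:
        findings.append(f"RGs split across nodes (active/active): {primaries}")
    return findings
```

An empty list from `check_active_passive` means every redundancy group has its primary on the same node with preempt off; any finding is worth alerting on, since UTM scanning may no longer be applied.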