SRX Services Gateway

inter-vlan on active/active chassis cluster

05-10-2015 09:50 PM

Hi,

Please help me. We have an SRX240 active/active chassis cluster with inter-VLAN routing on it: VLAN-USER (vlan-id 5) and VLAN-DMZ (vlan-id 15). The problem is that I can't ping from a host in VLAN-USER even to the default gateway of VLAN-DMZ on the reth interface, but I can ping the default gateway of VLAN-DMZ from the firewall, sourcing from the default gateway of VLAN-USER. Below are the configs of the reth interfaces:

root@JNPFWL001# show interfaces reth3
vlan-tagging;
redundant-ether-options {
    redundancy-group 1;
}
unit 5 {
    description USER1VLAN;
    vlan-id 5;
    family inet {
        address 172.21.250.1/25;
    }
}
unit 15 {
    description PABX/SVR1_VLAN;
    vlan-id 15;
    family inet {
        address 172.21.251.129/26;
    }
}

======

root@JNPFWL001# show interfaces reth4
vlan-tagging;
redundant-ether-options {
    redundancy-group 2;
}
unit 5 {
    description USER2VLAN;
    vlan-id 5;
    family inet {
        address 172.21.250.254/25;
    }
}
unit 15 {
    description PABX/SVR2_VLAN;
    vlan-id 15;
    family inet {
        address 172.21.251.193/26;
    }
}


Re: inter-vlan on active/active chassis cluster

05-10-2015 11:13 PM

Hello kimffrey,

As per the update, I see that you are able to ping the gateway of VLAN-DMZ sourcing the default gateway of VLAN-USER (which is the SRX), so I hope the policies are in place. Check if there is any asymmetric routing. Also, kindly share the output of:

> show security flow session source-prefix <VLAN-USER host IP> protocol icmp

Also, I guess it may be because the ICMP session is not synced between the 2 nodes; since it's active/active, the traffic may come in on a different node. So kindly try to run this command and check:

root# set security flow sync-icmp-session

root# commit

Ref: https://kb.juniper.net/InfoCenter/index?page=content&id=KB23171


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....
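The active/active layout this reply assumes, written out as an added example in set-style Junos (it is not configuration from the original post or from Juniper). The redundancy-group node priorities and the member ports (ge-0/0/4, ge-5/0/4, ge-0/0/5, ge-5/0/5) are assumptions for illustration; the reth units reuse the addresses from the thread. Comment lines are for the reader and should be dropped before a `load set`.

```junos
# One redundancy group per node is what makes the cluster "active/active":
# RG1 prefers node0 (reth3 lives there), RG2 prefers node1 (reth4 lives there).
# Assumed priorities: higher wins.
set chassis cluster reth-count 5
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 2 node 0 priority 100
set chassis cluster redundancy-group 2 node 1 priority 200

# Each reth needs one child link on each node; on an SRX240 cluster node1's
# ports appear as ge-5/0/x. Port choice is an assumption.
set interfaces ge-0/0/4 gigether-options redundant-parent reth3
set interfaces ge-5/0/4 gigether-options redundant-parent reth3
set interfaces ge-0/0/5 gigether-options redundant-parent reth4
set interfaces ge-5/0/5 gigether-options redundant-parent reth4

# Layer-3 units as posted in the thread.
set interfaces reth3 vlan-tagging
set interfaces reth3 redundant-ether-options redundancy-group 1
set interfaces reth3 unit 5 description USER1VLAN
set interfaces reth3 unit 5 vlan-id 5
set interfaces reth3 unit 5 family inet address 172.21.250.1/25
set interfaces reth3 unit 15 description PABX/SVR1_VLAN
set interfaces reth3 unit 15 vlan-id 15
set interfaces reth3 unit 15 family inet address 172.21.251.129/26
set interfaces reth4 vlan-tagging
set interfaces reth4 redundant-ether-options redundancy-group 2
set interfaces reth4 unit 5 description USER2VLAN
set interfaces reth4 unit 5 vlan-id 5
set interfaces reth4 unit 5 family inet address 172.21.250.254/25
set interfaces reth4 unit 15 description PABX/SVR2_VLAN
set interfaces reth4 unit 15 vlan-id 15
set interfaces reth4 unit 15 family inet address 172.21.251.193/26

# With reths primary on different nodes, a flow can enter on one node and
# return on the other. Per the KB the reply links, ICMP sessions are not
# synchronized between nodes unless this knob is set, so the return half of
# a ping is dropped as unknown traffic on the other node.
set security flow sync-icmp-session
```

After committing, `show chassis cluster status` should show RG1 primary on node0 and RG2 primary on node1, and `show security flow session protocol icmp` run on the cluster should list the ping session with both wings once a VLAN-USER host pings 172.21.251.129. If the session still shows only on one node, or no session is created at all, the reply's next suspicion (a routing or layer-2 path problem rather than session sync) is the one to chase.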

Re: inter-vlan on active/active chassis cluster

05-11-2015 06:47 PM

Hi,

I think the problem is the link between the switch and the firewall. Since it's active/active (2 reths going to the switch), on the downlink switch we aggregated the ports that link to the reth interface. We ping the IP configured on the reth interface from the switch, but we get RTO. Actually, I added LACP on the reth interface of the firewall to support LAG on the switch ports that link to the reth interfaces, but still no good.

reth3 {
    vlan-tagging;
    redundant-ether-options {
        redundancy-group 1;
        lacp {
            active;
        }
    }
    unit 5 {
        description USER1VLAN;
        vlan-id 5;
        family inet {
            address 172.21.250.1/25;
        }
    }
    unit 15 {
        description PABX/SVR1_VLAN;
        vlan-id 15;
        family inet {
            address 172.21.251.129/26;
        }
    }
}
reth4 {
    vlan-tagging;
    redundant-ether-options {
        redundancy-group 2;
        lacp {
            active;
        }
    }
    unit 5 {
        description USER2VLAN;
        vlan-id 5;
        family inet {
            address 172.21.250.254/25;
        }
    }
    unit 15 {
        description PABX/SVR2_VLAN;
        vlan-id 15;
        family inet {
            address 172.21.251.193/26;
        }
    }
}


Re: inter-vlan on active/active chassis cluster

05-12-2015 04:32 AM

Hello,

Can you share the outputs:

> show chassis cluster status

> show route <source-ip>

> show route <destination-ip>

> show security flow session source-prefix <src-ip> destination-prefix <dst-ip>

> show chassis cluster interfaces

> show interfaces terse | match inet


Thanks,
Sam
