http://www.tunnelsup.com/configuring-ha-on-juniper-srx-through-junos
TunnelsUP.com
Requirements
A maximum of 2 SRXs is allowed to be clustered at once.
Both SRX devices must have matching hardware and software. This includes having matching modules in the same slots.
This configuration requires the two SRXs to be directly connected to each other using two ethernet links. Generally these are simply normal ethernet ports on the SRX. One link is for control, one link is for data.
A reboot is required whenever putting a device into cluster mode or taking it out of cluster mode.
10/26/2015 3:04 PM
Terminology:
node 0/node 1: Setting the node number distinguishes which SRX is which. Regardless of failover state, node 0 will always remain node 0 and node 1 will always be node 1. The firewalls can take turns being primary and secondary.
fxp0: This interface is used to manage the devices.
fxp1: This interface connects the two SRXs together. This is called the control link and carries HA control data between the two SRXs, including heartbeats and configuration synchronization. If this link goes down, the secondary SRX is disabled from the cluster. It does this to avoid having 2 default gateways. To re-enable the secondary SRX you need to reboot the node. Each SRX model has a different port that is required to be used for fxp1. Review your system's documentation for details on that. Here is the documentation for the SRX240 indicating the fxp1 port location.
fab0/fab1: Both SRX devices have a fab port. These ports are known as the data links. The packets sent between the two SRXs on this port are called RTOs (real-time objects). These objects contain session states.
cluster-id: (Not displayed in diagram) The cluster-id is simply the number assigned to your cluster configuration. Cluster-id 0 is reserved. Any other number is valid.
reth1: Redundant Pseudo Interface. A number of reth interfaces can be configured. This is a pseudo interface which creates a virtual MAC address. It will normally contain 1 physical interface on each node; these are called child interfaces. When traffic is sent to the reth interface IP, it is picked up by the primary node.
RG0: (Not displayed) Redundancy Group. The redundancy group configuration is where the weights and thresholds that trigger a failover event are configured.
interface names: The device used in the diagram is an SRX5800 with 2 FPC cards plugged into it. It has a maximum of 12 FPC slots. When connected in cluster mode, the standby unit's interface slot numbers are offset by the maximum number of FPC slots in the primary. In this case the primary interfaces will be ge-0/0/0 to ge-0/0/11 and ge-1/0/0 to ge-1/0/11, and the secondary will be ge-12/0/0 to ge-12/0/11 and ge-13/0/0 to ge-13/0/11. If we were to plug another SPC into slot 12 of both SRXs it would then show up as ge-11/0/0 and ge-23/0/0.
In this diagram, when the host at 10.20.20.2 needs to get out to the internet it will have a default gateway of 10.20.20.1, which is the IP of the reth1 interface. The reth1 interface will be on whichever node is acting as primary. That node will then forward the packet out its internet interface to its destination. That stateful connection is then transferred over to the secondary node. In the event the primary node goes down, the secondary node will assume the IP of the reth1 interface and become primary. It will already have its stateful connection table and configuration synced from the old primary node.
10/26/2015 3:04 PM
Configuration
Removing Interfaces and Hostname
Before configuring HA, the SRX needs to have the config removed for the host-name and for the interfaces that will become part of the fab, reth, fxp1 and fxp0 ports.
delete interfaces ge-0/0/0
delete system host-name
The last command is required: it makes the per-node configuration set by the above commands apply only to the node it belongs to.
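The article's listing of the per-node commands did not survive in this copy. The following is an added example of the usual Junos node-group configuration for this step, not the author's own commands: the host names srx1 and srx2 come from the article, the fxp0 management addresses are constructed placeholders, and the lines beginning with # are annotations to strip before pasting.

```junos
# Added example, not the article's commands. Each node gets its own group so
# that host name and management address differ per chassis while the rest of
# the configuration stays identical (it is synchronized over the control link).
set groups node0 system host-name srx1
set groups node0 interfaces fxp0 unit 0 family inet address 192.0.2.11/24
set groups node1 system host-name srx2
set groups node1 interfaces fxp0 unit 0 family inet address 192.0.2.12/24

# ${node} expands to node0 or node1 on the chassis that loads the config,
# so only the matching group is applied on each device.
set apply-groups "${node}"
```

Committing this before the cluster-id reboot means each box comes up with its own name and management IP while sharing everything else.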
Enabling HA
Once the nodes are set up in the previous step, that is all that is needed for the very basic HA configuration. Now we just need to reboot each box, telling it to go into HA mode.
This is the step where the node number is tied to the device: the system the command is executed on becomes the node number given in the command.
Conduct on srx1:
user@srx1> set chassis cluster cluster-id 1 node 0 reboot
Conduct on srx2:
user@srx2> set chassis cluster cluster-id 1 node 1 reboot
Once they both reboot you can check the status by issuing the command:
show chassis cluster status
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                  1           primary        no       no
    node1                  1           secondary      no       no
Another show command is show chassis cluster interfaces which will indicate the status of the interfaces in the
cluster.
At this point, HA is on and the two SRX systems have their data link and control link up. Next we will make rules for determining when a failover will occur, and then create a pseudo interface to send traffic through the system.
Setting the heartbeat levels tunes the firewalls to fail over after a time you specify. A heartbeat is sent out every interval, defined in milliseconds. If the firewall doesn't hear from its mate for the configured number of intervals, a failover occurs.
Note: The last command tells the SRX to create 2 reth interfaces, reth0 and reth1. If we specified a reth-count of 3, it would then create reth0, reth1 and reth2. We simply made 2 here because the diagram says reth1. If it said reth0 then we could have just had a count of 1.
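The heartbeat, redundancy-group and reth commands the article refers to above are missing from this copy. The block below is an added example of that failover and reth1 configuration, written here and not taken from the article: the cluster layout (SRX5800, node 1 offset by 12 slots, reth-count 2, reth1 at 10.20.20.1 as the hosts' gateway) follows the article's diagram, while the specific child ports, fab member ports, priorities and monitor weights are assumptions. Lines beginning with # are annotations.

```junos
# Added example, not the article's commands.
# Heartbeat: one beat every 1000 ms, failover after 3 missed beats (~3 s).
set chassis cluster heartbeat-interval 1000
set chassis cluster heartbeat-threshold 3

# Data link (RTO/session sync): fab0 lives on node 0, fab1 on node 1.
# The member ports are assumptions for this example.
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-12/0/2

# Two reth interfaces, reth0 and reth1, because the diagram uses reth1.
set chassis cluster reth-count 2

# RG0 owns the routing engine, RG1 owns the data plane. The node with the
# higher priority wins the election; preempt is left off so a recovered
# node does not take the role back automatically.
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1

# Interface monitoring: losing the reth1 child port on the primary subtracts
# its weight from the group threshold (255), so weight 255 fails RG1 over
# on a single link loss.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-12/0/1 weight 255

# reth1: one child interface per node, bound to RG1, carrying the gateway
# address 10.20.20.1 from the article's diagram.
set interfaces ge-0/0/1 gigether-options redundant-parent reth1
set interfaces ge-12/0/1 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 10.20.20.1/24
set security zones security-zone trust interfaces reth1.0
```

After committing, show chassis cluster status should list redundancy group 1 alongside group 0, and show chassis cluster interfaces should show both reth1 children and the fab link as up; a child interface that stays down on the primary will cause RG1 to move to the other node.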
At this point the SRXs are configured in HA, with reth1 acting as the pseudo interface. The same IP is present on whichever device is primary, and the primary is actively accepting packets for 10.20.20.1. This completes the failover configuration.
Show Commands
See what's going on in the logs. Failover logs will show up in the JSRP (JunOS software Services Redundancy Protocol) logs.
show log jsrp
show chassis cluster status
show chassis cluster statistics
show chassis cluster interfaces
Traceoptions:
set chassis cluster traceoptions flag cli
set chassis cluster traceoptions flag configurations
set chassis cluster traceoptions flag heartbeat
Fail the units back over after a manual failover. This is called resetting the cluster.
request chassis cluster failover reset redundancy-group 1
Further reading
Config generator to build HA configs from Juniper
Juniper KB on configuring clustering on an SRX
Juniper article: Understanding Failover
Juniper article: Understand Chassis Cluster Control Link Heartbeats
JSRP on Juniper Wiki
Posted by Richee Jul 1st, 2013 clustering, failover, ha, juniper, scripts
Comments
5 Comments
thank you..
mohamed elbeshti
cem
Actually the command "set chassis cluster cluster-id 1 node 1 reboot" you proposed to reboot node 1 from node 0 assigns node id 1 to the current node, and if it is node 0 and active, puts the node in an unreachable state and creates a node id conflict.
sac
thanks!
Ravi Verma
Copyright 2015 - Richee