[SRX] Cannot manage SRX via fxp0 when destination in 'Backup Router' is 0/0

  [KB17161]


Summary:

This article shows an example of how to manage an SRX chassis cluster via fxp0 when the cluster uses the backup-router configuration.

Symptoms:

Topology

The topology, IP addresses, and configuration are as follows:

Manager PC----(network)------(fxp0)SRX3400-1
                            -(fxp0)SRX3400-2

Primary fxp0: 192.168.1.1/24
Secondary fxp0: 192.168.1.2/24
Gateway for fxp0: 192.168.1.254
Manager PC: 172.16.1.1/24


groups {
    node0 {
        system {
            host-name SRX3400-1;
            backup-router 192.168.1.254 destination 0.0.0.0/0;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.1.1/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name SRX3400-2;
            backup-router 192.168.1.254 destination 0.0.0.0/0;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.1.2/24;
                    }
                }
            }
        }
    }
}
apply-groups "${NODE}";
system {
    services {
        ftp;
        ssh;
        telnet;
    }
}


Problem

The problem is that the Manager PC cannot manage the SRX via fxp0, even though it can ping both fxp0 interfaces.

Cause:

The root cause is that there is a route for 172.16.1.1 via interfaces other than fxp0 on the SRXs. The backup-router destination of 0.0.0.0/0 is not recommended, and should be avoided. Ping works because the echo reply for an incoming echo request to fxp0 is sent out following the route for 172.16.1.1 via interfaces other than fxp0, but telnet fails.

Solution:

The solution is to remove the route for 172.16.1.1 in the routing table and set a more specific backup-router destination in group node0/node1.

For example:

groups {
    node0 {
        ...
        backup-router 192.168.1.254 destination 172.16.1.1/32;
        ...
    }
    node1 {
        ...
        backup-router 192.168.1.254 destination 172.16.1.1/32;
        ...
    }
}


There are no changes seen in the routing table after the above configuration is applied. This is because the backup-router configuration is intended to facilitate the management access on the BACKUP node only. The access to the primary node is enabled via the routing on the primary node. Thus, when the backup router config is done, the user sees that a route is injected into the forwarding table on the secondary node. It is not possible to see the routing table on the secondary, as the routing subsystem does not run on the secondary.

SAMPLE LAB OUTPUT:

Two instances are shown below: one when the backup-router is configured with destination 0/0, and another when it is configured with a specific destination 172.16.1.1.  The Routing Table (RT) on the primary node and the Forwarding Table (FT) on both primary and secondary node are shown in each of the scenarios.


1) BACK-UP ROUTER CONFIG with destination 0/0


1.1) Routing Table on primary node
{primary:node0}[edit]
root@SRX3400-1# run show route

inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.0/24     *[Direct/0] 00:00:54
                    > via fxp0.0
192.168.1.1/32     *[Local/0] 00:00:54
                      Local via fxp0.0
                                                                           

1.2) Forwarding Table on secondary node with destination 0/0

root@SRX3400-2# run show route forwarding-table
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            user     0 28:c0:da:a0:88:0   ucst   345     2 fxp0.0
default            perm     0                    rjct    36     1
0.0.0.0/32         perm     0                    dscd    34     1
192.168.1.0/24     intf     0                    rslv   344     1 fxp0.0
192.168.1.0/32     dest     0 192.168.1.0        recv   342     1 fxp0.0
192.168.1.2/32     intf     0 192.168.1.2        locl   343     2
192.168.1.2/32     dest     0 192.168.1.2        locl   343     2
192.168.1.254/32   dest     0 28:c0:da:a0:88:0   ucst   345     2 fxp0.0
192.168.1.255/32   dest     0 192.168.1.255      bcst   336     1 fxp0.0
224.0.0.0/4        perm     0                    mdsc    35     1
224.0.0.1/32       perm     0 224.0.0.1          mcst    31     1
255.255.255.255/32 perm     0                    bcst    32     1

Routing table: __master.anon__.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            perm     0                    rjct   526     1
0.0.0.0/32         perm     0                    dscd   524     1
224.0.0.0/4        perm     0                    mdsc   525     1
224.0.0.1/32       perm     0 224.0.0.1          mcst   521     1
255.255.255.255/32 perm     0                    bcst   522     1



2) BACK-UP ROUTER CONFIG with specific destination 172.16.1.1/32

2.1) Routing Table on primary node:

{primary:node0}[edit]
root@SRX3400-1# run show route

inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.0/24     *[Direct/0] 00:17:51
                    > via fxp0.0
192.168.1.1/32     *[Local/0] 00:55:50
                      Local via fxp0.0
                                                                                  

2.2) Forwarding Table on primary node

Note that the 172.16.1.1/32 backup-router route does not appear here on the primary.

{primary:node0}[edit]
root@SRX3400-1# run show route forwarding-table
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            perm     0                    rjct    36     1
0.0.0.0/32         perm     0                    dscd    34     1
192.168.1.0/24     intf     0                    rslv   334     1 fxp0.0
192.168.1.0/32     dest     0 192.168.1.0        recv   331     1 fxp0.0
192.168.1.1/32     intf     0 192.168.1.1        locl   332     2
192.168.1.1/32     dest     0 192.168.1.1        locl   332     2
192.168.1.3/32     dest     0 5c:5e:ab:16:e3:81  ucst   339     1 fxp0.0
192.168.1.6/32     dest     0 0:26:88:4f:c8:8    ucst   340     1 fxp0.0
192.168.1.11/32    dest     0 0:30:48:bc:9f:45   ucst   342     1 fxp0.0
192.168.1.254/32   dest     0 28:c0:da:a0:88:0   ucst   343     1 fxp0.0
192.168.1.255/32   dest     0 192.168.1.255      bcst   329     1 fxp0.0
224.0.0.0/4        perm     0                    mdsc    35     1
224.0.0.1/32       perm     0 224.0.0.1          mcst    31     1
255.255.255.255/32 perm     0                    bcst    32     1

Routing table: __master.anon__.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            perm     0                    rjct   526     1
0.0.0.0/32         perm     0                    dscd   524     1
224.0.0.0/4        perm     0                    mdsc   525     1
224.0.0.1/32       perm     0 224.0.0.1          mcst   521     1
255.255.255.255/32 perm     0                    bcst   522     1

2.3) Forwarding Table on secondary node

{secondary:node1}[edit]
root@SRX3400-2# run show route forwarding-table
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            perm     0                    rjct    36     1
0.0.0.0/32         perm     0                    dscd    34     1
172.16.1.1/32      user     0 192.168.1.254      ucst   345     2 fxp0.0    <<<<<<<<<<<<<<<<<<<<< the specific route appears in FT
192.168.1.0/24     intf     0                    rslv   344     1 fxp0.0
192.168.1.0/32     dest     0 192.168.1.0        recv   342     1 fxp0.0
192.168.1.2/32     intf     0 192.168.1.2        locl   343     2
192.168.1.2/32     dest     0 192.168.1.2        locl   343     2
192.168.1.254/32   dest     0 28:c0:da:a0:88:0   ucst   345     2 fxp0.0
192.168.1.255/32   dest     0 192.168.1.255      bcst   336     1 fxp0.0
224.0.0.0/4        perm     0                    mdsc    35     1
224.0.0.1/32       perm     0 224.0.0.1          mcst    31     1
255.255.255.255/32 perm     0                    bcst    32     1

Routing table: __master.anon__.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            perm     0                    rjct   526     1
0.0.0.0/32         perm     0                    dscd   524     1
224.0.0.0/4        perm     0                    mdsc   525     1
224.0.0.1/32       perm     0 224.0.0.1          mcst   521     1
255.255.255.255/32 perm     0                    bcst   522     1

This route in the forwarding table is the one that allows the secondary node to be accessed via the fxp0 interface.

Explanation 

If a particular subnet has a route configured both via backup-router and as a static route under routing-options, there could be problems accessing fxp0. In the example above, the issue with accessing fxp0 from the Manager PC occurs if:

  • A static route exists that is the same as the route under backup-router.
  • A static route exists that is more specific than the route under backup-router.

In these scenarios, when the routes from the primary node are synced to the secondary node's forwarding table, the static route takes precedence over the route under backup-router. If 0/0 is configured under backup-router, the chance of a better matching static route is higher. Hence it is advisable to avoid 0/0 under backup-router.

If you need routes to the same destination configured under both backup-router and a static route, split the routes when configuring them under backup-router. This makes the routes configured under backup-router preferred and ensures that fxp0 is accessible.

Example:

[edit routing-options static route]
0.0.0.0/0 next-hop 100.200.200.254;

[edit groups node0]
backup-router 192.168.1.254 destination [0.0.0.0/1 128.0.0.0/1];
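The precedence rule in the Explanation can be checked against a planned configuration before it is committed. The Python sketch below is an added example, not Juniper code: it models the rule as this article states it (longest prefix wins, and a static route of equal length beats the backup-router route), and its function names and the static prefixes in the sample calls are constructed for illustration.

```python
import ipaddress

def best_match(addr, prefixes):
    """Longest prefix in `prefixes` that contains addr, or None."""
    addr = ipaddress.ip_address(addr)
    hits = [n for n in map(ipaddress.ip_network, prefixes) if addr in n]
    return max(hits, key=lambda n: n.prefixlen, default=None)

def return_path(manager_ip, backup_dests, static_prefixes):
    """Route that carries replies to manager_ip on the secondary node.

    Model of the article's rule: a static route that is the same as, or
    more specific than, the backup-router destination takes precedence.
    """
    b = best_match(manager_ip, backup_dests)
    s = best_match(manager_ip, static_prefixes)
    if b is None and s is None:
        return ("none", None)
    if b is None or (s is not None and s.prefixlen >= b.prefixlen):
        return ("static", str(s))
    return ("backup-router", str(b))

def audit(manager_ips, backup_dests, static_prefixes):
    """List the reasons fxp0 management could fail for the given hosts."""
    findings = []
    if any(ipaddress.ip_network(d).prefixlen == 0 for d in backup_dests):
        findings.append("backup-router destination 0.0.0.0/0 should be avoided")
    for ip in manager_ips:
        source, prefix = return_path(ip, backup_dests, static_prefixes)
        if source == "none":
            findings.append(f"{ip}: no route covers this management host")
        elif source == "static":
            findings.append(f"{ip}: static route {prefix} overrides backup-router")
    return findings

if __name__ == "__main__":
    manager = ["172.16.1.1"]          # Manager PC from the article
    static = ["0.0.0.0/0"]            # static default, as in the final example
    # Weak: 0/0 under backup-router ties with the static default and loses.
    print(audit(manager, ["0.0.0.0/0"], static))
    # Corrected: the split /1 prefixes are more specific than the static 0/0.
    print(audit(manager, ["0.0.0.0/1", "128.0.0.0/1"], static))
```
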
