This article shows an example of how to manage an SRX chassis cluster, configured using the backup-router configuration, via fxp0.
Topology
The topology, IP addresses, and configuration are as follows:
Manager PC----(network)------(fxp0)SRX3400-1
                            -(fxp0)SRX3400-2
Primary fxp0: 192.168.1.1/24
Secondary fxp0: 192.168.1.2/24
Gateway for fxp0: 192.168.1.254
Manager PC: 172.16.1.1/24
groups {
    node0 {
        system {
            host-name SRX3400-1;
            backup-router 192.168.1.254 destination 0.0.0.0/0;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.1.1/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name SRX3400-2;
            backup-router 192.168.1.254 destination 0.0.0.0/0;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.1.2/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    services {
        ftp;
        ssh;
        telnet;
    }
}
Problem
The Manager PC cannot manage the SRX via fxp0, although it can ping both fxp0 interfaces.
The root cause is that the SRXs have a route for 172.16.1.1 via interfaces other than fxp0. A backup-router destination of 0.0.0.0/0 is not recommended and should be avoided. Ping works because the echo reply to an echo request received on fxp0 is sent out along the route for 172.16.1.1, via interfaces other than fxp0. Telnet, however, fails.
The solution is to remove the route for 172.16.1.1 from the routing table and set a more specific backup-router destination in groups node0 and node1.
For example:
groups {
    node0 {
        ...
        backup-router 192.168.1.254 destination 172.16.1.1/32;
        ...
    }
    node1 {
        ...
        backup-router 192.168.1.254 destination 172.16.1.1/32;
        ...
    }
}
No changes are seen in the routing table after the above configuration is applied. This is because the backup-router configuration is intended to facilitate management access on the backup node only. Access to the primary node is provided by the routing on the primary node. Thus, once the backup-router configuration is applied, a route is injected into the forwarding table on the secondary node. The routing table cannot be viewed on the secondary node, because the routing subsystem does not run there.
SAMPLE LAB OUTPUT:
Two instances are shown below: one when the backup-router is configured with destination 0/0, and another when it is configured with a specific destination 172.16.1.1. The Routing Table (RT) on the primary node and the Forwarding Table (FT) on both the primary and secondary nodes are shown in each scenario.
1) BACK-UP ROUTER CONFIG with destination 0/0
1.1) Routing Table on primary node
{primary:node0}[edit]
root@SRX3400-1# run show route
inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.1.0/24 *[Direct/0] 00:00:54
> via fxp0.0
192.168.1.1/32 *[Local/0] 00:00:54
Local via fxp0.0
1.2) Forwarding Table on secondary node with destination 0/0
root@SRX3400-2# run show route forwarding-table
Routing table: default.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
default user 0 28:c0:da:a0:88:0 ucst 345 2 fxp0.0
default perm 0 rjct 36 1
0.0.0.0/32 perm 0 dscd 34 1
192.168.1.0/24 intf 0 rslv 344 1 fxp0.0
192.168.1.0/32 dest 0 192.168.1.0 recv 342 1 fxp0.0
192.168.1.2/32 intf 0 192.168.1.2 locl 343 2
192.168.1.2/32 dest 0 192.168.1.2 locl 343 2
192.168.1.254/32 dest 0 28:c0:da:a0:88:0 ucst 345 2 fxp0.0
192.168.1.255/32 dest 0 192.168.1.255 bcst 336 1 fxp0.0
224.0.0.0/4 perm 0 mdsc 35 1
224.0.0.1/32 perm 0 224.0.0.1 mcst 31 1
255.255.255.255/32 perm 0 bcst 32 1
Routing table: __master.anon__.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
default perm 0 rjct 526 1
0.0.0.0/32 perm 0 dscd 524 1
224.0.0.0/4 perm 0 mdsc 525 1
224.0.0.1/32 perm 0 224.0.0.1 mcst 521 1
255.255.255.255/32 perm 0 bcst 522 1
2) BACK-UP ROUTER CONFIG with specific destination 172.16.1.1/32
2.1) Routing Table on primary node:
{primary:node0}[edit]
root@SRX3400-1# run show route
inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.1.0/24 *[Direct/0] 00:17:51
> via fxp0.0
192.168.1.1/32 *[Local/0] 00:55:50
Local via fxp0.0
2.2) Forwarding Table on Primary
Note: The 172.16.1.1/32 backup-router route does not appear in the forwarding table on the primary node.
{primary:node0}[edit]
root@SRX3400-1# run show route forwarding-table
Routing table: default.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
default perm 0 rjct 36 1
0.0.0.0/32 perm 0 dscd 34 1
192.168.1.0/24 intf 0 rslv 334 1 fxp0.0
192.168.1.0/32 dest 0 192.168.1.0 recv 331 1 fxp0.0
192.168.1.1/32 intf 0 192.168.1.1 locl 332 2
192.168.1.1/32 dest 0 192.168.1.1 locl 332 2
192.168.1.3/32 dest 0 5c:5e:ab:16:e3:81 ucst 339 1 fxp0.0
192.168.1.6/32 dest 0 0:26:88:4f:c8:8 ucst 340 1 fxp0.0
192.168.1.11/32 dest 0 0:30:48:bc:9f:45 ucst 342 1 fxp0.0
192.168.1.254/32 dest 0 28:c0:da:a0:88:0 ucst 343 1 fxp0.0
192.168.1.255/32 dest 0 192.168.1.255 bcst 329 1 fxp0.0
224.0.0.0/4 perm 0 mdsc 35 1
224.0.0.1/32 perm 0 224.0.0.1 mcst 31 1
255.255.255.255/32 perm 0 bcst 32 1
Routing table: __master.anon__.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
default perm 0 rjct 526 1
0.0.0.0/32 perm 0 dscd 524 1
224.0.0.0/4 perm 0 mdsc 525 1
224.0.0.1/32 perm 0 224.0.0.1 mcst 521 1
255.255.255.255/32 perm 0 bcst 522 1
2.3) Forwarding Table on secondary node
{secondary:node1}[edit]
root@SRX3400-2# run show route forwarding-table
Routing table: default.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
default perm 0 rjct 36 1
0.0.0.0/32 perm 0 dscd 34 1
172.16.1.1/32 user 0 192.168.1.254 ucst 345 2 fxp0.0 <-- the specific route appears in FT
192.168.1.0/24 intf 0 rslv 344 1 fxp0.0
192.168.1.0/32 dest 0 192.168.1.0 recv 342 1 fxp0.0
192.168.1.2/32 intf 0 192.168.1.2 locl 343 2
192.168.1.2/32 dest 0 192.168.1.2 locl 343 2
192.168.1.254/32 dest 0 28:c0:da:a0:88:0 ucst 345 2 fxp0.0
192.168.1.255/32 dest 0 192.168.1.255 bcst 336 1 fxp0.0
224.0.0.0/4 perm 0 mdsc 35 1
224.0.0.1/32 perm 0 224.0.0.1 mcst 31 1
255.255.255.255/32 perm 0 bcst 32 1
Routing table: __master.anon__.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
default perm 0 rjct 526 1
0.0.0.0/32 perm 0 dscd 524 1
224.0.0.0/4 perm 0 mdsc 525 1
224.0.0.1/32 perm 0 224.0.0.1 mcst 521 1
255.255.255.255/32 perm 0 bcst 522 1
This route in the forwarding table is what allows the secondary node to be accessed via the fxp0 interface.
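One way to automate the check performed by eye in section 2.3 is sketched below. This is an added example, not part of the original article or of Junos: it scans captured "show route forwarding-table" text for "user" entries that leave via fxp0.0 and tests whether they cover the management host. The function names are hypothetical, and the sample text is an excerpt of the secondary-node output above.

```python
import ipaddress

# Excerpt of the section 2.3 output above, embedded so the example runs offline.
SAMPLE_FT = """\
Routing table: default.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
default perm 0 rjct 36 1
0.0.0.0/32 perm 0 dscd 34 1
172.16.1.1/32 user 0 192.168.1.254 ucst 345 2 fxp0.0 <-- the specific route appears in FT
192.168.1.0/24 intf 0 rslv 344 1 fxp0.0
192.168.1.254/32 dest 0 28:c0:da:a0:88:0 ucst 345 2 fxp0.0
Routing table: __master.anon__.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
default perm 0 rjct 526 1
"""

def user_routes_via(output, netif="fxp0.0", table="default.inet"):
    """Return [(destination, next_hop)] for 'user' entries that leave via netif."""
    routes, current = [], None
    for line in output.splitlines():
        line = line.split("<--")[0].strip()  # drop inline annotations
        if line.startswith("Routing table:"):
            current = line.split(":", 1)[1].strip()
            continue
        fields = line.split()
        # A unicast user row has 8 columns:
        # dest, type, rtref, next hop, nh type, index, nhref, netif
        if (current == table and len(fields) == 8
                and fields[1] == "user" and fields[7] == netif):
            dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
            routes.append((dest, fields[3]))
    return routes

def covers(output, host):
    """True when some user route via fxp0.0 contains the management host."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(d) for d, _ in user_routes_via(output))

if __name__ == "__main__":
    print(user_routes_via(SAMPLE_FT))
    print("Manager PC covered:", covers(SAMPLE_FT, "172.16.1.1"))
```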
Explanation
If a particular subnet has a route configured both via backup-router and as a static route under routing-options, there could be problems accessing fxp0. In the example above, the issue with accessing fxp0 from the Manager PC occurs if:
- A static route exists that is the same as the route under backup-router.
- A static route exists that is more specific than the route under backup-router.
In these scenarios, when the routes from the primary node are synced to the secondary node's forwarding table, the static route takes precedence over the route under backup-router. If 0/0 is configured under backup-router, the chance that a static route is a better match is higher. Hence it is advisable to avoid 0/0 under backup-router.
If you need routes to the same destination configured using both backup-router and a static route, split the routes when configuring backup-router. This makes the routes configured under backup-router preferred and ensures that fxp0 is accessible.
Example:
[edit routing-options static route]
0.0.0.0/0 next-hop 100.200.200.254;
[edit groups node0 ]
backup-router 192.168.1.254 destination [0.0.0.0/1 128.0.0.0/1];
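The precedence rule described in the Explanation can be modeled as a longest-prefix match in which a static route wins a tie. The sketch below is an added example, not part of the original article and not Junos code. It applies that rule to the article's Manager PC address and shows why splitting 0/0 into 0.0.0.0/1 and 128.0.0.0/1 restores fxp0 access. The function names and the 172.16.1.0/24 static route are assumptions made for illustration.

```python
import ipaddress

def best_route(host, backup_dests, static_routes):
    """Pick the route the article's rule says is used to reach host.

    Longest prefix wins; a static route that is the same as the
    backup-router destination takes precedence, so ties go to static.
    Returns (source, prefix), or None when nothing covers the host.
    """
    addr = ipaddress.ip_address(host)
    candidates = []
    for source, prefixes in (("backup-router", backup_dests),
                             ("static", static_routes)):
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if addr in net:
                candidates.append((net.prefixlen, source == "static", source, net))
    if not candidates:
        return None
    # Compare on prefix length first, then prefer static on equal length.
    _, _, source, net = max(candidates, key=lambda c: (c[0], c[1]))
    return source, str(net)

def fxp0_reachable(host, backup_dests, static_routes):
    """True when replies to host follow the backup-router route out of fxp0."""
    best = best_route(host, backup_dests, static_routes)
    return best is not None and best[0] == "backup-router"

MANAGER = "172.16.1.1"  # Manager PC from the article's topology

# (backup-router destinations, static routes); 172.16.1.0/24 is constructed.
SCENARIOS = {
    "0/0 vs static 0/0": (["0.0.0.0/0"], ["0.0.0.0/0"]),
    "0/0 vs static 172.16.1.0/24": (["0.0.0.0/0"], ["172.16.1.0/24"]),
    "/32 vs static 0/0": (["172.16.1.1/32"], ["0.0.0.0/0"]),
    "split halves vs static 0/0": (["0.0.0.0/1", "128.0.0.0/1"], ["0.0.0.0/0"]),
}

if __name__ == "__main__":
    for name, (backup, static) in SCENARIOS.items():
        print(name, best_route(MANAGER, backup, static),
              fxp0_reachable(MANAGER, backup, static))
```

The model only compares prefixes. It does not replace checking the secondary node's forwarding table after a commit.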