Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] Can't manage Chassis Cluster (High Availability)

0

0

Article ID: KB21113 KB Last Updated: 13 Oct 2020Version: 6.0
Summary:

How to troubleshoot management issues with the nodes built in a Chassis Cluster.

This troubleshooting flow is part of the Resolution Guide -- SRX Chassis Cluster (High Availability).
Symptoms:

To be able to manage the SRX Chassis Cluster through the management/revenue ports or by using NSM or other management devices.

Solution:

Perform the following steps:

  1. Are you trying to manage the Chassis Cluster using NSM?

  2. Which port are you using to manage the device?

    • Cluster Management port (FXP0) - Continue to Step 3
    • One of the revenue ports:

    Note: Only the primary node can be managed using the revenue port.  A revenue port is used for traffic processing.

    SRX requires separate links for the Control and Datalink (Fabric link on SRX) as separate connections are required to the control and dataplane. Any available revenue port is used for the Datalink port.

    For configuration assistance on management through a revenue port, refer to KB16647 - SRX Getting Started - Configure Management Access. Keep in mind that the article provides configuration guidelines for managing a stand-alone device; however, the configuration remains the same. Also check Step 6 for confirming that SSH/Telnet/HTTP is enabled on the revenue port used for managing the device.

  3. Which Chassis Cluster node are you having trouble managing? 

    • Primary    -  Continue to Step 6
    • Secondary   -  Jump to Step 11
    • Both Primary & Secondary  - Continue to Step 6
  4. Connect to the primary node via a console. Verify configuration of the management interface.

    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    any-service;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth0.0
                reth0.1;
            }
        }
    
    
    {primary:node1}[edit]
    root# show system services {
            http;
            ssh;
            telnet;
        }
    
    • Confirm that the desired system services (i.e SSH, TELNET, and/or HTTP) are enabled under host-inbound-traffic in the relevant zone:
    • Confirm that the desired system services (i.e. SSH, TELNET, and/or HTTP) are enabled in the system services hierarchy:
  5. Does ping to the management interface work?

  6. Run the command:

    root@SRX>show interfaces terse

             Is the FXP0 interface showing as Up and also providing an IP address?          
    • Yes - Continue to Step 9
    • No - Check the following three sub-steps and follow accordingly.
      1. Verify that the fxp0 is properly configured under the groups hierarchy? You can refer to the configuration example in KB17161 or check the minimal configuration as shown below:

        root@srx# show groups
        node0 {
            interfaces {
                fxp0 {
                    unit 0 {
                        family inet {
                            address 192.168.1.2/24;
                        }
                    }
                }
            }
        }
             
      2. Confirm that the cable connected to the fxp0 interface is a good one and check for error counters incrementing when you run the following command:

        root@srx> show interfaces fxp0.0 extensive

        If you find errors in this, proceed to Step 14 to open a case with your technical support representative.

      3. If the device is still unmanageable, proceed to Step 9.
  7. Is the IP address of the FXP0 interface and IP address of the management PC in the same subnet?

    • Yes - Continue to Step 10
    • No  - From the SRX, run the command:  show route <management PC IP>

      If a route does not exist to the management PC's IP, add a route for the management subnet in the inet.0 table with the next-hop as the backup router ip.  
      If the device is still unmanageable, proceed to Step 14.
  8. On the SRX, is there an ARP entry for the management PC on the SRX?

    Check using the command:  root@SRX>show arp no-resolve | match <ip>
    • Yes - It could be that there are routes to the management through both fxp0 and another other interface. There may be a case of asymmetric routing. Check if the fxp0 and any reth interface ip are in the same subnet. If there are multiple routes, open a case with your technical support representative.
    • No - Continue to Step 11.
    • Yes - Does the SRX have multiple routes to the management PC?    Check using the command:  show route <PC-ip>
    • No - Open a case with your technical support representative. Proceed to Step 14.
  9. Which method are you using to manage the secondary node?

  10. Verify configuration on the backup node.

    Verify the configuration on the backup node for the management interfaces by following Step 6. After that, check the following articles for more information on the configuration guidelines.

    Once the configuration is correct, and if you still cannot manage the node, continue to Step 13.

  11. Is the IP address of the backup FXP0 interface and the IP address of the FXP0 interface of the primary node in the same subnet?

    • Yes - Proceed to Step 14
    • No - Configure fxp0 and backup router in same subnet. Go back to Step 12 and verify configuration.
  12. If the above steps do not resolve this problem, refer to KB20795 - How-to's and troubleshooting articles for managing a Chassis Cluster for additional solutions.  Otherwise, collect the necessary logs from BOTH devices, and open a case with with your technical support representative.

Modification History:
​2020/07/15: Article reviewed for accuracy; no changes required.
​2020/10/01: Removed step 4-5 as its no longer relevant.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search