How to troubleshoot management issues with the nodes built in a Chassis Cluster.

To be able to manage the SRX Chassis Cluster through the management/revenue ports or by using NSM or other management devices.

Perform the following steps:

1. Are you trying to manage the Chassis Cluster using NSM?

   • Yes - Refer to KB16445 - SRX Getting Started - Using NSM to manage your SRX device
   • No   - Continue to Step 2

2. Which port are you using to manage the device?

   • Cluster Management port (FXP0) - Continue to Step 3
   • One of the revenue ports:

   Note: Only the primary node can be managed using the revenue port.  A revenue port is used for traffic processing.

   SRX requires separate links for the Control and Datalink (Fabric link on SRX) as separate connections are required to the control and dataplane. Any available revenue port is used for the Datalink port.

   For configuration assistance on management through a revenue port, refer to KB16647 - SRX Getting Started - Configure Management Access. Keep in mind that the article provides configuration guidelines for managing a stand-alone device; however, the configuration remains the same. Also check Step 6 for confirming that SSH/Telnet/HTTP is enabled on the revenue port used for managing the device.

3. Which Chassis Cluster node are you having trouble managing? 

   • Primary    -  Continue to Step 6
   • Secondary   -  Jump to Step 11
   • Both Primary & Secondary  - Continue to Step 6

4. Connect to the primary node via a console. Verify configuration of the management interface.

   zones {
       security-zone trust {
           host-inbound-traffic {
               system-services {
                   any-service;
               }
               protocols {
                   all;
               }
           }
           interfaces {
               reth0.0
               reth0.1;
           }
       }
   
   

   {primary:node1}[edit]
   root# show system services {
           http;
           ssh;
           telnet;
       }
   

   • Confirm that the desired system services (i.e SSH, TELNET, and/or HTTP) are enabled under host-inbound-traffic in the relevant zone:
   • Confirm that the desired system services (i.e. SSH, TELNET, and/or HTTP) are enabled in the system services hierarchy:

5. Does ping to the management interface work?

   • Yes - Refer to KB17161 - Cannot manage SRX via fpx0 in chassis cluster, and if that doesn't work, open a case with your  technical support representative, as explained in Step 14
   • No   - Continue to Step 8

6. Run the command:

   root@SRX>show interfaces terse

            Is the FXP0 interface showing as Up and also providing an IP address?          
   • Yes - Continue to Step 9
   • No - Check the following three sub-steps and follow accordingly.

     1. Verify that the fxp0 is properly configured under the groups hierarchy? You can refer to the configuration example in KB17161 or check the minimal configuration as shown below:

        root@srx# show groups
node0 {
    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 192.168.1.2/24;
                }
            }
        }
    }
}     

     2. Confirm that the cable connected to the fxp0 interface is a good one and check for error counters incrementing when you run the following command:

        root@srx> show interfaces fxp0.0 extensive

        If you find errors in this, proceed to Step 14 to open a case with your technical support representative.

     3. If the device is still unmanageable, proceed to Step 9.

7. Is the IP address of the FXP0 interface and IP address of the management PC in the same subnet?

   • Yes - Continue to Step 10
   • No  - From the SRX, run the command:  show route <management PC IP>. 
     
     If a route does not exist to the management PC's IP, add a route for the management subnet in the inet.0 table with the next-hop as the backup router ip.  
     If the device is still unmanageable, proceed to Step 14.

8. On the SRX, is there an ARP entry for the management PC on the SRX?

   Check using the command:  root@SRX>show arp no-resolve | match <ip>
   • Yes - It could be that there are routes to the management through both fxp0 and another other interface. There may be a case of asymmetric routing. Check if the fxp0 and any reth interface ip are in the same subnet. If there are multiple routes, open a case with your technical support representative.
   • No - Continue to Step 11.
   • Yes - Does the SRX have multiple routes to the management PC?    Check using the command:  show route <PC-ip>
   • No - Open a case with your technical support representative. Proceed to Step 14.

9. Which method are you using to manage the secondary node?

   • J-Web - Not Supported.  For more information, refer to KB16827 - Can you manage secondary node of a chassis cluster with J-Web.
   • SSH/Telnet ->Continue to Step 12

10. Verify configuration on the backup node.

    Verify the configuration on the backup node for the management interfaces by following Step 6. After that, check the following articles for more information on the configuration guidelines.
    KB17161 - Cannot manage SRX via fpx0 in chassis cluster
    KB15580 - 'backup-router' command configuration on Chassis Cluster  

    Once the configuration is correct, and if you still cannot manage the node, continue to Step 13.

11. Is the IP address of the backup FXP0 interface and the IP address of the FXP0 interface of the primary node in the same subnet?

    • Yes - Proceed to Step 14
    • No - Configure fxp0 and backup router in same subnet. Go back to Step 12 and verify configuration.

12. If the above steps do not resolve this problem, refer to KB20795 - How-to's and troubleshooting articles for managing a Chassis Cluster for additional solutions.  Otherwise, collect the necessary logs from BOTH devices, and open a case with with your technical support representative.