
[SRX] How to failover data plane without the reth interface?


Article ID: KB22253 KB Last Updated: 01 Dec 2011Version: 1.0
Summary:
This article explains how to fail over the data plane of an SRX chassis cluster without using a reth interface.
Symptoms:
In some scenarios it is difficult for customers to set up a reth interface in an SRX chassis cluster, so they have to use local interfaces instead of a reth interface.
Cause:
SRX supports local interfaces in a chassis cluster.
Solution:
This scenario can be supported in SRX HA as follows:

Active/Passive state (control)

  • Chassis clustering runs in HA mode using JSRP.

  • JSRP runs over the control link and selects the node with the higher priority as the active node for HA failover.


Active/Passive mode (data only)

  • All local ports carry traffic, including the data link, with no redundancy protection.

  • Use IGP cost to place the nodes in active/passive roles for data traffic.

  • By proper design, no traffic runs over the data link.

  • When the control link or the data link is broken, the node with the lower priority and its interfaces are disabled; a manual reboot is then required for recovery.

  • An IP address is assigned to each local port.

  • Static or dynamic routes run between the firewall and the routers.

  • The cost must be adjusted for the active/passive deployment case.

For example:

routerA-----------(ae0)node0(ae1)------------RouterA1
routerB-----------(ae2)node1(ae3)------------RouterB1

ae0/ae1/ae2/ae3 are composed of node0's and node1's local interfaces. The routers and firewalls run OSPF. The traffic path routerA--node0--routerA1 is chosen by OSPF cost; routerB--node1--routerB1 is the backup traffic path.


Here is the status of the node0/node1 sessions before and after rebooting node0:

  1. The traffic path is routerA--node0--routerA1:
    lab@SRX3600-1> show security flow session source-prefix 10.10.0.1 
    Aug 05 04:17:16
    node0:
    --------------------------------------------------------------------------
    
    Flow Sessions on FPC2 PIC0:
    
    Session ID: 40072870, Policy name: N2X_traffic_IAC/6, State: Active, Timeout: 1800, Valid
    In: 10.10.0.1/1 --> 11.10.0.1/1;61, If: ae0.0, Pkts: 6601, Bytes: 726110
    Out: 11.10.0.1/1 --> 10.87.62.97/47091;61, If: ae1.0, Pkts: 0, Bytes: 0
    Total sessions: 1
    
    Flow Sessions on FPC9 PIC0:
    Total sessions: 0
    
    node1:
    --------------------------------------------------------------------------
    
    Flow Sessions on FPC2 PIC0:
    
    Session ID: 40522063, Policy name: N2X_traffic_IAC/6, State: Backup, Timeout: 14394, Valid
    In: 10.10.0.1/1 --> 11.10.0.1/1;61, If: ae0.0, Pkts: 0, Bytes: 0
    Out: 11.10.0.1/1 --> 10.87.62.97/47091;61, If: ae1.0, Pkts: 0, Bytes: 0
    Total sessions: 1
    
    Flow Sessions on FPC9 PIC0:
    Total sessions: 0
    
    lab@SRX3600-1> show route 
    
    10.0.0.0/12 *[OSPF/150] 00:04:21, metric 0, tag 0
    > to 10.87.62.1 via ae0.0
    
    11.0.0.0/12 *[OSPF/150] 00:04:26, metric 5, tag 0
    > to 10.87.62.5 via ae1.0
    

  2. Reboot node0. Before OSPF detects that ae0.0 and ae1.0 are down and reconverges, the node1 session status is:

    lab@SRX3600-1> show security flow session source-prefix 10.10.0.1 
    Aug 05 04:18:26
    node1:
    --------------------------------------------------------------------------
    
    Flow Sessions on FPC2 PIC0:
    
    Session ID: 40522063, Policy name: N2X_traffic_IAC/6, State: Backup, Timeout: 14324, Valid
    In: 10.10.0.1/1 --> 11.10.0.1/1;61, If: ae0.0, Pkts: 0, Bytes: 0
    Out: 11.10.0.1/1 --> 10.87.62.97/47091;61, If: ae1.0, Pkts: 0, Bytes: 0
    Total sessions: 1
    
    Flow Sessions on FPC9 PIC0:
    Total sessions: 0
    

  3. After OSPF has reconverged:

    lab@SRX3600-1> show route 
    
    10.0.0.0/12 *[OSPF/150] 00:00:03, metric 0, tag 0
    > to 10.87.62.9 via ae2.0
    11.0.0.0/12 *[OSPF/150] 00:00:03, metric 10, tag 0
    > to 10.87.62.13 via ae3.0
    

  4. At this time the node1 session changes from Backup to Active, and the egress interface is refreshed to node1's local interface:

    lab@SRX3600-1> show security flow session source-prefix 10.10.0.1 
    Aug 05 04:18:39
    node1:
    --------------------------------------------------------------------------
    
    Flow Sessions on FPC2 PIC0:
    
    Session ID: 40522063, Policy name: N2X_traffic_IAC/6, State: Active, Timeout: 1800, Valid
    In: 10.10.0.1/1 --> 11.10.0.1/1;61, If: ae0.0, Pkts: 9075, Bytes: 998250
    Out: 11.10.0.1/1 --> 10.87.62.97/47091;61, If: ae3.0, Pkts: 0, Bytes: 0
    Total sessions: 1
    
    Flow Sessions on FPC9 PIC0:
    Total sessions: 0
    

Traffic path failover to node1 by OSPF succeeds; however, the failover time is much longer than with a reth interface, because it depends on how long OSPF takes to detect that the interface is down and to reconverge.

Some applications may be interrupted by the resulting timeout. Track IP or a similar mechanism is recommended on the firewall's upstream or downstream device to detect that the interface is down.
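As an added example (not part of the KB article), the following Python script parses the `show security flow session` listings shown in steps 1 to 4, reports which sessions changed from Backup to Active and moved to a different egress interface, and lists which node disappeared from the output; the sample text is constructed from the outputs on this page.

```python
import re

# Constructed sample trimmed from the KB's "show security flow session" output
# before node0 reboots (both nodes) and after OSPF reconverges (node1 only).
BEFORE = """node0:
Session ID: 40072870, Policy name: N2X_traffic_IAC/6, State: Active, Timeout: 1800, Valid
In: 10.10.0.1/1 --> 11.10.0.1/1;61, If: ae0.0, Pkts: 6601, Bytes: 726110
Out: 11.10.0.1/1 --> 10.87.62.97/47091;61, If: ae1.0, Pkts: 0, Bytes: 0
node1:
Session ID: 40522063, Policy name: N2X_traffic_IAC/6, State: Backup, Timeout: 14394, Valid
In: 10.10.0.1/1 --> 11.10.0.1/1;61, If: ae0.0, Pkts: 0, Bytes: 0
Out: 11.10.0.1/1 --> 10.87.62.97/47091;61, If: ae1.0, Pkts: 0, Bytes: 0
"""
AFTER = """node1:
Session ID: 40522063, Policy name: N2X_traffic_IAC/6, State: Active, Timeout: 1800, Valid
In: 10.10.0.1/1 --> 11.10.0.1/1;61, If: ae0.0, Pkts: 9075, Bytes: 998250
Out: 11.10.0.1/1 --> 10.87.62.97/47091;61, If: ae3.0, Pkts: 0, Bytes: 0
"""

NODE_RE = re.compile(r"^(node\d+):$")
SESSION_RE = re.compile(r"^Session ID: (\d+),.*State: (\w+), Timeout: (\d+)")
WING_RE = re.compile(r"^(In|Out): .*?If: ([^,]+),")


def parse_sessions(text):
    """Return {node: {session_id: {"state", "timeout", "in_if", "out_if"}}}.
    Separator and 'Flow Sessions on FPC...' header lines are ignored."""
    nodes, node, sess = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := NODE_RE.match(line):
            node = nodes.setdefault(m.group(1), {})
        elif (m := SESSION_RE.match(line)) and node is not None:
            sess = node.setdefault(m.group(1), {})
            sess.update(state=m.group(2), timeout=int(m.group(3)))
        elif (m := WING_RE.match(line)) and sess is not None:
            sess[m.group(1).lower() + "_if"] = m.group(2)
    return nodes


def failover_report(before, after):
    """Return (changes, lost_nodes): (node, sid, old_state, new_state, old_out_if,
    new_out_if) per changed session, plus nodes missing after (the rebooted one)."""
    changes = []
    for node, sessions in after.items():
        for sid, new in sessions.items():
            old = before.get(node, {}).get(sid, {})
            if old.get("state") != new["state"] or old.get("out_if") != new.get("out_if"):
                changes.append((node, sid, old.get("state"), new["state"],
                                old.get("out_if"), new.get("out_if")))
    return changes, sorted(set(before) - set(after))
```

Running the two snapshots through `failover_report` shows the node1 session moving from Backup on ae1.0 to Active on ae3.0 while node0 is absent, which is the failover the steps above demonstrate.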