Chassis Cluster support for SRX/vSRX in FIPS mode


Article ID: KB33655
KB Last Updated: 05 Jun 2019
Version: 2.0

Summary:

This article provides information about chassis cluster (HA) support for SRX Branch series and vSRX platforms in FIPS mode.

Symptoms:

Unable to set up a healthy cluster with SRX Branch platforms, including vSRX, when they are in FIPS mode.

In the 15.1X49 code train, you might be able to set up clustering and reboot the nodes. After the reboot, the secondary node enters the 'Disabled' state due to a 'CF' (Config Sync monitoring) failure. Logs indicate that it 'cannot set internal IPSec SA'. Attempts to configure the internal IPSec SAs fail at commit, because required configuration statements are missing and the statements that are entered are listed as 'unsupported' for these platforms.

Example output:

root@srx> show chassis cluster status

Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring

Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  100        primary       no      no       None
node1  0          disabled      no      no       CF

Redundancy group: 0 , Failover count: 1
node0  100        primary       no      no        None
node1  0          disabled      no       no       CF

root@srx> show chassis cluster information detail no-forwarding
<snip>
Configuration Synchronization:
    Status:
        Activation status: Enabled
        Last sync operation: Auto-Sync
        Last sync result: Failed
        Last sync mgd messages:
            mgd: cannot set internal IPSec SAcannot set internal IPSec SAcannot set internal IPSec SAcannot set internal IPSec SA
            mgd: cannot set internal IPSec SAcannot set internal IPSec SAcannot set internal IPSec SAcannot set internal IPSec SA
            mgd: cannot set internal IPSec SAcannot set internal IPSec SAcannot set internal IPSec SAcannot set internal IPSec SA
            mgd: cannot set internal IPSec SAcannot set internal IPSec SAcannot set internal IPSec SAcannot set internal IPSec SA
            mgd: error: Could not obtain configuration file from the other RE

In the 17.4 code train or higher, when SRX Branch or vSRX devices are in FIPS mode, attempts to enable chassis clustering with 'set chassis cluster' are prevented.
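
A triage check for the 15.1X49 symptom shown in the example output above, as an added example (not Juniper's code): it parses saved output of the two show commands and reports nodes that are disabled with a CF monitor failure while config sync failed with 'cannot set internal IPSec SA'. The function names and sample text are constructed for illustration, and the script does not itself confirm that the device is in FIPS mode.

```python
import re

# Constructed sample input, modelled on the CLI output shown in this article.
SAMPLE_STATUS = """\
Redundancy group: 0 , Failover count: 1
node0  100        primary       no      no       None
node1  0          disabled      no      no       CF
"""
SAMPLE_DETAIL = """\
Configuration Synchronization:
        Last sync result: Failed
        Last sync mgd messages:
            mgd: cannot set internal IPSec SAcannot set internal IPSec SA
            mgd: error: Could not obtain configuration file from the other RE
"""

GROUP_RE = re.compile(r"^Redundancy group:\s*(\d+)")
NODE_RE = re.compile(r"^(node\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_status(text):
    """Return one dict per node row, tagged with its redundancy group."""
    rows, group = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := GROUP_RE.match(line):
            group = int(m.group(1))
        elif (m := NODE_RE.match(line)) and group is not None:
            node, prio, status, _preempt, _manual, failures = m.groups()
            rows.append({"group": group, "node": node, "priority": int(prio),
                         "status": status, "failures": failures.split()})
    return rows


def fips_cluster_symptom(status_text, detail_text):
    """Nodes disabled with a CF monitor failure, reported only when config
    sync also failed with the internal IPSec SA message from this article."""
    disabled = sorted({r["node"] for r in parse_status(status_text)
                       if r["status"] == "disabled" and "CF" in r["failures"]})
    sync_failed = re.search(r"Last sync result:\s*Failed", detail_text)
    sa_error = "cannot set internal IPSec SA" in detail_text
    return disabled if (sync_failed and sa_error) else []


if __name__ == "__main__":
    print(fips_cluster_symptom(SAMPLE_STATUS, SAMPLE_DETAIL))
```
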

Cause:

Currently, chassis clustering is not supported on SRX Branch and vSRX platforms while in FIPS mode.
Chassis cluster in FIPS mode is fully supported on SRX high-end platforms.

Solution:

If you are planning to use SRX Branch or vSRX platforms in FIPS mode, plan to deploy them as stand-alone devices. If chassis cluster (high availability) is needed on SRX platforms in FIPS mode, consider deploying SRX high-end platforms.

Modification History:
2019-06-02: Related link added.
