Chassis Cluster support for SRX/vSRX in FIPS mode

  [KB33655]


Summary:

This article provides information about chassis cluster (HA) support for SRX Branch series and vSRX platforms in FIPS mode.

Symptoms:

Unable to set up a healthy cluster with SRX Branch platforms, including vSRX, when they are in FIPS mode.

In the 15.1X49 code train, you might be able to set up clustering and reboot the nodes. After the reboot, the secondary node enters the 'Disabled' state due to a 'CF' (Config Sync) failure, and the logs indicate that it 'cannot set internal IPSec SA'. Attempts to configure the internal IPsec SAs manually fail to commit, because the required configuration statements are missing and the statements that are entered are listed as 'unsupported' on these platforms.

Example output:

root@srx> show chassis cluster status

Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring

Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  100        primary       no      no       None
node1  0          disabled      no      no       CF

Redundancy group: 0 , Failover count: 1
node0  100        primary       no      no       None
node1  0          disabled      no      no       CF

root@srx> show chassis cluster information detail no-forwarding
<snip>
Configuration Synchronization:
    Status:
        Activation status: Enabled
        Last sync operation: Auto-Sync
        Last sync result: Failed
        Last sync mgd messages:
            mgd: cannot set internal IPSec SAcannot set internal IPSec SAcannot set internal IPSec SAcannot set internal IPSec SA
            mgd: cannot set internal IPSec SAcannot set internal IPSec SAcannot set internal IPSec SAcannot set internal IPSec SA
            mgd: cannot set internal IPSec SAcannot set internal IPSec SAcannot set internal IPSec SAcannot set internal IPSec SA
            mgd: cannot set internal IPSec SAcannot set internal IPSec SAcannot set internal IPSec SAcannot set internal IPSec SA
            mgd: error: Could not obtain configuration file from the other RE

In the 17.4 code train or later, when SRX Branch or vSRX devices are in FIPS mode, chassis clustering cannot be enabled at all: attempts to use 'set chassis cluster' are prevented.
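An added check (not part of the KB article or Juniper's own tooling) that parses captured 'show chassis cluster status' output and the mgd sync messages quoted above, so the CF-disabled node and the internal IPsec SA error can be flagged automatically before anyone spends time re-committing configuration. The sample text is constructed from the output quoted in this article; how the text is captured (SSH, PyEZ, syslog) is left to the caller.

```python
import re

# Constructed sample, copied from the CLI output quoted in this article.
STATUS_OUTPUT = """\
Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  100        primary       no      no       None
node1  0          disabled      no      no       CF
"""

# Constructed sample of the 'Last sync mgd messages' block.
MGD_MESSAGES = """\
mgd: cannot set internal IPSec SAcannot set internal IPSec SA
mgd: error: Could not obtain configuration file from the other RE
"""

RG_RE = re.compile(r"^Redundancy group:\s*(\d+)")
# node, priority, status, preempt, manual, monitor-failures
NODE_RE = re.compile(r"^(node\d)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_cluster_status(text):
    """Return (rg, node, status, [failure codes]) for every node row."""
    rows, rg = [], None
    for line in text.splitlines():
        m = RG_RE.match(line)
        if m:
            rg = int(m.group(1))
            continue
        m = NODE_RE.match(line)
        if m and rg is not None:
            node, _prio, status, _pre, _man, failures = m.groups()
            codes = [] if failures == "None" else failures.split(",")
            rows.append((rg, node, status, codes))
    return rows


def fips_cluster_symptom(status_text, mgd_text):
    """True when a node is 'disabled' with a CF (Config Sync) failure and
    mgd reports the internal IPsec SA error described in the article."""
    cf_disabled = any(status == "disabled" and "CF" in codes
                      for _rg, _node, status, codes in parse_cluster_status(status_text))
    sa_error = "cannot set internal IPSec SA" in mgd_text
    return cf_disabled and sa_error
```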

Cause:

Chassis clustering is currently not supported on SRX Branch and vSRX platforms while they are in FIPS mode.
Chassis cluster in FIPS mode is fully supported on SRX high-end platforms.

Solution:

If you plan to use SRX Branch or vSRX platforms in FIPS mode, deploy them as stand-alone devices. If chassis cluster (high availability) is required on SRX platforms in FIPS mode, consider deploying SRX high-end platforms instead.

Modification History:
2019-06-02: Related link added.