
[SRX] IP monitoring packet is not sent out on RG+ secondary without secondary-ip-address configured



Article ID: KB34196 | KB Last Updated: 08 May 2019 | Version: 1.0

This article explains why, when secondary-ip-address is NOT configured in IP monitoring, the IP monitoring packet is not sent out on the RG+ secondary node.


According to Example: Configuring IP Monitoring on SRX Series Devices, it is typical to configure a secondary IP address in IP-monitoring such that the secondary IP address is used to send ICMP packets from the secondary node to check the reachability of the monitored IP.

Below is a configuration example with interface and secondary-ip-address configured:

user@host# set chassis cluster redundancy-group 1 ip-monitoring family inet weight 80
user@host# set chassis cluster redundancy-group 1 ip-monitoring family inet interface reth0.0 secondary-ip-address

In the case when IP monitoring is configured without secondary-ip-address and interface:

redundancy-group 1 {
    node 0 priority 200;
    node 1 priority 100;
    ip-monitoring {
        family {
            inet {
                weight 255;  <-- No secondary-ip-address configured

A warning mentioning 'limited monitoring functionality' is shown when the configuration change is committed.

[edit chassis cluster redundancy-group 1 ip-monitoring family inet]
    Warning: interface option is not configured. You might get limited monitoring functionality

When the monitored IP " " is not reachable from the secondary node (Node1) of RG1, IP monitoring does not trigger an RG1 failover and the priority of Node1 remains 100.

root@srx# run show chassis cluster status    
Redundancy group: 1 , Failover count: 1
    node0                   200         primary        no       no  
    node1                   100         secondary      no       no 

This is because IP monitoring does not work on the secondary node when no interface and secondary-ip-address are configured. This is the "limited monitoring functionality" mentioned in the warning shown at commit time. Hence, to enable IP monitoring on the secondary node, it is necessary to configure secondary-ip-address.

When no secondary-ip-address is configured, it is not possible to tell whether the target IP is reachable or not. The example below is taken from the vty CLI on the RG1+ secondary node. Even if the monitored IP is reachable and the Rx count is increasing, the IP monitoring packet is not sent out.

[flowd]FPC6.PIC0(vty)# sh usp ha ip-mon status    
Monitored IPs
Index: 0
        IP: (len: 4), ver: 1, Status: reachable ---> Status remains reachable
        ICMP Tx count: 56842, Rx count: 56842, Seq Num: 336 ---> Rx continues increasing
        Gateway IP: (len: 4)
        Secondary IP: (len: 4), Changed: Yes
        Interval: 1, threshold: 5
        Routing-table: 0
        Secondary ifl idx: 0
        Secondary mac addr: 00:00:00:00:00:00/48
        Reth info count: 0
        RG State: Master
        Failure reason: 0
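
An added example, not part of the original article or Juniper tooling: a Python audit that scans `show configuration | display set` output and reports monitored IPs that have no `interface ... secondary-ip-address` statement, the condition behind the commit warning described above. The sample configuration and its 192.0.2.x addresses are constructed, and the statement layout (monitored address directly after `family inet`) is an assumption of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample ("display set" form); 192.0.2.x addresses are placeholders.
SAMPLE_CONFIG = """\
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 ip-monitoring family inet 192.0.2.1 weight 255
set chassis cluster redundancy-group 2 node 0 priority 200
set chassis cluster redundancy-group 2 ip-monitoring family inet 192.0.2.9 weight 80
set chassis cluster redundancy-group 2 ip-monitoring family inet 192.0.2.9 interface reth0.0 secondary-ip-address 192.0.2.10
"""

# Assumed layout: the monitored address follows "family inet".
IPMON = re.compile(
    r"^set chassis cluster redundancy-group (\d+) "
    r"ip-monitoring family inet (\S+)\s*(.*)$"
)


def has_value(tokens, keyword):
    """True if keyword is present and followed by a value token."""
    return keyword in tokens and tokens.index(keyword) + 1 < len(tokens)


def audit_ip_monitoring(config_text):
    """Map each redundancy group to monitored IPs that lack an
    'interface <reth> secondary-ip-address <addr>' statement."""
    state = defaultdict(dict)  # rg -> {monitored_ip: complete?}
    for line in config_text.splitlines():
        m = IPMON.match(line.strip())
        if not m:
            continue
        rg, target, rest = int(m.group(1)), m.group(2), m.group(3).split()
        complete = has_value(rest, "interface") and has_value(rest, "secondary-ip-address")
        state[rg][target] = state[rg].get(target, False) or complete
    findings = {}
    for rg, targets in state.items():
        missing = sorted(ip for ip, ok in targets.items() if not ok)
        if missing:
            findings[rg] = missing
    return findings


if __name__ == "__main__":
    for rg, ips in sorted(audit_ip_monitoring(SAMPLE_CONFIG).items()):
        print(f"RG{rg}: no secondary-ip-address for {', '.join(ips)}; "
              "the secondary node will not send IP monitoring probes")
```
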