This article provides a reference for disabling the control port in a chassis cluster on SRX TVP platforms (SRX1500, SRX4100, SRX4200, SRX4600, and all variants of vSRX).
The following two cases call for physical disconnection of the control link port in a chassis cluster environment:
- Upgrading a chassis cluster where ICU/ISSU is not supported, with minimal downtime
- Isolating one node from the other when the SRX chassis cluster is in a bad state
What if there is no technical resource on site to physically disconnect the control port?
To disable the control link on TVP platforms, perform the following steps:
- Log in to the Windriver Linux shell from the Unix shell by using the following commands:
>start shell
root@% ssh -JU __juniper_private4__ 192.168.1.1
You will be asked to provide the root password for access.
Note: The error “ssh: connect to host 192.168.1.1 port 22: Can't assign requested address” may be displayed if the Windriver Linux shell is using another table name and internal IP address. To troubleshoot this error, find the table name and internal IP address as shown under Error below, and use them as the command parameters.
- Disable the control port from the Windriver Linux shell on node 0.
root@localhost:~# ifconfig eth1 down
{primary:node0}
root> show chassis cluster status
Redundancy group: 0 , Failover count: 1
node0 100 primary no no None
node1 0 lost n/a n/a n/a <<<<<<< Node 1 is lost after disabling the control port.
Redundancy group: 1 , Failover count: 3
node0 100 primary no no None
node1 0 lost n/a n/a n/a
- Even though the above command disables the control link, when node0 reboots, the control link will come up again and join the cluster because the ifconfig command is not persistent.
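A check for the state shown in the status output above, as an added example that is not part of the original article: it parses captured show chassis cluster status text and lists any redundancy group where the peer is not lost, which also catches a node that rejoined after a reboot. The function names and the REJOINED sample are constructed for illustration, and the pass criterion (local node primary, peer lost) is taken from the output on this page.

```python
import re

# Constructed samples. ISOLATED mirrors the status output on this page after
# `ifconfig eth1 down`; REJOINED is an assumed post-reboot state for contrast.
ISOLATED = """\
Redundancy group: 0 , Failover count: 1
node0 100 primary no no None
node1 0 lost n/a n/a n/a
Redundancy group: 1 , Failover count: 3
node0 100 primary no no None
node1 0 lost n/a n/a n/a
"""
REJOINED = ISOLATED.replace("node1 0 lost n/a n/a n/a",
                            "node1 1 secondary no no None")

RG_RE = re.compile(r"^Redundancy group:\s*(\d+)\s*,")
NODE_RE = re.compile(r"^(node\d)\s+\d+\s+(\S+)")


def parse_cluster_status(text):
    """Map each redundancy group id to {node name: status}."""
    groups, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        rg = RG_RE.match(line)
        if rg:
            current = groups.setdefault(int(rg.group(1)), {})
            continue
        node = NODE_RE.match(line)
        if node and current is not None:
            current[node.group(1)] = node.group(2)
    return groups


def not_isolated(text, local="node0", peer="node1"):
    """Return (rg, local_status, peer_status) for every redundancy group that
    does not match the page's isolated state: local primary, peer lost."""
    groups = parse_cluster_status(text)
    if not groups:
        raise ValueError("no redundancy groups found in the captured output")
    return [(rg, nodes.get(local), nodes.get(peer))
            for rg, nodes in sorted(groups.items())
            if nodes.get(local) != "primary" or nodes.get(peer) != "lost"]


if __name__ == "__main__":
    for name, sample in (("isolated", ISOLATED), ("rejoined", REJOINED)):
        print(name, not_isolated(sample) or "peer lost in all groups")
```

An empty result means every redundancy group shows the peer as lost; running the check again after any reboot of the node shows whether the control link came back.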
Note: Before isolating nodes, make sure that you disable the revenue ports on the node that you want to isolate. To do this, and to disable the TCP SYN check, disable preempt for all RG1+, and delete interface-monitor and ip-monitoring, perform the following steps:
- Disable all physical interfaces for transit traffic on node1 (secondary node).
set interfaces xe-12/0/0 disable
set interfaces xe-12/3/0 disable
- Disable TCP SYN check and sequence check.
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check
- Disable preempt for all RG1+.
delete chassis cluster redundancy-group 1 preempt
- Delete all interface-monitor and ip-monitoring.
delete chassis cluster redundancy-group 1 interface-monitor
delete chassis cluster redundancy-group 1 ip-monitoring
- Commit the configuration.
commit
Error
% ssh -JU __juniper_private4__ 192.168.1.1
ssh: connect to host 192.168.1.1 port 22: Can't assign requested address
{primary:node0}
root>show route private
__juniper_private1__.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.0.0.1/32 *[Direct/0] 22:00:50
> via lo0.16385
labroot> start shell
% ssh -JU __juniper_private1__ root@10.0.0.1