This article provides a reference for disabling the control port in a chassis cluster on SRX TVP platforms (SRX1500, SRX4100, SRX4200, SRX4600, and all variants of vSRX).

Below are two cases that suggest physical disconnection of the control link port in a chassis cluster environment.

• Upgrading a chassis cluster where ICU/ISSU is not supported, with minimal down time

• Need to isolate one node from the other when the SRX chassis cluster is in bad state

What if there is no technical resource on site to physically disconnect the control port?

To disable the control link on TVP platforms, perform the following steps:

1. Log in to the Windriver Linux shell from the Unix shell by using the following command:

Note: The error “ssh: connect to host 192.168.1.1 port 22: Can't assign requested address” may display if the Windriver Linux shell is using another table name and internal IP address. To troubleshoot this error, track the relevant information as described here and use the information to identify the right command parameters.

>start shell

2. Disable the control port from the Windriver Linux shell on node 0.

root@% ssh -JU __juniper_private4__ 192.168.1.1 

You will be asked to provide the root password for access.

root@localhost:~# ifconfig eth1 down
{primary:node0}
root> show chassis cluster status
 
Redundancy group: 0 , Failover count: 1
node0  100      primary        no      no       None          
node1  0        lost           n/a     n/a      n/a    <<<<<<< Node 1 is lost after disabling the control port.
 
Redundancy group: 1 , Failover count: 3
node0  100      primary        no      no       None          
node1  0        lost           n/a     n/a      n/a           

3. Even though the above command disables the control link, when node0 reboots, the control link will come up again and join the cluster because the ifconfig command is not persistent.

Note: Before isolating nodes, make sure that you disable the revenue ports on the node that you want to isolate. To disable TCP SYN, preempt for all RG1+, and delete interface-monitor and ip-monitoring, perform the following steps:

1. Disable all physical interfaces for transit traffic on node1 (secondary node).

   set interfaces xe-12/0/0 disable
   set interfaces xe-12/3/0 disable

2. Disable TCP SYN check and sequence check.

   set security flow tcp-session no-syn-check
   set security flow tcp-session no-sequence-check

3. Disable preempt for all RG1+.

   delete chassis cluster redundancy-group 1 preempt

4. Delete all interface-monitor and ip-monitoring.

   delete chassis cluster redundancy-group 1 interface-monitor
   delete chassis cluster redundancy-group 1 ip-monitoring

5. Commit the configuration.

   commit

Error

• If you get the following error while accessing the Windriver Linux shell:

% ssh -JU __juniper_private4__ 192.168.1.1
ssh: connect to host 192.168.1.1 port 22: Can't assign requested address

• Issue the following command and track the table name and the internal IP address:

{primary:node0}

root>show route private
 
__juniper_private1__.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
 
10.0.0.1/32        *[Direct/0] 22:00:50
                    >  via lo0.16385
 
labroot> start shell
% ssh -JU __juniper_private1__ root@10.0.0.1