Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] Disabling control link on TVP platforms

0

0

Article ID: KB34922 KB Last Updated: 23 Sep 2019Version: 1.0
Summary:

This article provides a reference for disabling the control port in a chassis cluster on SRX TVP platforms (SRX1500, SRX4100, SRX4200, SRX4600, and all variants of vSRX).

Symptoms:

Below are two cases that suggest physical disconnection of the control link port in a chassis cluster environment.

  • Upgrading a chassis cluster where ICU/ISSU is not supported, with minimal down time

  • Need to isolate one node from the other when the SRX chassis cluster is in bad state

What if there is no technical resource on site to physically disconnect the control port?

Solution:

To disable the control link on TVP platforms, perform the following steps:

  1. Log in to the Windriver Linux shell from the Unix shell by using the following command:

Note: The error “ssh: connect to host 192.168.1.1 port 22: Can't assign requested address” may display if the Windriver Linux shell is using another table name and internal IP address. To troubleshoot this error, track the relevant information as described here and use the information to identify the right command parameters.

>start shell
  1. Disable the control port from the Windriver Linux shell on node 0.
root@% ssh -JU __juniper_private4__ 192.168.1.1 

You will be asked to provide the root password for access.

root@localhost:~# ifconfig eth1 down
{primary:node0}
root> show chassis cluster status
 
Redundancy group: 0 , Failover count: 1
node0  100      primary        no      no       None          
node1  0        lost           n/a     n/a      n/a    <<<<<<< Node 1 is lost after disabling the control port.
 
Redundancy group: 1 , Failover count: 3
node0  100      primary        no      no       None          
node1  0        lost           n/a     n/a      n/a           
  1. Even though the above command disables the control link, when node0 reboots, the control link will come up again and join the cluster because the ifconfig command is not persistent.

Note: Before isolating nodes, make sure that you disable the revenue ports on the node that you want to isolate. To disable TCP SYN, preempt for all RG1+, and delete interface-monitor and ip-monitoring, perform the following steps:

  1. Disable all physical interfaces for transit traffic on node1 (secondary node).
    set interfaces xe-12/0/0 disable
    set interfaces xe-12/3/0 disable
  2. Disable TCP SYN check and sequence check.

    set security flow tcp-session no-syn-check
    set security flow tcp-session no-sequence-check
  3. Disable preempt for all RG1+.

    delete chassis cluster redundancy-group 1 preempt
  4. Delete all interface-monitor and ip-monitoring.

    delete chassis cluster redundancy-group 1 interface-monitor
    delete chassis cluster redundancy-group 1 ip-monitoring
  5. Commit the configuration.

    commit

Error

  • If you get the following error while accessing the Windriver Linux shell:

% ssh -JU __juniper_private4__ 192.168.1.1
ssh: connect to host 192.168.1.1 port 22: Can't assign requested address
  • Issue the following command and track the table name and the internal IP address:

{primary:node0}
root>show route private
 
__juniper_private1__.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
 
10.0.0.1/32        *[Direct/0] 22:00:50
                    >  via lo0.16385
 
labroot> start shell
% ssh -JU __juniper_private1__ root@10.0.0.1

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search