[j-nsp] SRX650 Failover Test Issue

Pavel Lunin plunin at senetsy.ru
Tue Mar 22 15:05:17 EDT 2011

> While testing the failover in SRX650 cluster. I have removed the control
> link between the primary and secondary. The secondary node went to
> ineligible mode. The secondry FW is still accessible through OoB
> interface. When I returned back the control link I couldn't reach the FW
> through OoB interface "ge-0/0/0". The only way to access the box is
> through console and found the secondary firewall is in disable mode.
> Then when I rebooted the whole firewall, it worked normally. Is it
> normal? And how to reach the secondary firewall remotely in case of
> control link flap? I have faced the same issue when removing the fab
> link.
Looks like a routing issue. Try to check it out with "show route a.b.c.d"
command, when you access the disabled box through the console port, where
a.b.c.d is IP address of the machine, you are trying to get remote access
form. Most probably it will show you something different from a route
pointing through fxp0. If this is the case, you need to configure a backup
router, which would make the disabled node (which does not run rpd) to route
packets to the management station through fxp0.


BTW, next time you want the public to guess the solution for your issue, try
to be a bit more informative in providing basic troubleshooting details. E.
g. instead of just saying "I couldn't reach the FW through OoB interface
"ge-0/0/0"", it would've been better to say something like "I checked the
whole path from my machine a.b.c.d/24 to the fxp0 interface of the node1,
which has address w.x.y.z/24 and… I see the packets coming to the
penultimate hop router, but the FW's fxp0 interface, which is the next and
last hop, does [not] respond to ARP requests… Than I tried to ping my
machine back from the FW with "ping a.b.c.d interface fxp0", and got the
following output… than I performed a traceroute… I checked what comes to the
fxp0 interface with "monitor traffic interface fxp0" and saw…", etc.

Otherwise, I'm afraid, this sort of gambling-style troubleshooting, in which
you ask us to help you, will not be much effective anyway. Monte-Carlo is a
good method but it's too slow in convergence.


More information about the juniper-nsp mailing list