[j-nsp] SRX650 Failover Test Issue
Doug Hanks
dhanks at juniper.net
Wed Mar 23 12:11:15 EDT 2011
I recommend using a backup-router as well.
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Walaa Abdel razzak
Sent: Wednesday, March 23, 2011 1:19 AM
To: Michael Lee; EXT - plunin at senetsy.ru
Cc: juniper-nsp
Subject: Re: [j-nsp] SRX650 Failover Test Issue
Hi Michael
It is already configured in a group. Also, I was trying to telnet from a directly connected IP.
groups {
    node0 {
        system {
            host-name FW1;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 11.11.11.2/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name FW2;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 11.11.11.3/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
BR,
-----Original Message-----
From: Michael Lee [mailto:fwissue at gmail.com]
Sent: Wednesday, March 23, 2011 3:45 AM
To: Pavel Lunin
Cc: Walaa Abdel razzak; juniper-nsp
Subject: Re: [j-nsp] SRX650 Failover Test Issue
Sounds like the interface was not put into a group, and you should use the fxp0 IP instead
Regards
-mike
On Mar 22, 2011, at 12:05, Pavel Lunin <plunin at senetsy.ru> wrote:
>>
>> While testing the failover in SRX650 cluster. I have removed the
>> control link between the primary and secondary. The secondary node
>> went to ineligible mode. The secondary FW is still accessible through
>> OoB interface. When I returned back the control link I couldn't reach
>> the FW through OoB interface "ge-0/0/0". The only way to access the
>> box is through console and found the secondary firewall is in disable mode.
>> Then when I rebooted the whole firewall, it worked normally. Is it
>> normal? And how to reach the secondary firewall remotely in case of
>> control link flap? I have faced the same issue when removing the fab
>> link.
>>
>>
>>
> Looks like a routing issue. Try to check it out with "show route a.b.c.d"
> command, when you access the disabled box through the console port,
> where a.b.c.d is IP address of the machine, you are trying to get
> remote access from. Most probably it will show you something different
> from a route pointing through fxp0. If this is the case, you need to
> configure a backup router, which would make the disabled node (which
> does not run rpd) to route packets to the management station through fxp0.
>
> http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-system-basics/backup-router-configuring.html
>
> BTW, next time you want the public to guess the solution for your
> issue, try to be a bit more informative in providing basic
> troubleshooting details. E.g. instead of just saying "I couldn't reach
> the FW through OoB interface "ge-0/0/0"", it would've been better to say
> something like "I checked the whole path from my machine a.b.c.d/24 to
> the fxp0 interface of the node1, which has address w.x.y.z/24 and… I see
> the packets coming to the penultimate hop router, but the FW's fxp0
> interface, which is the next and last hop, does [not] respond to ARP
> requests… Then I tried to ping my machine back from the FW with "ping
> a.b.c.d interface fxp0", and got the following output… then I
> performed a traceroute… I checked what comes to the
> fxp0 interface with "monitor traffic interface fxp0" and saw…", etc.
>
> Otherwise, I'm afraid, this sort of gambling-style troubleshooting, in
> which you ask us to help you, will not be very effective anyway.
> Monte-Carlo is a good method but it's too slow in convergence.
>
> --
> Pavel
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
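
The backup-router suggestion made in this thread, applied to the node groups posted above. This is an added example, not configuration from any of the original messages: the gateway 11.11.11.1 on the fxp0 subnet and the management-station prefix 192.0.2.0/24 are assumed values.

```junos
groups {
    node0 {
        system {
            host-name FW1;
            /* assumed gateway on the fxp0 subnet and assumed management prefix */
            backup-router 11.11.11.1 destination 192.0.2.0/24;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 11.11.11.2/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name FW2;
            /* same assumed gateway and prefix for the second node */
            backup-router 11.11.11.1 destination 192.0.2.0/24;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 11.11.11.3/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
```

The destination lists only the management prefix, so the route installed through fxp0 covers management traffic and nothing else. On the node that is not running rpd, "show route a.b.c.d" from the console should then point at fxp0.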