[j-nsp] Juniper SRX 240 Clustering

Bikash Bhattarai bikash at dristi.com.np
Sat Nov 24 12:43:47 EST 2012


Dear all,

I have just configured two SRX 240s in a cluster. One firewall is working
as primary and the other as secondary. When the primary router's WAN
interface fails, the secondary router becomes primary. But after the fail-over
the network becomes unreachable, even from the LAN side.

I have attached the whole configuration. I have configured it as per the Juniper
documentation. It would be very helpful if anyone could point out what I am
missing.

Regards,
Bikash Bhattarai | Dristi Tech (P.) Ltd | +977 9851039710 |
www.dristi.com.np
Lazimpat, Kathmandu | Tel 977 1 4427949 | Fax 977 1 4410385

 

version 11.2R4.3;
/*
 * Per-node settings, selected by apply-groups below. Each node gets its
 * own host-name and its own fxp0 (dedicated management port) address on
 * 10.127.1.0/24. Only node0 enables web-management in its group; node1
 * relies on the global system{} stanza.
 */
groups {
    node0 {
        system {
            host-name HOST-SRX240-1;
            services {
                web-management {
                    /*
                     * Plain-text http carries no interface restriction here,
                     * unlike https, which is bound to fxp0.0 only -- confirm
                     * it is reachable only where intended.
                     */
                    http;
                    https {
                        interface fxp0.0;
                    }
                }
            }
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.127.1.1/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name HOST-SRX240-2;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.127.1.2/24;
                    }
                }
            }
        }
    }
}
/* Activate the node-specific groups defined above. */
apply-groups [ node0 node1 ];
/*
 * Global system settings shared by both cluster nodes.
 */
system {
    root-authentication {
        encrypted-password "------------------"; ## SECRET-DATA
    }
    /* External public resolvers; DNS queries leave via the default route. */
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        /*
         * telnet and xnm-clear-text carry credentials and configuration in
         * the clear. The trust and wlink-L3 zones further down allow all
         * system-services on reth1.0 and reth0.0, so these services are
         * reachable from the LAN and from the WAN link; ssh (and xnm-ssl)
         * cover the same needs encrypted.
         */
        telnet;
        xnm-clear-text;
        web-management {
            http {
                /*
                 * vlan.0 is not defined under interfaces{} in this
                 * configuration; presumably a factory-default leftover.
                 */
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                /* The management UI is also bound to reth0.0, the WAN-side link. */
                interface [ vlan.0 reth0.0 reth1.0 ];
            }
        }
        /*
         * DHCP server for 192.168.1.0/24. No interface in this configuration
         * carries a 192.168.1.x address and ge-0/0/0 is not configured, so
         * this looks like factory-default state rather than something the
         * LAN (192.168.90.0/24 on reth1) uses -- confirm before keeping it.
         */
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    /*
     * Logging is local only; no remote syslog host is configured. The
     * messages file keeps 'any critical', which is probably above the
     * severity at which chassis-cluster redundancy-group state changes are
     * logged, so a failover may leave no trace here -- verify against the
     * logs of a test failover and lower the threshold or add a remote host
     * if events are missing.
     */
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
/*
 * Chassis-cluster definition. reth-count 10 reserves reth0..reth9; only
 * reth0 and reth1 are defined under interfaces{}.
 */
chassis {
    cluster {
        control-link-recovery;
        reth-count 10;
        node 0;
        /* RG0 (routing engines): node0 preferred; no preempt is configured. */
        redundancy-group 0 {
            node 1 priority 99;
            node 0 priority 100;
        }
        /*
         * RG1 carries both reth0 (WAN) and reth1 (LAN), so they fail over
         * together. Every monitored link has weight 255, which equals the
         * default failover threshold: a single monitored link going down on
         * the primary zeroes its RG1 priority and moves RG1 to the other node.
         * With preempt, RG1 moves back to node0 as soon as its link recovers,
         * so one WAN flap produces two transitions, not one. Either transition
         * only works if ge-5/0/3 and ge-5/0/4 are cabled into the same L2
         * segments as ge-0/0/3 and ge-0/0/4 -- confirm with
         * 'show chassis cluster interfaces' and 'show chassis cluster status'
         * during a test failover.
         */
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 99;
            preempt;
            interface-monitor {
                ge-0/0/3 weight 255;
                ge-5/0/3 weight 255;
                ge-0/0/4 weight 255;
                ge-5/0/4 weight 255;
            }
        }
    }
}
/*
 * Physical ports: ge-0/0/x belong to node0, ge-5/0/x to node1. The
 * redundant-parent pairs below form reth0 (WAN) and reth1 (LAN).
 */
interfaces {
    /* node0 child of reth0 (WAN side). */
    ge-0/0/3 {
        gigether-options {
            auto-negotiation;
            redundant-parent reth0;
        }
    }
    /* node0 child of reth1 (LAN side). */
    ge-0/0/4 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    /*
     * ge-0/0/5 .. ge-0/0/15: family inet with no address and no zone
     * membership, i.e. unused -- presumably factory-default leftovers.
     */
    ge-0/0/5 {
        unit 0 {
            family inet;
        }
    }
    ge-0/0/6 {
        unit 0 {
            family inet;
        }
    }
    ge-0/0/7 {
        unit 0 {
            family inet;
        }
    }
    ge-0/0/8 {
        unit 0 {
            family inet;
        }
    }
    ge-0/0/9 {
        unit 0 {
            family inet;
        }
    }
    ge-0/0/10 {
        unit 0 {
            family inet;
        }
    }
    ge-0/0/11 {
        unit 0 {
            family inet;
        }
    }
    ge-0/0/12 {
        unit 0 {
            family inet;
        }
    }
    ge-0/0/13 {
        unit 0 {
            family inet;
        }
    }
    ge-0/0/14 {
        unit 0 {
            family inet;
        }
    }
    ge-0/0/15 {
        unit 0 {
            family inet;
        }
    }
    /* node1 child of reth0 (WAN side). */
    ge-5/0/3 {
        gigether-options {
            auto-negotiation;
            redundant-parent reth0;
        }
    }
    /* node1 child of reth1 (LAN side). */
    ge-5/0/4 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    /* Data-fabric links between the two nodes. */
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-5/0/2;
            }
        }
    }
    /*
     * WAN-facing redundant interface in RG1. 10.10.90.2 on this /29 is both
     * the default gateway (routing-options) and the IKE peer (security ike).
     */
    reth0 {
        description ****Test-Link****;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.10.90.1/29;
            }
        }
    }
    /* LAN-facing redundant interface in RG1 (HO-LAN, 192.168.90.0/24). */
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 192.168.90.1/24;
            }
        }
    }
    /* Route-based VPN tunnel interface bound by security ipsec vpn. */
    st0 {
        unit 0 {
            family inet;
        }
    }
}
/*
 * Default route via the reth0 /29 peer (which is also the IKE gateway);
 * the remote LAN is reached through the VPN tunnel interface st0.0.
 */
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.10.90.2;
        route 192.168.100.0/24 next-hop st0.0;
    }
}
/*
 * Spanning tree. No switched (ethernet-switching) ports appear in this
 * listing, so this presumably is a factory-default leftover with no effect.
 */
protocols {
    stp;
}
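/*
 * Security stanza: site-to-site VPN to 192.168.100.0/24, screens, NAT,
 * policies and zones. Two object references that did not match any
 * defined object (the Phase 1 proposal name and the IKE gateway name,
 * which is case-sensitive) are corrected here to the objects that exist.
 */
security {
    ike {
        /*
         * Phase 1: pre-shared key with 3DES / SHA-1 / DH group 2. These are
         * weak by current standards; AES (e.g. aes-256-cbc) and a larger DH
         * group (e.g. group14) are preferable where the peer supports them.
         */
        proposal IKE-Proposal-Phase1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        policy IKE-Policy1 {
            mode main;
            /* Must name the Phase 1 proposal defined above. */
            proposals IKE-Proposal-Phase1;
            pre-shared-key ascii-text "--------"; ## SECRET-DATA
        }
        /*
         * IKE terminates on reth0, so the IKE/IPsec SAs follow RG1 when the
         * redundancy group fails over.
         */
        gateway IKE-Gateway {
            ike-policy IKE-Policy1;
            address 10.10.90.2;
            local-identity inet 10.10.90.1;
            external-interface reth0;
        }
    }
    ipsec {
        /* Phase 2: 3DES / HMAC-SHA1-96, same remark on strength as Phase 1. */
        proposal ipsec-Phase2-Proposal {
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        /* No perfect-forward-secrecy is configured; consider enabling it. */
        policy ipsec-Policy {
            proposals ipsec-Phase2-Proposal;
        }
        vpn ipsec-VPN {
            bind-interface st0.0;
            ike {
                /* Must name the gateway defined above (identifiers are case-sensitive). */
                gateway IKE-Gateway;
                proxy-identity {
                    local 192.168.90.0/24;
                    remote 192.168.100.0/24;
                }
                ipsec-policy ipsec-Policy;
            }
            establish-tunnels immediately;
        }
    }
    /*
     * This screen is attached to zone untrust only. That zone holds no
     * interfaces in this configuration, so the screen currently protects
     * nothing; reth0.0 (the WAN link) sits in wlink-L3, which has no screen.
     */
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    /*
     * Interface source NAT from trust to untrust. Because reth0.0 is in
     * wlink-L3 rather than untrust, this rule does not match traffic leaving
     * via reth0 as configured -- unless this listing is incomplete.
     */
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        /*
         * Permit-any from trust to untrust. No policy exists from trust to
         * wlink-L3, where reth0.0 actually lives, so LAN traffic towards the
         * WAN link falls to the default policy (deny, unless a default-policy
         * permit-all not shown here is set). Confirm which zone reth0.0 is
         * meant to be in.
         */
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Site-to-site traffic is scoped to the two LAN address objects. */
        from-zone trust to-zone vpn {
            policy Trust-To-VPN {
                match {
                    source-address HO-LAN;
                    destination-address Remote-LAN;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy VPN-To-TRUST {
                match {
                    source-address Remote-LAN;
                    destination-address HO-LAN;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        /*
         * LAN zone on reth1.0. host-inbound-traffic 'all' for both
         * system-services and protocols means every management service
         * enabled under system services (including telnet and
         * xnm-clear-text) answers on the LAN.
         */
        security-zone trust {
            address-book {
                address HO-LAN 192.168.90.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth1.0;
            }
        }
        /* No interfaces; see the screen and policy remarks above. */
        security-zone untrust {
            screen untrust-screen;
        }
        /*
         * WAN link zone on reth0.0. The VPN only needs 'ike' here (plus 'ping'
         * if the link is monitored that way); 'all' also exposes telnet,
         * http/https, ssh and the rest to whatever is on the far end of the
         * link. Narrow this list to what is actually required.
         */
        security-zone wlink-L3 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                reth0.0;
            }
        }
        /* Tunnel zone; no host-inbound services are accepted here. */
        security-zone vpn {
            address-book {
                address Remote-LAN 192.168.100.0/24;
            }
            interfaces {
                st0.0;
            }
        }
    }
}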




