SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Is it a true cluster? SRX-220

    Posted 03-01-2017 01:55

    Good day everybody.

    I have an issue with a cluster of SRX220s.

    I've built the cluster step by step based on https://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/NT260/SRX_HA_Deployment_Guide.pdf

    I have SSH sessions on a reth.

    So when I fail over the data plane on the primary node:

    request chassis cluster failover redundancy-group 1 node 0

    The data plane moves to the second node. The SSH session (on reth2, which belongs to redundancy group 1) stays alive and I can keep working with the device through it.

    If I fail over the control plane between the nodes, the SSH sessions are interrupted. Sure, I can reconnect, but as I understand it the TCP sessions must stay alive on the second node (when the primary fails) without a disconnect.

    As I see it, the sessions are synchronized:

    Session ID: 24, Policy name: self-traffic-policy/1, State: Active, Timeout: 1364, Valid
      In: 192.168.1.100/5725 --> 192.168.1.200/22;tcp, If: reth2.0, Pkts: 1, Bytes: 40
      Out: 192.168.1.200/22 --> 192.168.1.100/5725;tcp, If: .local..0, Pkts: 1, Bytes: 40

    Session ID: 25, Policy name: self-traffic-policy/1, State: Active, Timeout: 1800, Valid
      In: 192.168.1.100/5727 --> 192.168.1.200/22;tcp, If: reth2.0, Pkts: 269, Bytes: 21272
      Out: 192.168.1.200/22 --> 192.168.1.100/5727;tcp, If: .local..0, Pkts: 289, Bytes: 40916
    Total sessions: 2

    node1:
    --------------------------------------------------------------------------

    Session ID: 13376, Policy name: self-traffic-policy/1, State: Backup, Timeout: 44, Valid
      In: 192.168.1.100/5725 --> 192.168.1.200/22;tcp, If: reth2.0, Pkts: 22, Bytes: 3856
      Out: 192.168.1.200/22 --> 192.168.1.100/5725;tcp, If: .local..0, Pkts: 20, Bytes: 4937

    Session ID: 13385, Policy name: self-traffic-policy/1, State: Backup, Timeout: 1332, Valid
      In: 192.168.1.100/5727 --> 192.168.1.200/22;tcp, If: reth2.0, Pkts: 228, Bytes: 17024
      Out: 192.168.1.200/22 --> 192.168.1.100/5727;tcp, If: .local..0, Pkts: 246, Bytes: 33177
    Total sessions: 2

    But if the physical interface on the primary node for the control plane (redundancy group 0) fails, or the node goes down, all TCP traffic is interrupted.

    To tell the truth, I don't care about SSH. But I want to create IPsec tunnels with OSPF inside on this reth. Will they break in the same way?

    Or am I doing something wrong?


    #ClusterSRXTCP


  • 2.  RE: Is it a true cluster? SRX-220
    Best Answer

    Posted 03-01-2017 02:05
    Hi trushchelev@vmcity.ru,

    If the control plane fails over, we do experience a flap.
    Any traffic involving ALGs, routing daemons etc. is restarted, as the daemons running on node 0 exit and are started on node 1 when the cluster fails over from node 0 to node 1.

    You could experience a flap when the failover happens.
    However, in my experience, a VPN flap is usually not seen because the time for the daemon to start is small.

    HTH


  • 4.  RE: Is it a true cluster? SRX-220

    Posted 03-01-2017 04:01

    Thanks snn and joses

    It's a pity that all the sessions will be reinitiated.

    In that way I can't see a big difference between a cluster and 2 SRXs with aggregated links. I mean I can build 2 SRXs with aggregated links and have 2 IPsec tunnels with balanced OSPF. So I can use ALL the control planes of each node. If one SRX fails, the recovery time is the OSPF timeout.

    So I do not see big benefits in the cluster design instead of 2 SRXs with aggregated links.

    Sure, if I have NAT or mapping, a cluster is better, but... I don't know. Somebody tell me, should I build a cluster?

    You know, I've always thought a cluster is the best solution. Was I wrong?

    P.S.

    I started testing the cluster 2 days ago and maybe there are a lot of things I don't know yet.


    P.P.S. Sorry, I pushed "Solved" in the wrong place.
    Thank you for the help.


  • 5.  RE: Is it a true cluster? SRX-220

    Posted 03-01-2017 04:08
    Hi trushchelev@vmcity.ru,

    I would still recommend having the cluster configured, as it gives you redundancy even though there may be a few drops.
    The services continue instead of being lost, as would happen if you only had a single box that went down.


  • 6.  RE: Is it a true cluster? SRX-220

    Posted 03-01-2017 04:21

    "The services continue instead of being lost in case you only have a single box which may have gone down."

    Yeah, it's true if I have one box. But I mean 2 boxes with aggregated links, connected to each other with OSPF.

    Among the services, only IPsec + OSPF.



  • 7.  RE: Is it a true cluster? SRX-220

    Posted 03-01-2017 04:48

    I've attached a scheme to make it clear.

     



  • 8.  RE: Is it a true cluster? SRX-220

    Posted 03-01-2017 02:06

    Hello,

    Your observation is correct: when RG-0 fails over, all the sessions (TCP/VPN/dynamic routing protocol) will be reinitiated.

    This happens only in the case of an RG-0 failover, which is the control plane. The data plane fails over seamlessly.
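As an added example (this script is the editor's, not code from the original poster or from Juniper, and it assumes nothing beyond the plain-text `show security flow session` format shown in the first post), here is a check that runs over the two session dumps pasted above and answers the question the thread turns on: does every Active session on the RG1 primary have a Backup copy on the other node, and which of those sessions terminate on the Routing Engine (the `.local..0` Out interface) and so will still reset on an RG0 failover, as posts 2 and 8 describe, even though the flow entry is in sync. Session IDs differ per node and the counters and timeouts on the Backup copy lag, so sessions are matched on the forward 5-tuple, not on ID or counters. The two pasted dumps are embedded as constants.

```python
"""Check SRX chassis-cluster session sync from per-node
`show security flow session` output (format as pasted in the thread)."""
import re
from dataclasses import dataclass

SESSION_RE = re.compile(
    r"Session ID: (?P<sid>\d+), Policy name: (?P<policy>\S+), "
    r"State: (?P<state>\w+), Timeout: (?P<timeout>\d+)"
)
WING_RE = re.compile(
    r"(?P<dir>In|Out): (?P<src>[\d.]+)/(?P<sport>\d+) --> "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+), If: (?P<ifl>\S+), "
    r"Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)"
)
# Sessions whose Out wing is this pseudo-interface terminate on the Routing
# Engine (ssh to the box, IKE, OSPF). The flow entry is synced to the backup
# PFE, but the daemon serving it runs only on the RG0 primary, so the session
# resets on an RG0 failover regardless of its sync state.
RE_LOCAL_IFL = ".local..0"


@dataclass(frozen=True)
class Session:
    sid: int
    policy: str
    state: str
    timeout: int
    key: tuple      # (proto, src, sport, dst, dport) of the In wing
    in_if: str
    out_if: str

    @property
    def re_bound(self):
        return self.out_if == RE_LOCAL_IFL


def _build(hdr, wings):
    if "In" not in wings:
        raise ValueError(f"session {hdr['sid']} has no In wing")
    i = wings["In"]
    return Session(
        sid=int(hdr["sid"]), policy=hdr["policy"], state=hdr["state"],
        timeout=int(hdr["timeout"]),
        key=(i["proto"], i["src"], int(i["sport"]), i["dst"], int(i["dport"])),
        in_if=i["ifl"], out_if=wings.get("Out", {}).get("ifl", ""),
    )


def parse_sessions(text):
    """Parse one node's output into Session records (node headers,
    'Total sessions' and blank lines are ignored)."""
    sessions, hdr, wings = [], None, {}
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            if hdr:
                sessions.append(_build(hdr, wings))
            hdr, wings = m.groupdict(), {}
            continue
        m = WING_RE.search(line)
        if m and hdr:
            wings[m["dir"]] = m.groupdict()
    if hdr:
        sessions.append(_build(hdr, wings))
    return sessions


def sync_report(primary_text, secondary_text):
    """'missing': Active on primary, no Backup on secondary (lost on RG1
    failover). 'orphan': stale Backup, ages out. 're_bound': synced but
    still reset by an RG0 (control-plane) failover."""
    active = {s.key: s for s in parse_sessions(primary_text) if s.state == "Active"}
    backup = {s.key: s for s in parse_sessions(secondary_text) if s.state == "Backup"}
    return {
        "synced": sorted(active.keys() & backup.keys()),
        "missing": sorted(active.keys() - backup.keys()),
        "orphan": sorted(backup.keys() - active.keys()),
        "re_bound": sorted(k for k, s in active.items() if s.re_bound),
    }


# The two dumps pasted in the first post, one string per node.
NODE0_OUTPUT = """\
Session ID: 24, Policy name: self-traffic-policy/1, State: Active, Timeout: 1364, Valid
  In: 192.168.1.100/5725 --> 192.168.1.200/22;tcp, If: reth2.0, Pkts: 1, Bytes: 40
  Out: 192.168.1.200/22 --> 192.168.1.100/5725;tcp, If: .local..0, Pkts: 1, Bytes: 40

Session ID: 25, Policy name: self-traffic-policy/1, State: Active, Timeout: 1800, Valid
  In: 192.168.1.100/5727 --> 192.168.1.200/22;tcp, If: reth2.0, Pkts: 269, Bytes: 21272
  Out: 192.168.1.200/22 --> 192.168.1.100/5727;tcp, If: .local..0, Pkts: 289, Bytes: 40916
Total sessions: 2
"""
NODE1_OUTPUT = """\
node1:
--------------------------------------------------------------------------

Session ID: 13376, Policy name: self-traffic-policy/1, State: Backup, Timeout: 44, Valid
  In: 192.168.1.100/5725 --> 192.168.1.200/22;tcp, If: reth2.0, Pkts: 22, Bytes: 3856
  Out: 192.168.1.200/22 --> 192.168.1.100/5725;tcp, If: .local..0, Pkts: 20, Bytes: 4937

Session ID: 13385, Policy name: self-traffic-policy/1, State: Backup, Timeout: 1332, Valid
  In: 192.168.1.100/5727 --> 192.168.1.200/22;tcp, If: reth2.0, Pkts: 228, Bytes: 17024
  Out: 192.168.1.200/22 --> 192.168.1.100/5727;tcp, If: .local..0, Pkts: 246, Bytes: 33177
Total sessions: 2
"""

if __name__ == "__main__":
    for name, keys in sync_report(NODE0_OUTPUT, NODE1_OUTPUT).items():
        print(name, len(keys), *(f"{k[1]}:{k[2]}->{k[3]}:{k[4]}/{k[0]}" for k in keys))
```

Run against the two dumps, every session comes back as both synced and RE-bound: exactly what the poster saw, where an RG1 failover preserved the SSH session but an RG0 failover reset it. Any session reported under `missing` would not survive even an RG1 failover and is worth chasing before relying on the cluster; IPsec and OSPF sessions will show up RE-bound just like SSH does.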