SRX

Expand all | Collapse all

SRX300 HA pair is not up due to Config Sync

Jump to Best Answer
  • 1.  SRX300 HA pair is not up due to Config Sync

    Posted 08-01-2018 10:26

    All I want to do is enable simple HA cluster between two SRX 300. Their ge-0/0, 0/1, 0/2 are direct connected with ethernet.

     

    After enabling cluster id 1 it shows below:

     

    root@r0> show chassis cluster status

    Cluster ID: 1
    Node Priority Status Preempt Manual Monitor-failures

    Redundancy group: 0 , Failover count: 1
    node0 1 primary no no None
    node1 0 disabled no no CF

     

    Here's my config:

     

    {primary:node0}

    root@r0> show configuration
    ## Last commit: 2018-08-01 16:45:43 UTC by root
    version 15.1X49-D45;
    system {
    host-name r0;
    root-authentication {
    encrypted-password "$5$ByFRmSfA$8wCJ7PxMaB8Pt0kmA71B0fUcgFVdUKSd9Jjda0b.nw5"; ## SECRET-DATA
    }
    name-server {
    208.67.222.222;
    208.67.220.220;
    }
    services {
    ssh;
    telnet;
    xnm-clear-text;
    web-management {
    http {
    interface [ ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ];
    }
    https {
    system-generated-certificate;
    interface [ ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ];
    }
    }
    }
    syslog {
    archive size 100k files 3;
    user * {
    any emergency;
    }
    file messages {
    any critical;
    authorization info;
    }
    file interactive-commands {
    interactive-commands error;
    }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
    autoupdate {
    url https://ae1.juniper.net/junos/key_retrieval;
    }
    }
    }
    security {
    screen {
    ids-option untrust-screen {
    icmp {
    ping-death;
    }
    ip {
    source-route-option;
    tear-drop;
    }
    tcp {
    syn-flood {
    alarm-threshold 1024;
    attack-threshold 200;
    source-threshold 1024;
    destination-threshold 2048;
    timeout 20;
    }
    land;
    }
    }
    }
    nat {
    source {
    rule-set trust-to-untrust {
    from zone trust;
    to zone untrust;
    rule source-nat-rule {
    match {
    source-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    }
    policies {
    from-zone trust to-zone trust {
    policy trust-to-trust {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone trust to-zone untrust {
    policy trust-to-untrust {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    }
    zones {
    security-zone trust {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    ge-0/0/1.0;
    ge-0/0/2.0;
    ge-0/0/3.0;
    ge-0/0/4.0;
    ge-0/0/5.0;
    }
    }
    security-zone untrust {
    interfaces {
    ge-0/0/0.0 {
    host-inbound-traffic {
    system-services {
    dhcp;
    tftp;
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    }
    }
    interfaces {
    ge-0/0/0 {
    unit 0 {
    family inet {
    address 192.168.0.1/24;
    }
    }
    }
    ge-0/0/1 {
    unit 0 {
    family inet {
    address 192.168.1.1/24;
    }
    }
    }
    ge-0/0/2 {
    unit 0 {
    family inet {
    address 192.168.2.1/24;
    }
    }
    }
    ge-0/0/3 {
    unit 0 {
    family inet {
    address 192.168.3.1/24;
    }
    }
    }
    ge-0/0/4 {
    unit 0 {
    family inet {
    address 192.168.4.1/24;
    }
    }
    }
    ge-0/0/5 {
    unit 0 {
    family inet {
    address 192.168.5.1/24;
    }
    }
    }
    ge-0/0/6 {
    unit 0;
    }
    ge-0/0/7 {
    unit 0;
    }
    }

     

    {disabled:node1}
    root@r1> show configuration
    ## Last commit: 2018-08-01 16:34:59 UTC by root
    version 15.1X49-D45;
    system {
    host-name r1;
    root-authentication {
    encrypted-password "$5$l3fymI5B$OIZFWy7mskXFZTmcs4CLFMWK1zEd8GoYTBo.EAQsin."; ## SECRET-DATA
    }
    name-server {
    208.67.222.222;
    208.67.220.220;
    }
    services {
    ssh;
    telnet;
    xnm-clear-text;
    web-management {
    http {
    interface [ ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ];
    }
    https {
    system-generated-certificate;
    interface [ ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ];
    }
    }
    }
    syslog {
    archive size 100k files 3;
    user * {
    any emergency;
    }
    file messages {
    any critical;
    authorization info;
    }
    file interactive-commands {
    interactive-commands error;
    }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
    autoupdate {
    url https://ae1.juniper.net/junos/key_retrieval;
    }
    }
    }
    security {
    screen {
    ids-option untrust-screen {
    icmp {
    ping-death;
    }
    ip {
    source-route-option;
    tear-drop;
    }
    tcp {
    syn-flood {
    alarm-threshold 1024;
    attack-threshold 200;
    source-threshold 1024;
    destination-threshold 2048;
    timeout 20;
    }
    land;
    }
    }
    }
    nat {
    source {
    rule-set trust-to-untrust {
    from zone trust;
    to zone untrust;
    rule source-nat-rule {
    match {
    source-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    }
    policies {
    from-zone trust to-zone trust {
    policy trust-to-trust {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone trust to-zone untrust {
    policy trust-to-untrust {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    }
    zones {
    security-zone trust {
    host-inbound-traffic {
    system-services {
    all;
    }
    protocols {
    all;
    }
    }
    interfaces {
    ge-0/0/1.0;
    ge-0/0/2.0;
    ge-0/0/3.0;
    ge-0/0/4.0;
    ge-0/0/5.0;
    }
    }
    security-zone untrust {
    interfaces {
    ge-0/0/0.0 {
    host-inbound-traffic {
    system-services {
    dhcp;
    tftp;
    all;
    }
    protocols {
    all;
    }
    }
    }
    }
    }
    }
    }
    interfaces {
    ge-0/0/0 {
    unit 0 {
    family inet {
    address 192.168.0.2/24;
    }
    }
    }
    ge-0/0/1 {
    unit 0 {
    family inet {
    address 192.168.1.2/24;
    }
    }
    }
    ge-0/0/2 {
    unit 0 {
    family inet {
    address 192.168.2.2/24;
    }
    }
    }
    ge-0/0/3 {
    unit 0 {
    family inet {
    address 192.168.3.1/24;
    }
    }
    }
    ge-0/0/4 {
    unit 0 {
    family inet {
    address 192.168.4.1/24;
    }
    }
    }
    ge-0/0/5 {
    unit 0 {
    family inet {
    address 192.168.5.1/24;
    }
    }
    }
    ge-0/0/6 {
    unit 0;
    }
    ge-0/0/7 {
    unit 0;
    }
    }



  • 2.  RE: SRX300 HA pair is not up due to Config Sync

    Posted 08-01-2018 11:13

    Before doing anything, I will highly recommend you to upgrade both firewalls to Junos 15.1X49-D140 as the D45 release is *very* buggy.  After doing the upgrade, please look at https://kb.juniper.net/InfoCenter/index?page=content&id=KB21312&actp=METADATA which describes what is needed to be done.

     

    From what I can see you are missing redundancy-groups and fabric link configuration to get things working.



  • 3.  RE: SRX300 HA pair is not up due to Config Sync

    Posted 08-01-2018 11:31

    Hi

    it looks like your systems are not configured for clustering yet.

    I do not see configuration for interfaces fab0 and fab1

    And I see standard (revenue) port configuration for interfaces ge-0/0/0 on both cluster memebers.

     

    Check the following link for proper configuration:

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-verification.html

     

    Pay special attention to notes for SRX300.

     

    Regards

    Leon Smirnov

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 4.  RE: SRX300 HA pair is not up due to Config Sync

    Posted 08-01-2018 19:36

    Hi,

    You may need to reconfigure both nodes. Apply below mentioned config on both nodes and reboot the disabled node1 and check the cluster status. If node1 joins cluster successfully, you can proceed with remaining cluster config like node specific configuration, redundancy group, fabric link, etc ( Refer https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-verification.html)

    node0:
    +++++++
    delete system services http interface ge-0/0/1.0
    delete system services http interface ge-0/0/2.0
    delete system services https interface ge-0/0/1.0
    delete system services https interface ge-0/0/2.0
    delete security zones security-zone trust interfaces ge-0/0/1.0
    delete security zones security-zone trust interfaces ge-0/0/2.0
    delete security zones security-zone untrust interfaces ge-0/0/0.0
    delete interfaces ge-0/0/0
    delete interfaces ge-0/0/1
    delete interfaces ge-0/0/2

    node1:
    +++++++
    delete system services http interface ge-0/0/1.0
    delete system services http interface ge-0/0/2.0
    delete system services https interface ge-0/0/1.0
    delete system services https interface ge-0/0/2.0
    delete security zones security-zone trust interfaces ge-0/0/1.0
    delete security zones security-zone trust interfaces ge-0/0/2.0
    delete security zones security-zone untrust interfaces ge-0/0/0.0
    delete interfaces ge-0/0/0
    delete interfaces ge-0/0/1
    delete interfaces ge-0/0/2

    request system reboot



  • 5.  RE: SRX300 HA pair is not up due to Config Sync
    Best Answer

    Posted 08-02-2018 14:08

    Thanks you guys very much for all of suggestions. It was a test lab with default configuration. Is CF error genuine first time right after enabling cluster? Anyways, turns out wiping out entire config followed by enabling cluster worked. Juniper website guide suggests to enable cluster mode then check status, this is where it is supposed to show primary and secondary nodes but instead my secondary node is disabled. Configuring control and fab link. It wont let me commit it anything forward to this CF bit.



  • 6.  RE: SRX300 HA pair is not up due to Config Sync

    Posted 08-02-2018 14:13

    However, suggestion by Nelikka works as well. Also thanks for the suggestion to upgrade firewalls by Jonashauge. Deleting entire config leaving root-auth password worked for me in first place. I will proceed with the rest of config guide.