SRX

All I want to do is enable simple HA cluster between two SRX 300. Their ge-0/0, 0/1, 0/2 are direct connected with ethernet.

After enabling cluster id 1 it shows below:

root@r0> show chassis cluster status

Cluster ID: 1
Node Priority Status Preempt Manual Monitor-failures

Redundancy group: 0 , Failover count: 1
node0 1 primary no no None
node1 0 disabled no no CF

Here's my config:

{primary:node0}

root@r0> show configuration
## Last commit: 2018-08-01 16:45:43 UTC by root
version 15.1X49-D45;
system {
host-name r0;
root-authentication {
encrypted-password "$5$ByFRmSfA$8wCJ7PxMaB8Pt0kmA71B0fUcgFVdUKSd9Jjda0b.nw5"; ## SECRET-DATA
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface [ ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ];
}
https {
system-generated-certificate;
interface [ ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ];
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/1.0;
ge-0/0/2.0;
ge-0/0/3.0;
ge-0/0/4.0;
ge-0/0/5.0;
}
}
security-zone untrust {
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
all;
}
protocols {
all;
}
}
}
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 192.168.0.1/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 192.168.2.1/24;
}
}
}
ge-0/0/3 {
unit 0 {
family inet {
address 192.168.3.1/24;
}
}
}
ge-0/0/4 {
unit 0 {
family inet {
address 192.168.4.1/24;
}
}
}
ge-0/0/5 {
unit 0 {
family inet {
address 192.168.5.1/24;
}
}
}
ge-0/0/6 {
unit 0;
}
ge-0/0/7 {
unit 0;
}
}

{disabled:node1}
root@r1> show configuration
## Last commit: 2018-08-01 16:34:59 UTC by root
version 15.1X49-D45;
system {
host-name r1;
root-authentication {
encrypted-password "$5$l3fymI5B$OIZFWy7mskXFZTmcs4CLFMWK1zEd8GoYTBo.EAQsin."; ## SECRET-DATA
}
name-server {
208.67.222.222;
208.67.220.220;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface [ ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ];
}
https {
system-generated-certificate;
interface [ ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ];
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/1.0;
ge-0/0/2.0;
ge-0/0/3.0;
ge-0/0/4.0;
ge-0/0/5.0;
}
}
security-zone untrust {
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
all;
}
protocols {
all;
}
}
}
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 192.168.0.2/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 192.168.1.2/24;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 192.168.2.2/24;
}
}
}
ge-0/0/3 {
unit 0 {
family inet {
address 192.168.3.1/24;
}
}
}
ge-0/0/4 {
unit 0 {
family inet {
address 192.168.4.1/24;
}
}
}
ge-0/0/5 {
unit 0 {
family inet {
address 192.168.5.1/24;
}
}
}
ge-0/0/6 {
unit 0;
}
ge-0/0/7 {
unit 0;
}
}

Before doing anything, I will highly recommend you to upgrade both firewalls to Junos 15.1X49-D140 as the D45 release is *very* buggy.  After doing the upgrade, please look at https://kb.juniper.net/InfoCenter/index?page=content&id=KB21312&actp=METADATA which describes what is needed to be done.

From what I can see you are missing redundancy-groups and fabric link configuration to get things working.

Hi

it looks like your systems are not configured for clustering yet.

I do not see configuration for interfaces fab0 and fab1

And I see standard (revenue) port configuration for interfaces ge-0/0/0 on both cluster memebers.

Check the following link for proper configuration:

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-verification.html

Pay special attention to notes for SRX300.

Regards

Leon Smirnov

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Hi,

You may need to reconfigure both nodes. Apply below mentioned config on both nodes and reboot the disabled node1 and check the cluster status. If node1 joins cluster successfully, you can proceed with remaining cluster config like node specific configuration, redundancy group, fabric link, etc ( Refer https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-verification.html)

node0:
+++++++
delete system services http interface ge-0/0/1.0
delete system services http interface ge-0/0/2.0
delete system services https interface ge-0/0/1.0
delete system services https interface ge-0/0/2.0
delete security zones security-zone trust interfaces ge-0/0/1.0
delete security zones security-zone trust interfaces ge-0/0/2.0
delete security zones security-zone untrust interfaces ge-0/0/0.0
delete interfaces ge-0/0/0
delete interfaces ge-0/0/1
delete interfaces ge-0/0/2

node1:
+++++++
delete system services http interface ge-0/0/1.0
delete system services http interface ge-0/0/2.0
delete system services https interface ge-0/0/1.0
delete system services https interface ge-0/0/2.0
delete security zones security-zone trust interfaces ge-0/0/1.0
delete security zones security-zone trust interfaces ge-0/0/2.0
delete security zones security-zone untrust interfaces ge-0/0/0.0
delete interfaces ge-0/0/0
delete interfaces ge-0/0/1
delete interfaces ge-0/0/2

request system reboot

Thanks you guys very much for all of suggestions. It was a test lab with default configuration. Is CF error genuine first time right after enabling cluster? Anyways, turns out wiping out entire config followed by enabling cluster worked. Juniper website guide suggests to enable cluster mode then check status, this is where it is supposed to show primary and secondary nodes but instead my secondary node is disabled. Configuring control and fab link. It wont let me commit it anything forward to this CF bit.

However, suggestion by Nelikka works as well. Also thanks for the suggestion to upgrade firewalls by Jonashauge. Deleting entire config leaving root-auth password worked for me in first place. I will proceed with the rest of config guide.