SRX Cluster Active/Active Control Plane

  • 1.  SRX Cluster Active/Active Control Plane

    Posted 04-21-2021 07:31

    Is it possible to configure an Active/Active control plane across an SRX chassis cluster?

    I have two nodes in an HA cluster, node 0 (primary) and node 1 (secondary), inside redundancy group 0 for the control plane. In the configuration, I have two ISP connections, one of which terminates on node 0 and the other on node 1. Additionally, I have two IPsec VPNs, one of which uses the node 0 ISP external interface and the other the node 1 ISP external interface, with BGP used for the routing over the tunnels. (This is all working.)

    However, a scenario occurs where node 0 fails, e.g. power loss. Now RG0 (control plane) must fail over to node 1, which works; however, all routing is lost and must re-converge on node 1. This means BGP for both IPsec tunnels must re-converge, making the redundant tunnels useless.

    Is there a way the secondary node can have an active control plane or some method of being routing-table aware, or am I better off just having two independent firewalls?


  • 2.  RE: SRX Cluster Active/Active Control Plane

    Posted 05-05-2021 16:24
    Hello Jack,

    It depends upon whether you are terminating the ISPs on the individual interfaces or reth interfaces.
    i.e. Are your ISP interfaces configured as "set interfaces ge-0/0/0.0 family inet address <>" or "set interfaces reth0.0 family inet address <>"?

    The individual interfaces' sessions are not maintained if that particular interface goes down. Whereas reth sessions are maintained on both nodes.

    If you are not using reth interfaces yet, you can do the following:

    1. Terminate your ISPs on the switches (if possible).
    2. Configure reth interfaces for each one (say reth1 for ISP-1 and reth2 for ISP-2).
    3. Put these two reths in 2 different RGs (say reth1 in RG-1 and reth2 in RG-2).
    4. Make node-0 primary in RG-1 and node-1 primary in RG-2.

    With this configuration, your Node-1 will take over from where the node-0 stopped. Hence there should not be a complete outage.

    Further, use 'graceful-restart' in protocols to ensure that the PFE (forwarding plane) holds the routes for 5 minutes while the RE is still converging the protocols.

    Hopefully this helps!
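
Added example (not part of the replies in this thread): a sketch of steps 2 to 4 and the graceful-restart suggestion from the reply above as Junos set commands. The member interface names (ge-0/0/x on node 0, ge-5/0/x on node 1; the node 1 slot offset depends on the SRX model), the addresses (documentation ranges) and the interface-monitor lines are assumptions; security zone and IKE gateway external-interface bindings for the reth units are left out.

```junos
# Added example with constructed values; adapt names and addresses.
# reth interfaces are numbered from reth0, so reth1 and reth2 need a
# reth-count of at least 3.
set chassis cluster reth-count 3

# Steps 3 and 4: RG1 prefers node 0, RG2 prefers node 1.
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 2 node 0 priority 100
set chassis cluster redundancy-group 2 node 1 priority 200

# Step 2: reth1 carries ISP-1, with one member link on each node.
set interfaces ge-0/0/1 gigether-options redundant-parent reth1
set interfaces ge-5/0/1 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 192.0.2.2/30

# reth2 carries ISP-2, again with one member link on each node.
set interfaces ge-0/0/2 gigether-options redundant-parent reth2
set interfaces ge-5/0/2 gigether-options redundant-parent reth2
set interfaces reth2 redundant-ether-options redundancy-group 2
set interfaces reth2 unit 0 family inet address 198.51.100.2/30

# Assumption, not from the thread: monitor the member link on each RG's
# preferred node so that a link failure also moves that RG to the peer.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255
set chassis cluster redundancy-group 2 interface-monitor ge-5/0/2 weight 255

# Graceful restart, enabled globally for the routing protocols.
set routing-options graceful-restart
```

After commit, `show chassis cluster status` shows which node is primary for each redundancy group, which is the first thing to check before and after a failover test.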


  • 3.  RE: SRX Cluster Active/Active Control Plane

    Posted 05-06-2021 14:40
    If you do want to connect your two ISPs directly to the active/passive cluster, there is an example of this configuration starting on page 19
    Use of non-reth interfaces with dual ISP

    The other standard deployment options are also covered in this guide.

    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)