Hello Jack,
It depends upon whether you are terminating the ISPs on the individual interfaces or reth interfaces.
i.e. are your ISP interfaces configured as "set interfaces ge-0/0/0.0 family inet address <>" or "set interfaces reth0.0 family inet address <>"?
The individual interfaces' sessions are not maintained if that particular interface goes down, whereas reth sessions are maintained on both nodes.
If you are not using reth interfaces yet, you can do the following:
1. Terminate your ISPs on the switches (if possible).
2. Configure reth interfaces for each one (say reth1 for ISP-1 & reth2 for ISP-2).
3. Put these two reths in 2 different RGs (say reth1 in RG-1 & reth2 in RG-2).
4. Make node-0 primary in RG-1 and node-1 primary in RG-2.
With this configuration, your Node-1 will take over from where the node-0 stopped. Hence there should not be a complete outage.
Further, use 'graceful-restart' in protocols to ensure that the PFE (Forwarding Plane) holds the routes for 5 minutes while the RE is still converging the protocols.
Hopefully this helps!
Thanks!
Original Message:
Sent: 04-21-2021 07:31
From: Jack
Subject: SRX Cluster Active/Active Control Plane
Hello,
Is it possible to configure an Active/Active control plane across an SRX chassis cluster?
I have two nodes in a HA cluster, node 0 (primary) and node 1 (secondary), inside redundancy group 0 for the control plane. On the configuration, I have two ISP connections, one of which terminates on node 0 and the other on node 1. Additionally, I have two IPsec VPNs, one of which uses the node 0 ISP external interface and the other the node 1 ISP external interface, with BGP used for the routing over the tunnels. (This is all working.)
However, the scenario occurs where node 0 fails, e.g. power loss. Now RG0 (control plane) must fail over to node 1, which works; however, all routing is lost and must re-converge on node 1. This means BGP for both IPsec tunnels must re-converge, making the redundant tunnels useless.
Is there a way the secondary node can have an Active Control plane/ some method of being routing table aware or am I better off just having two independent firewalls?
------------------------------
Jack
------------------------------
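The reth and redundancy-group layout from steps 2 to 4 of the reply, plus graceful restart, written out as Junos set commands. This is an added example, not configuration posted by either participant: the interface names, addresses, priorities and the zone name `untrust` are placeholders, and the interface-monitor lines go beyond what the reply lists.

```junos
# Added example. Placeholder values throughout; node 1's physical port
# numbering (ge-5/0/x here) depends on the SRX model.

# Two reth interfaces, one per ISP
set chassis cluster reth-count 2

# RG-1 primary on node 0, RG-2 primary on node 1 (higher priority wins)
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 2 node 0 priority 100
set chassis cluster redundancy-group 2 node 1 priority 200

# reth1 (ISP-1): one member link per node, both cabled to the ISP-1 switch
set interfaces ge-0/0/1 gigether-options redundant-parent reth1
set interfaces ge-5/0/1 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 192.0.2.2/30

# reth2 (ISP-2): same pattern, tied to RG-2
set interfaces ge-0/0/2 gigether-options redundant-parent reth2
set interfaces ge-5/0/2 gigether-options redundant-parent reth2
set interfaces reth2 redundant-ether-options redundancy-group 2
set interfaces reth2 unit 0 family inet address 198.51.100.2/30

# Not in the reply: fail an RG over when its member link on the
# primary node goes down (weight 255 exhausts the RG threshold)
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/1 weight 255
set chassis cluster redundancy-group 2 interface-monitor ge-0/0/2 weight 255
set chassis cluster redundancy-group 2 interface-monitor ge-5/0/2 weight 255

# reth units must belong to a security zone before they pass traffic
set security zones security-zone untrust interfaces reth1.0
set security zones security-zone untrust interfaces reth2.0

# Graceful restart: globally, and for the BGP sessions over the tunnels
set routing-options graceful-restart
set protocols bgp graceful-restart
```

After commit, `show chassis cluster status` shows which node is primary for each redundancy group and `show chassis cluster interfaces` shows the reth-to-RG mapping.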