SRX

Hi all,

i configured chassis in srx1500 firewalls.The management IP(fxp0) of node 0 is 172.16.10.1 and
the management IP(fxp0) of node 1 is 172.16.10.2.. my problem is as under.

1) First i want to ping both devices , but it doesn't ping.

2) Second is that i want to access these node individually from their respective ip address that i have assigned, but doesn't access remotely using ssh from those ips.

should i keeep these interfaces in trust zones and then configure it or any suggestion pls ........

HI Asif,

1). You do not need to configure the FXP interfaces in any zones.

2). You need to have system services ssh enabled on the devise.

3). You need to have backup-router configured for the secondary node pointing to the next hop connected devise.

4). You need to have the route on the primary node to the destination reachable through FXP0 interface.

Please check these things and the FXP0 interfaces should be reachable on both Ping and SSH.

Also please share the outputs of

Show configuration groups | display set

show route x.x.x.x (where x.x.x.x is the destination IP address)

regards,

Guru

Hi Asif,

The Primary node uses its own routing table to respond to to-the-box packets and Secondary node uses something called a backup router (since routing is not running on Secondary). 

On Primary node, you need static route to the subnet from where you are initiating Ping and SSH from (source).

For Secondary node, you need to have backup-router configured under [edit groups node <0/1>] system ] heirarchy. Since either node can be Secondary at different times, it is recommended to configre backup router for both nodes.

A few things to remember:

1) Both nodes fxp0 should be (best practice) in same subnet.

2) The same IP is used as next-hop on Primary and backup-router on Secondary.

Backup router config: https://kb.juniper.net/InfoCenter/index?page=content&id=KB15580&actp=search

Example: If you are managing from subnet 10.11.12.0/24 and if 172.16.10.254 is default gateway in management subent, then you will need following lines:

# set routing-options static route 10.11.12.0/24 next-hop 172.16.10.254

# set groups node0 system backup-router 172.16.10.254 destination 10.11.12.0/24

# set groups node1 system backup-router 172.16.10.254 destination 10.11.12.0/24

Thanks,

Srinath

# If this post helped resolve yoru issue, please mark this post as an "Accepted Solution". Kudos are also appreciated. #

Hello all,

I have 2x SRX300 clustered together. Interface Gi0/0/0 (in each node) is my FXP0 so I have connected it up to my switch where my default gateway sits (VLAN L3 interface 10.10.10.254/24). Currently the firewalls are not connected anywhere else - just Ge-0/0/0 and Ge1/0/0 are connected to the same switch.

Node0 - 10.10.10.1/24

Node1 - 10.10.10.2/24

From the switch I can ping or ssh to both firewalls using the IPs assinged to the FXP0 interfaces (directly connected subnet) - that works as expected

Now, what I would like to do is to be able to access both forewalls from a different subnet (subnet where my laptop is connected to 20.20.20.0/24).

I have configured the static route as follow:

set routing-options static route 20.20.20.0/24 next-hop 10.10.10.254

where 20.20.20.0/24 is the laptop subnet and 10.10.10.254 is the VLAN L3 interface on the switch firewalls are connectd to.

Now I can ping 10.10.10.1 from 20.20.20.0/24 subnet but can not ping 10.10.10.2 from 20.20.20.0/24

I undestand I need to let Node1 (Passive) to use Node0's (Active) routing table so I configured the backup-router as per your recommendations:

set groups node0 system backup-router 10.10.10.254 destination 20.20.20.0/24
set groups node1 system backup-router 10.10.10.254 destination 20.20.20.0/24

Unfortunately that hasn't changed anything and I'm still not able to ping/ssh to the passive node1.

What am I missing here?

Hi, domelsnake

I would advise to open a separate thread so we can help you with your specific issue because it seems to be different than the orignal issue reported on this post. On the new post please share the ARP table of the switch connected to the fxp0 interfaces.

Hello stwardlp,

Thank you for your answer - will open a seperate thread.

Would you be able to explain how is my issue different from the one above?

I also have a test laptop connected to the same subnet as fxp0 interfaces from which I can ping/ssh to both firewalls sucesfully.

I believe this has something to do woth the 'backup-router' configuration which isn't working as expected for me - is it because fxp0 interfaces for SRX300 are virtual not dedicated-phisical?

domelsnake,

I believe stward meant that it is easier to avoid confusions if you open a new thread due to the difference in configuration/Junos versions/IP addresses/among other details between the 2 scenarios. I guess it is just a best practice.

I dont think that the fact that fxp0 in SRX300 is not a dedicated interface will affect. It is supposed to work like this and Ive seen it working without problems in the past.

Hi Asifkhan

I have elaborated the following topology so you can better understand the concepts being discussed, hope this helps:

                                    |---------(172.16.10.5)-Admin_PC_A
                                    |
                                    |
node 0 (fxp0:172.16.10.1)---------------Switch-------(172.16.10.254)-Backup_router-(20.20.20.254)---------Admin_PC_B
				    |
node 1 (fxp0:172.16.10.2)-----------

The fxp0 interfaces are interfaces dedicated to the out-of-band management of a Junos device, in Chassis Cluster's case to the management of each node separately. If your PC has an IP address within the same subnet of the addresses configured on the fxp0 interfaces (like Admin_PC_A) then you shouldnt have problems communicating with those addresses ( Im talking about ping). Because the fxp0 interface is directly connected to the RE of the Junos device, you dont need to configure these interfaces on any security-zone. Now, for SSH access you need to enable the SSH service under [edit systerm services] hierarchy.

PLease note that Admin_PC_A is within the same subnet of the addresses configured on the fxp0 interfaces but Admin_PC_B is on a different subnet. And why is it relevant? Well the RPD daemon, which is the process in charge of the routing in Junos, only runs on the primary node when working with a Chassis Cluster hence if the PC from which you are sending traffic to the SRX is outside the subnet of the addresses configured on the fxp0 interfaces (like Admin_PC_B), the secondary node wont be able to reply to that host because it needs to find a route to that host, however its routing daemon is not operational. For fixing this problem the backup router statement can be configured, pointing to a device that resides within the same subnet of the fxp0 interfaces in order to reach other subnets. In the topolgy above the device acting as the backup-router is highlighted in red.

1. Understanding and configuring the Backup-router: https://www.juniper.net/documentation/en_US/junos/topics/concept/backup-router-understanding.html
2. Default-route shouldnt be used in backup-router statement: https://kb.juniper.net/KB15580

Being this said, please check:

• are you pinging/SSH from a PC on the same subnet of the fxp0 interfaces? or is the PC on a different subnet?
• is SSH enabled under [edit system services]?
• do you have the backup-router properly configured?
• do you see the ARP entries properly learned on the switch connected to the fxp0 interfaces?
• if pinging from a different subnet, does the PC and the devices in between has the proper routes to reach the fxp0 subnet and viceversa?