SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Recovery Group Failover Delay

    Posted 03-22-2024 20:54

    I have a standard setup with dual uplinks to an ISP from an SRX cluster (the cluster consists of SRX320s). Whenever I pull the uplink from the active SRX, failover takes about 3-5 seconds and everything functions as it should (i.e. no impact to traffic, maybe 3 packets are dropped), but once I plug the uplink back in it takes about 30 seconds for things to recover and the impact is much higher, i.e. all traffic is dropped. I am still waiting for the ISP configs to evaluate the setup, but I am guessing (from what I've been told) that it's an access switch simply running LACP.

    Configuration is very plain:

    chassis {
        cluster {
            control-link-recovery;
            reth-count 2;
            redundancy-group 0 {
                node 0 priority 254;
                node 1 priority 1;
                hold-down-interval 300;
            }
            redundancy-group 2 {
                node 0 priority 254;
                node 1 priority 1;
                preempt;
                hold-down-interval 1;
                interface-monitor {
                    ge-0/0/3 weight 255;
                    ge-3/0/3 weight 255;
                }
            }
        }
    }
    

    Any clues?

    Thanks!



  • 2.  RE: Recovery Group Failover Delay

    Posted 03-23-2024 11:37

    Interesting you should mention an access switch. Pretend you're the ISP switch:

    The failover scenario:  You're seeing packets from 00:10:db:12:34:56 back and forth on port A. All of a sudden port A goes down, so you clean up everything you had associated with that port and now you start seeing traffic from the same MAC address on port B. Weird, but life is good.

    The recovery scenario: You're seeing packets from 00:10:db:12:34:56 back and forth on port B. All of a sudden port A comes up, and you start seeing traffic from the same MAC address on port A. You know that MAC address is on port B! Why does it all of a sudden show up on port A? Someone must be spoofing that station! -- OR -- Hey, port A just came up and you're running an old school spanning tree protocol, so you hold down that port for 30 seconds while you listen for BPDUs to make sure there isn't a Layer 2 loop before you start allowing traffic on that port.

    Or something like that. Some port security features on the ISP switch may thwart your recovery. Also, LACP or any kind of link aggregation / bundling would not be appropriate on the upstream switch when connecting to an SRX reth interface in your case, because you have only one link per node. From the point of view of the upstream switch, it's just a MAC address moving from one port to another.



    ------------------------------
    Nikolay Semov
    ------------------------------
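The switch-side behaviour described in the reply above, as an added Python model that is not from the thread or from Juniper: a toy upstream switch with a MAC table, a legacy-STP forward delay and an optional port-security MAC-move rule, run through both the failover and the failback. Port names, the 30 s delay, the 40 s observation window and the once-per-second traffic are assumptions; SRX-side detection time is not modelled.

```python
"""Toy model of the ISP switch's view of an SRX reth failover/failback (constructed,
not Junos code): link-down failover is fast because the lost port's MAC entries are
flushed; link-up failback stalls under legacy STP or port security's MAC-move rule."""
from dataclasses import dataclass, field

RETH_MAC = "00:10:db:12:34:56"  # the reth MAC used in the thread


@dataclass
class UpstreamSwitch:
    stp_delay: int = 30            # listening+learning; 0 models an edge/portfast port
    mac_move_allowed: bool = True  # False models sticky port security
    mac_table: dict = field(default_factory=dict)      # mac -> port
    forwarding_at: dict = field(default_factory=dict)  # port -> time it may forward

    def link_down(self, port: str) -> None:
        # Losing the port flushes every MAC learned on it, so the same MAC
        # appearing on another port is simply learned, not disputed.
        self.mac_table = {m: p for m, p in self.mac_table.items() if p != port}

    def link_up(self, port: str, now: int) -> None:
        self.forwarding_at[port] = now + self.stp_delay

    def frame(self, src_mac: str, port: str, now: int) -> str:
        if now < self.forwarding_at.get(port, 0):
            return "dropped: port still in STP listening/learning"
        known = self.mac_table.get(src_mac)
        if known not in (None, port) and not self.mac_move_allowed:
            return "dropped: port security rejects the MAC move"
        self.mac_table[src_mac] = port  # learn, or move, the station
        return "forwarded"


def simulate(switch: UpstreamSwitch, scenario: str) -> int:
    """Count once-per-second frames dropped in the 40 s after the event."""
    switch.frame(RETH_MAC, "A", 0)       # steady state: reth MAC lives on port A
    switch.link_down("A")                # uplink on the active node is pulled
    if scenario == "failover":
        active = "B"                     # SRX now sends from node 1's uplink
    else:                                # "failback": replugged, preempt wins
        switch.frame(RETH_MAC, "B", 0)   # traffic had moved to B meanwhile
        switch.link_up("A", 0)
        active = "A"
    return sum(switch.frame(RETH_MAC, active, t) != "forwarded" for t in range(40))


if __name__ == "__main__":
    for label, kw in [("legacy STP", {}), ("edge port", {"stp_delay": 0}), ("sticky MAC", {"mac_move_allowed": False})]:
        print(label, [simulate(UpstreamSwitch(**kw), s) for s in ("failover", "failback")])
```

The failover case drops nothing in every variant, while failback drops 30 frames under legacy STP, none on an edge port, and every frame when the MAC move is refused.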