Hi,
I am new to Juniper firewalls and I'm trying to set up two SRX210H devices in active/passive mode.
The configuration i am using is below,
The problem is that the configuration isn't stable: sometimes I can ping reth0 and access the internet, but most of the time
failover is triggered when disconnecting a cable yet the reth interfaces aren't pingable. The Junipers are contacting the Juniper site for licensing updates.
Can someone give me a hint in the right direction?
I have used KB15505, the Junos Security book (O'Reilly) and the Juniper Day One guide to create this config.
Kind Regards
Andre Lucas
## Last changed: 2011-03-30 11:05:42 CEST
# Junos release this configuration was saved from.
version 10.4R3.4;
# Per-node groups: the settings that differ between the two cluster members
# (host name and the fxp0 management address).
groups {
node0 {
system {
host-name node0;
}
interfaces {
fxp0 {
unit 0 {
family inet {
# NOTE(review): this management address sits in the same /23 as reth0
# (10.61.251.254/23, under interfaces). Overlapping fxp0 and reth subnets are a
# commonly reported cause of a reth address that answers only intermittently,
# and it also puts device management on the user LAN. Consider a dedicated
# management subnet; confirm against the chassis-cluster documentation.
address 10.61.251.252/23;
}
}
}
}
}
node1 {
system {
host-name node1;
}
interfaces {
fxp0 {
unit 0 {
family inet {
# Same /23 as node0's fxp0 and as reth0; see the note on node0.
address 10.61.251.253/23;
}
}
}
}
}
}
# Applies the group whose name matches the local node (node0 or node1).
apply-groups "${node}";
# Device-wide settings: authentication, DNS, management services, logging, licensing, NTP.
# NOTE(review): no login stanza appears in this listing, so root looks like the only
# account; named per-administrator accounts make actions attributable. Confirm.
system {
time-zone Europe/Amsterdam;
root-authentication {
# The "$1$" prefix marks an MD5-crypt hash. It was published with this post, so the
# root password should be treated as exposed and changed on the devices. Replace
# hashes with a placeholder before sharing a configuration.
encrypted-password "$1$jtWJEaj.$5hlsDlylSuzySjXwOHi8K1";
}
name-server {
213.75.63.36;
213.75.63.70;
}
services {
ssh;
# telnet, xnm-clear-text and web-management http below carry credentials and session
# data unencrypted. ssh and https are already enabled, so the cleartext services can
# be deleted (xnm-ssl is the encrypted counterpart of xnm-clear-text).
telnet;
xnm-clear-text;
web-management {
http;
https {
# Self-signed certificate generated by the device; browsers cannot validate it.
system-generated-certificate;
}
}
}
syslog {
# Only local targets are configured (users and files). With no remote host entry the
# logs live on the device alone, in three 100k archives.
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
# Authentication and authorization events at info level and above.
authorization info;
}
file interactive-commands {
# Records only CLI commands that fail; severity "any" would give a full command trail.
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
# License keys are fetched over HTTPS from this URL.
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
# A single time source; no NTP authentication key is configured in this listing.
server 194.151.228.10;
}
}
# Chassis-cluster definition: redundancy groups, node priorities and link monitoring.
chassis {
cluster {
control-link-recovery;
# Eight reth interfaces are allowed; only reth0 to reth3 are defined under interfaces.
reth-count 8;
node 0;
node 1;
# Redundancy group 0: node 0 (priority 100) is preferred over node 1 (priority 1).
redundancy-group 0 {
node 0 priority 100;
node 1 priority 1;
}
# Redundancy group 1 is the group every reth interface below belongs to.
# No preempt statement is present in this listing.
redundancy-group 1 {
node 0 priority 100;
node 1 priority 1;
# All eight child links on both nodes are monitored at weight 255.
# NOTE(review): the failover threshold is 255, so one monitored link that is down or
# not cabled on either node should be enough to mark this group unhealthy there.
# Check "show chassis cluster status" and "show chassis cluster interfaces" before
# and after pulling a cable; confirm.
interface-monitor {
ge-0/0/0 weight 255;
fe-0/0/2 weight 255;
ge-2/0/0 weight 255;
fe-2/0/2 weight 255;
ge-0/0/1 weight 255;
ge-2/0/1 weight 255;
fe-0/0/3 weight 255;
fe-2/0/3 weight 255;
}
}
}
}
# Physical child links, fabric links and the redundant Ethernet (reth) interfaces.
# Each reth has two children: one x-0/0/N port and the matching x-2/0/N port
# (presumably node 0 and node 1 respectively; confirm for this platform).
interfaces {
# reth0 children.
ge-0/0/0 {
gigether-options {
redundant-parent reth0;
}
}
# reth2 children.
ge-0/0/1 {
gigether-options {
redundant-parent reth2;
}
}
# reth1 children.
fe-0/0/2 {
fastether-options {
redundant-parent reth1;
}
}
# reth3 children.
fe-0/0/3 {
fastether-options {
redundant-parent reth3;
}
}
ge-2/0/0 {
gigether-options {
redundant-parent reth0;
}
}
ge-2/0/1 {
gigether-options {
redundant-parent reth2;
}
}
fe-2/0/2 {
fastether-options {
redundant-parent reth1;
}
}
fe-2/0/3 {
fastether-options {
redundant-parent reth3;
}
}
# Fabric (data-plane) links between the nodes: fe-0/0/5 and fe-2/0/5.
fab0 {
fabric-options {
member-interfaces {
fe-0/0/5;
}
}
}
fab1 {
fabric-options {
member-interfaces {
fe-2/0/5;
}
}
}
# reth0 is bound to zone Internal under security zones.
reth0 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
# Same /23 as both fxp0 management addresses in the node groups.
address 10.61.251.254/23;
}
}
}
# reth1 is bound to zone Internet; the author redacted the address.
reth1 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address x.x.x.x/x;
}
}
}
# reth2 is bound to zone DMZ.
reth2 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address 10.61.3.254/24;
}
}
}
# reth3 is bound to zone Ezorg; the author redacted the address.
reth3 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address x.x.x.x/x;
}
}
}
}
# A single static default route; the author redacted the next hop.
routing-options {
static {
route 0.0.0.0/0 next-hop x.x.x.x;
}
}
protocols {
# NOTE(review): no interface in this listing is configured for Ethernet switching.
# Confirm that stp is needed and supported in cluster mode on this release.
stp;
}
# Flow security: source NAT, screen options, zones and inter-zone policies.
security {
nat {
source {
# Internal-to-Internet traffic from 10.61.250.0/23 is translated to the address of
# the egress interface.
rule-set internet_nat {
from zone Internal;
to zone Internet;
rule InternalToInternet_access {
match {
source-address 10.61.250.0/23;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
screen {
# This profile is defined here, but no zone below references it with a screen
# statement, so as shown it protects nothing. Adding "screen untrust-screen;" under
# security-zone Internet would apply it.
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
zones {
# Internet-facing zone: the firewall itself answers ping here and nothing else.
security-zone Internet {
host-inbound-traffic {
system-services {
ping;
}
}
interfaces {
reth1.0;
}
}
# LAN zone: the firewall accepts ping, http and dns on reth0.
# http here is cleartext web management; https and ssh are not in the list, so the
# encrypted management paths are not reachable through this zone.
security-zone Internal {
host-inbound-traffic {
system-services {
ping;
http;
dns;
}
}
interfaces {
reth0.0;
}
}
# DMZ and Ezorg have no host-inbound-traffic and appear in no policy below.
# NOTE(review): under the default deny policy, nothing is forwarded to or from these
# zones and their reth addresses do not answer ping. No default-policy override is
# visible in this listing; confirm.
security-zone DMZ {
interfaces {
reth2.0;
}
}
security-zone Ezorg {
interfaces {
reth3.0;
}
}
}
policies {
# The only policy: any Internal source to any Internet destination, limited to the
# ToInternet application set.
from-zone Internal to-zone Internet {
policy Internal_to_Internet {
match {
source-address any;
destination-address any;
application ToInternet;
}
then {
# No log action, so permitted sessions leave no record. Adding
# "log { session-close; }" would record them.
permit;
}
}
}
}
}
# Application set referenced by the Internal_to_Internet policy: ping, HTTP, HTTPS
# and DNS over TCP and UDP, all predefined junos-* applications.
applications {
application-set ToInternet {
application junos-ping;
application junos-http;
application junos-https;
application junos-dns-tcp;
application junos-dns-udp;
}
}
#cluster#fxp0