Supported Platforms
Related Documentation
- SRX Series
- Understanding Active/Passive Chassis Cluster Deployment with an IPsec Tunnel
- Example: Configuring an Active/Passive Chassis Cluster Pair with an IPsec Tunnel (J-Web)
- Results of Enabling Chassis Cluster
- Understanding Chassis Cluster Formation
- Additional Information
- Chassis Cluster Feature Guide for Security Devices
Example: Configuring an Active/Passive Chassis Cluster Pair with an IPsec Tunnel
This example shows how to configure active/passive chassis clustering with an IPsec tunnel for SRX Series devices.
Requirements
Before you begin:
- Get two SRX5000 models with identical hardware configurations, one SRX210 edge router, and four EX Series Ethernet switches.
- Physically connect the two devices (back-to-back for the fabric and control ports) and ensure that they are the same models. You can configure both the fabric and control ports on the SRX5000 line.
- Set the two devices to cluster mode and reboot the devices.
You must enter the following operational mode commands on both devices,
for example:
- On node 0:user@host> set chassis cluster cluster-id 1 node 0 reboot
- On node 1:user@host> set chassis cluster cluster-id 1 node 1 reboot
The cluster ID is the same on both devices, but the node ID must be different because one device is node 0 and the other device is node 1. The range for the cluster ID is 1 through 255. Setting a cluster ID to 0 is equivalent to disabling a cluster.
Cluster ID greater than 15 can only be set when the fabric and control link interfaces are connected back-to-back.
- On node 0:
- Get two SRX5000 models with identical hardware configurations, one SRX210 edge router, and four EX Series Ethernet switches.
- Physically connect the two devices (back-to-back for the fabric and control ports) and ensure that they are the same models. You can configure both the fabric and control ports on the SRX5000 line.
From this point forward, configuration of the cluster is synchronized between the node members and the two separate devices function as one device. Member-specific configurations (such as the IP address of the management port of each member) are entered using configuration groups.
Overview
In this example, a single device in the cluster terminates in an IPsec tunnel and is used to process all traffic, and the other device is used only in the event of a failure. (See Figure 1.) When a failure occurs, the backup device becomes master and controls all forwarding.
Figure 1: Active/Passive Chassis Cluster with IPsec Tunnel Topology (SRX Series Devices)
In this example, you configure group (applying the configuration with the apply-groups command) and chassis cluster information. Then you configure IKE, IPsec, static route, security zone, and security policy parameters. See Table 1 through Table 7.
Table 1: Group and Chassis Cluster Configuration Parameters
Feature | Name | Configuration Parameters |
|---|---|---|
Groups | node0 |
|
node1 |
|
Table 2: Chassis Cluster Configuration Parameters
Feature | Name | Configuration Parameters |
|---|---|---|
Fabric links | fab0 | Interface: xe-5/3/0 |
fab1 | Interface: xe-17/3/0 | |
Number of redundant Ethernet interfaces | – | 2 |
Heartbeat interval | – | 1000 |
Heartbeat threshold | – | 3 |
Redundancy group | 0 |
|
1 |
| |
Interface monitoring
| ||
Interfaces | xe-5/1/0 | Redundant parent: reth1 |
xe-5/1/0 | Redundant parent: reth1 | |
xe-5/0/0 | Redundant parent: reth0 | |
xe-17/0/0 | Redundant parent: reth0 | |
reth0 | Redundancy group: 1 | |
| ||
reth1 | Redundancy group: 1 | |
| ||
st0 | ||
|
Table 3: IKE Configuration Parameters
Feature | Name | Configuration Parameters |
|---|---|---|
Proposal | proposal-set standard | - |
Policy | preShared |
|
Gateway | SRX210-1 |
Note: On all high-end SRX Series devices, only reth interfaces are supported for IKE external interface configuration in IPsec VPN. Other interface types can be configured, but IPsec VPN might not work. On all branch SRX Series devices, reth interfaces and the lo0 interface are supported for IKE external interface configuration in IPsec VPN. Other interface types can be configured, but IPsec VPN might not work. On all high-end SRX Series devices, the lo0 logical interface cannot be configured with RG0 if used as an IKE gateway external interface. |
Table 4: IPsec Configuration Parameters
Feature | Name | Configuration Parameters |
|---|---|---|
Proposal | proposal-set standard | – |
Policy | std | – |
VPN | SRX210-1 |
Note: The manual VPN name and the site-to-site gateway name cannot be the same. |
Table 5: Static Route Configuration Parameters
Name | Configuration Parameters |
|---|---|
0.0.0.0/0 | Next hop: 10.2.1.1 |
10.3.0.0/16 | Next hop: 10.10.1.2 |
Table 6: Security Zone Configuration Parameters
Name | Configuration Parameters |
|---|---|
trust |
|
untrust |
|
vpn |
|
Table 7: Security Policy Configuration Parameters
Purpose | Name | Configuration Parameters |
|---|---|---|
This security policy permits traffic from the trust zone to the untrust zone. | ANY |
|
This security policy permits traffic from the trust zone to the vpn zone. | vpn-any |
|
Configuration
CLI Quick Configuration
To quickly configure an active/passive chassis cluster pair with an IPsec tunnel, copy the following commands and paste them into the CLI:
Step-by-Step Procedure
To configure an active/passive chassis cluster pair with an IPsec tunnel:
- Configure control ports.{primary:node0}[edit]user@host# set chassis cluster control-ports fpc 2 port 0user@host# set chassis cluster control-ports fpc 14 port 0
- Configure the management interface.{primary:node0}[edit]user@host# set groups node0 system host-name SRX5800-1user@host# set groups node0 interfaces fxp0 unit 0 family inet address 172.19.100.50/24user@host#set groups node1 system host-name SRX5800-2user@host# set groups node1 interfaces fxp0 unit 0 family inet address 172.19.100.51/24user@host# set apply-groups “${node}”
- Configure the fabric interface.{primary:node0}[edit]user@host# set interfaces fab0 fabric-options member-interfaces xe-5/3/0user@host# set interfaces fab1 fabric-options member-interfaces xe-17/3/0
- Configure redundancy groups.{primary:node0}[edit]user@host# set chassis cluster reth-count 2user@host# set chassis cluster heartbeat-interval 1000user@host# set chassis cluster heartbeat-threshold 3user@host# set chassis cluster node 0user@host# set chassis cluster node 1user@host# set chassis cluster redundancy-group 0 node 0 priority 254user@host# set chassis cluster redundancy-group 0 node 1 priority 1user@host# set chassis cluster redundancy-group 1 node 0 priority 254user@host# set chassis cluster redundancy-group 1 node 1 priority 1user@host# set chassis cluster redundancy-group 1 preemptuser@host# set chassis cluster redundancy-group 1 interface-monitor xe-5/0/0 weight 255user@host# set chassis cluster redundancy-group 1 interface-monitor xe-5/1/0 weight 255user@host# set chassis cluster redundancy-group 1 interface-monitor xe-17/0/0 weight 255user@host# set chassis cluster redundancy-group 1 interface-monitor xe-17/1/0 weight 255
- Configure redundant Ethernet interfaces.{primary:node0}[edit]user@host# set interfaces xe-5/1/0 gigether-options redundant-parent reth1user@host# set interfaces xe-17/1/0 gigether-options redundant-parent reth1user@host# set interfaces xe-5/0/0 gigether-options redundant-parent reth0user@host# set interfaces xe-17/0/0 gigether-options redundant-parent reth0user@host# set interfaces reth0 redundant-ether-options redundancy-group 1user@host# set interfaces reth0 unit 0 family inet address 10.1.1.60/16user@host# set interfaces reth1 redundant-ether-options redundancy-group 1user@host# set interfaces reth1 unit 0 family inet address 10.2.1.60/16
- Configure IPsec parameters.{primary:node0}[edit]user@host# set interfaces st0 unit 0 multipoint family inet address 10.10.1.1/30user@host# set security ike policy preShared mode mainuser@host# set security ike policy preShared proposal-set standarduser@host# set security ike policy preShared pre-shared-key ascii-text "juniper"## Encrypted passworduser@host# set security ike gateway SRX210-1 ike-policy preShareduser@host# set security ike gateway SRX210-1 address 10.1.1.90user@host# set security ike gateway SRX210-1 external-interface reth0.0user@host# set security ipsec policy std proposal-set standarduser@host# set security ipsec vpn SRX210-1 bind-interface st0.0user@host# set security ipsec vpn SRX210-1 vpn-monitor optimizeduser@host# set security ipsec vpn SRX210-1 ike gateway SRX210-1user@host# set security ipsec vpn SRX210-1 ike ipsec-policy stduser@host# set security ipsec vpn SRX210-1 establish-tunnels immediately
- Configure static routes.{primary:node0}[edit]user@host# set routing-options static route 0.0.0.0/0 next-hop 10.2.1.1user@host# set routing-options static route 10.3.0.0/16 next-hop 10.10.1.2
- Configure security zones.{primary:node0}[edit]user@host# set security zones security-zone untrust host-inbound-traffic system-services alluser@host# set security zones security-zone untrust host-inbound-traffic protocols alluser@host# set security zones security-zone untrust interfaces reth1.0user@host# set security zones security-zone trust host-inbound-traffic system-services alluser@host# set security zones security-zone trust host-inbound-traffic protocols alluser@host# set security zones security-zone trust interfaces reth0.0user@host# set security zones security-zone vpn host-inbound-traffic system-services alluser@host# set security zones security-zone vpn host-inbound-traffic protocols alluser@host# set security zones security-zone vpn interfaces st0.0
- Configure security policies.{primary:node0}[edit]user@host# set security policies from-zone trust to-zone untrust policy ANY match source-address anyuser@host# set security policies from-zone trust to-zone untrust policy ANY match destination-address anyuser@host# set security policies from-zone trust to-zone untrust policy ANY match application anyuser@host# set security policies from-zone trust to-zone vpn policy vpn-any then permit
Step-by-Step Procedure
Results
From operational mode, confirm your configuration by entering the show configuration command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).
user@host> show configurationversion x.xx.x;
groups {
node0 {
system {
host-name SRX58001;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 172.19.100.50/24;
}
}
}
}
}
node1 {
system {
host-name SRX58002;
}
interfaces {
fxp0 {
unit 0 {
family inet {
address 172.19.100.51/24;
}
}
}
}
}
}
apply-groups "${node}";
system {
root-authentication {
encrypted-password "$1$zTMjraKG$qU8rjxoHzC6Y/WDmYpR9r.";
}
}
chassis {
cluster {
reth-count 2;
heartbeat-interval 1000;
heartbeat-threshold 3;
control-ports {
fpc 2 port 0;
fpc 14 port 0;
}
redundancy-group 0 {
node 0 priority 254;
node 1 priority 1;
}
redundancy-group 1 {
node 0 priority 254;
node 1 priority 1;
preempt;
interface-monitor {
xe–6/0/0 weight 255;
xe–6/1/0 weight 255;
xe–18/0/0 weight 255;
xe–18/1/0 weight 255;
}
}
}
}
interfaces {
xe–5/0/0 {
gigether–options {
redundant–parent reth0;
}
}
xe–5/1/0 {
gigether–options {
redundant–parent reth1;
}
}
xe–17/0/0 {
gigether–options {
redundant–parent reth0;
}
}
xe–17/1/0 {
gigether–options {
redundant–parent reth1;
}
}
fab0 {
fabric–options {
member–interfaces {
xe–5/3/0;
}
}
}
fab1 {
fabric–options {
member–interfaces {
xe–17/3/0;
}
}
}
reth0 {
redundant–ether–options {
redundancy–group 1;
}
unit 0 {
family inet {
address 10.1.1.60/16;
}
}
}
reth1 {
redundant–ether–options {
redundancy–group 1;
}
unit 0 {
family inet {
address 10.2.1.60/16;
}
}
}
st0 {
unit 0 {
multipoint;
family inet {
address 5.4.3.2/32;
}
}
}
}
routing–options {
static {
route 0.0.0.0/0 {
next–hop 10.2.1.1;
}
route 10.3.0.0/16 {
next–hop 10.10.1.2;
}
}
}
security {
zones {
security–zone trust {
host–inbound–traffic {
system–services {
all;
}
}
interfaces {
reth0.0;
}
}
security–zone untrust
host-inbound-traffic {
system-services {
all;
}
}
protocols {
all;
}
interfaces {
reth1.0;
}
}
security-zone vpn {
host-inbound-traffic {
system-services {
all;
}
}
protocols {
all;
}
interfaces {
st0.0;
}
}
}
policies {
from–zone trust to–zone untrust {
policy ANY {
match {
source–address any;
destination–address any;
application any;
}
then {
permit;
}
}
}
from–zone trust to–zone vpn {
policy vpn {
match {
source–address any;
destination–address any;
application any;
}
then {
permit;
}
}
}
}
}If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Verifying Chassis Cluster Status
- Verifying Chassis Cluster Interfaces
- Verifying Chassis Cluster Statistics
- Verifying Chassis Cluster Control Plane Statistics
- Verifying Chassis Cluster Data Plane Statistics
- Verifying Chassis Cluster Redundancy Group Status
- Troubleshooting with Logs
Verifying Chassis Cluster Status
Purpose
Verify the chassis cluster status, failover status, and redundancy group information.
Action
From operational mode, enter the show chassis cluster status command.
{primary:node0}show chassis cluster statusCluster ID: 1
Node Priority Status Preempt Manual failover
Redundancy group: 0 , Failover count: 1
node0 1 primary no no
node1 254 secondary no no
Redundancy group: 1 , Failover count: 1
node0 1 primary yes no
node1 254 secondary yes no
Verifying Chassis Cluster Interfaces
Purpose
Verify the chassis cluster interfaces.
Action
From operational mode, enter the show chassis cluster interfaces command.
{primary:node0}user@host> show chassis cluster interfacesControl link name: fxp1
Redundant-ethernet Information:
Name Status Redundancy-group
reth0 Up 1
reth1 Up 1
Interface Monitoring:
Interface Weight Status Redundancy-group
xe-5/0/0 255 Up 1
xe-5/1/0 255 Up 1
xe-17/0/0 255 Up 1
xe-17/1/0 255 Up 1
Verifying Chassis Cluster Statistics
Purpose
Verify information about chassis cluster services and control link statistics (heartbeats sent and received), fabric link statistics (probes sent and received), and the number of RTOs sent and received for services.
Action
From operational mode, enter the show chassis cluster statistics command.
{primary:node0}user@host> show chassis cluster statisticsControl link statistics:
Control link 0:
Heartbeat packets sent: 258689
Heartbeat packets received: 258684
Heartbeat packets errors: 0
Fabric link statistics:
Child link 0
Probes sent: 258681
Probes received: 258681
Services Synchronized:
Service name RTOs sent RTOs received
Translation context 0 0
Incoming NAT 0 0
Resource manager 6 0
Session create 161 0
Session close 148 0
Session change 0 0
Gate create 0 0
Session ageout refresh requests 0 0
Session ageout refresh replies 0 0
IPSec VPN 0 0
Firewall user authentication 0 0
MGCP ALG 0 0
H323 ALG 0 0
SIP ALG 0 0
SCCP ALG 0 0
PPTP ALG 0 0
RPC ALG 0 0
RTSP ALG 0 0
RAS ALG 0 0
MAC address learning 0 0
GPRS GTP 0 0
Verifying Chassis Cluster Control Plane Statistics
Purpose
Verify information about chassis cluster control plane statistics (heartbeats sent and received) and the fabric link statistics (probes sent and received).
Action
From operational mode, enter the show chassis cluster control-panel statistics command.
{primary:node0}user@host> show chassis cluster control-plane
statisticsControl link statistics:
Control link 0:
Heartbeat packets sent: 258689
Heartbeat packets received: 258684
Heartbeat packets errors: 0
Fabric link statistics:
Child link 0
Probes sent: 258681
Probes received: 258681
Verifying Chassis Cluster Data Plane Statistics
Purpose
Verify information about the number of RTOs sent and received for services.
Action
From operational mode, enter the show chassis cluster data-plane statistics command.
{primary:node0}user@host> show chassis cluster data-plane statisticsServices Synchronized:
Service name RTOs sent RTOs received
Translation context 0 0
Incoming NAT 0 0
Resource manager 6 0
Session create 161 0
Session close 148 0
Session change 0 0
Gate create 0 0
Session ageout refresh requests 0 0
Session ageout refresh replies 0 0
IPSec VPN 0 0
Firewall user authentication 0 0
MGCP ALG 0 0
H323 ALG 0 0
SIP ALG 0 0
SCCP ALG 0 0
PPTP ALG 0 0
RPC ALG 0 0
RTSP ALG 0 0
RAS ALG 0 0
MAC address learning 0 0
GPRS GTP 0 0Verifying Chassis Cluster Redundancy Group Status
Purpose
Verify the state and priority of both nodes in a cluster and information about whether the primary node has been preempted or whether there has been a manual failover.
Action
From operational mode, enter the chassis cluster status redundancy-group command.
{primary:node0}user@host> show chassis cluster status redundancy-group
1Cluster ID: 1
Node Priority Status Preempt Manual failover
Redundancy-Group: 1, Failover count: 1
node0 0 primary yes no
node1 254 secondary yes no
Troubleshooting with Logs
Purpose
Use these logs to identify any chassis cluster issues. You should run these logs on both nodes.
Action
From operational mode, enter these show commands.
Related Documentation
- SRX Series
- Understanding Active/Passive Chassis Cluster Deployment with an IPsec Tunnel
- Example: Configuring an Active/Passive Chassis Cluster Pair with an IPsec Tunnel (J-Web)
- Results of Enabling Chassis Cluster
- Understanding Chassis Cluster Formation
- Additional Information
- Chassis Cluster Feature Guide for Security Devices
Published: 2015-02-27
Supported Platforms
Related Documentation
- SRX Series
- Understanding Active/Passive Chassis Cluster Deployment with an IPsec Tunnel
- Example: Configuring an Active/Passive Chassis Cluster Pair with an IPsec Tunnel (J-Web)
- Results of Enabling Chassis Cluster
- Understanding Chassis Cluster Formation
- Additional Information
- Chassis Cluster Feature Guide for Security Devices
