Understanding Active/Passive Chassis Cluster Deployment with an IPsec Tunnel
In an active/passive chassis cluster deployment with an IPsec tunnel, a single device in the cluster terminates the IPsec tunnel and processes all traffic, while the other device is used only in the event of a failure (see Figure 103). When a failure occurs, the backup device becomes master and controls all forwarding.
Figure 103: Active/Passive Chassis Cluster with IPsec Tunnel Scenario (SRX Series Devices)
An active/passive chassis cluster can be achieved by using redundant Ethernet interfaces (reths) that are all assigned to the same redundancy group. If any interface in an active group on a node fails, the group is declared inactive and all the interfaces in the group fail over to the other node.
This configuration provides a way for a site-to-site IPsec tunnel to terminate in an active/passive cluster where a redundant Ethernet interface is used as the tunnel endpoint. In the event of a failure, the redundant Ethernet interface in the backup SRX Series device will become active, forcing the tunnel to change endpoints to terminate in the new active SRX Series device. Because tunnel keys and session information are synchronized between the members of the chassis cluster, a failover will not require the tunnel to be renegotiated and all established sessions will be maintained.
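The two design conditions described above (every reth in the same redundancy group, and the tunnel terminating on a reth) can be checked against an exported configuration. The following is an added example, not Juniper's code; it assumes the configuration is in Junos `set` format, and the interface names, gateway name and sample configurations are constructed for illustration.

```python
import re

# Constructed sample in Junos "set" format (names are illustrative).
SAMPLE_OK = """\
set chassis cluster reth-count 2
set chassis cluster redundancy-group 1 node 0 priority 254
set chassis cluster redundancy-group 1 node 1 priority 1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1
set security ike gateway gw-site-b external-interface reth1.0
"""

# Constructed counter-example: reths split across groups, tunnel on a node-local port.
SAMPLE_BAD = """\
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 2
set security ike gateway gw-site-b external-interface ge-0/0/3.0
"""

RETH_RG = re.compile(
    r"^set interfaces (reth\d+) redundant-ether-options redundancy-group (\d+)\s*$")
IKE_EXT = re.compile(r"^set security ike gateway (\S+) external-interface (\S+)\s*$")

def audit(config):
    """Return findings that break the active/passive IPsec design; [] means it conforms."""
    reth_groups, gateways, findings = {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := RETH_RG.match(line):
            reth_groups[m.group(1)] = int(m.group(2))
        elif m := IKE_EXT.match(line):
            gateways[m.group(1)] = m.group(2)
    if not reth_groups:
        findings.append("no reth interface is assigned to a redundancy group")
    elif len(set(reth_groups.values())) > 1:
        # Separate groups can fail over independently, which is not active/passive.
        findings.append(f"reths span several redundancy groups: {sorted(reth_groups.items())}")
    if not gateways:
        findings.append("no IKE gateway external-interface statement found")
    for gw, ifl in sorted(gateways.items()):
        # The tunnel endpoint must be a logical unit of a reth so it moves on failover.
        if ifl.split(".")[0] not in reth_groups:
            findings.append(f"IKE gateway {gw} terminates on {ifl}, not on a configured reth")
    return findings

if __name__ == "__main__":
    for name, cfg in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit(cfg) or "conforms")
```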
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Example: Configuring an Active/Passive Chassis Cluster Pair with an IPsec Tunnel (CLI)
- Example: Configuring an Active/Passive Chassis Cluster Pair with an IPsec Tunnel (J-Web)
- Understanding What Happens When Chassis Cluster Is Enabled
- Understanding Chassis Cluster Formation