Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configuring L2 HA Link Encryption tunnel

Physically connect the two devices and ensure that they are the same models. Connect the dedicated control ports on node 0 and node 1. Connect the user defined fabricated ports on node 0 and node 1. To configure two chassis in cluster mode, follow the below steps:

  1. Zeroize both the SRX Series Firewalls before you use for cluster. If the devices are already in cluster mode please make sure you disable them before the zeroize process. For information on how to disable chassis cluster, see Disabling a Chassis Cluster. Zeroize is achieved by removing the vSRX Virtual Firewall virtual machine from the datastore as mentioned in Understanding Zeroization.
  2. Delete the web management services.
  3. Configure FIPS mode and bring up the devices in FIPS mode.
  4. Configure device 1 with standard cluster commands for operating in cluster mode as node0 with control port configuration. See Chassis Cluster Control Plane Interfaces.
  5. After the device 1 is up, configure HA link encryption as shown in sample configuration below, commit and reboot. Device 1 needs to be configured with both node0 and node1 HA link encryption configuration before commit and reboot.
  6. To proceed further with device 2 configuration and commit, you need to ensure device 1 and device 2 are not reachable to each other. One way to achieve this is to power off device 1 at this point.
  7. Configure device 2 with standard cluster commands for operating in cluster mode as node1 with control port configuration. See Chassis Cluster Control Plane Interfaces.
  8. After the device 2 is up, configure HA link encryption as shown in sample configuration below on device 2. Device 2 needs to be configured with both node0 and node1 HA link encryption configuration. Commit on node1 (device 2), and finally reboot node1 (device 2).