Configure Cluster (HA) Setup
Before you begin:
Establish a chassis cluster connection between the two units, ensure that you have physical access to both the devices.
You must configure the two devices separately.
Your other unit must be on the same hardware and software version as the current unit.
Note that both units are erased and rebooted, after which all existing data is irretrievable. You have the option to save a backup copy of your configuration before rebooting.
You are here: Device Administration > Cluster Management > Cluster Configuration.
The Junos OS provides high availability on SRX Series Firewall by using chassis clustering. SRX Series Firewalls can be configured to operate in cluster mode, where a pair of devices can be connected together and configured to operate like a single node, providing device, interface, and service level redundancy.
A chassis cluster can be configured in the following modes:
Active/passive mode: In active/passive mode, transit traffic passes through the primary node while the backup node is used only in the event of a failure. When a failure occurs, the backup device becomes primary and takes over all forwarding tasks.
Active/active mode: In active/active mode, has transit traffic passing through both nodes of the cluster all of the time.
In the J-Web cluster (HA) setup, you can only configure active/passive mode (RG1).
You can set up chassis cluster using a simplified Cluster (HA) Mode wizard when the standalone SRX Series Firewalls are in factory default. You can also create HA using the same wizard from Device Administration > Reset Configuration when the devices are already in the network.
In the factory default settings, a warning message is displayed in SRX300, SRX320, SRX320-POE, SRX340, SRX345, and SRX380 devices to disconnect the ports between the two nodes. This is to avoid displaying the details of the other nodes.
Device Administration > Cluster Management > Cluster Configuration
To set up cluster (HA):
- Select Cluster (HA) Setup.Note:
For the secondary node to be set up or if the primary and secondary nodes are not already connected, click Proceed. If you want to set up the primary node, then disconnect back to back connected ports between the two nodes and click Refresh to reload the browser.
The Setup Chassis Cluster wizard page appears. This wizard guides you through configuring chassis cluster on a two-unit cluster.
Select the unit
The welcome page shows the possible chassis cluster connections that you can configure for your SRX Series Firewall. It shows a graphical representation for primary unit (Node 0) and secondary unit (Node 1) and guides you to first configure the primary unit (node 0).
- Select Yes, this is the primary unit (Node 0). to select the unit.Note:
If you have already configured the primary node settings, then select No, this is the secondary unit (Node 1) and follow the instructions from Step 8.
- Click Next.
- To configure the primary unit, complete the configuration
according to the guidelines provided in Table 1.
Table 1: Primary Unit Configuration Field
Description
Action
System Identity Node 0 Cluster ID
Specifies the number by which a cluster is identified.
Enter a number from 1 through 255. By default, 1 is assigned.
Node 0 Priority
Specifies the device priority for being elected to be the primary device in the VRRP group.
Enter a number from 1 through 255. By default, 200 is assigned.
Node 1 Priority
Specifies the device priority for being elected to be the primary device in the VRRP group.
Enter a number from 1 through 255. By default, 100 is assigned.
Node 0 Host Name
Specifies the device host name of the node 0.
By default, host name is assigned. For example, SRX1500-01.
Node 1 Host Name
Specifies the device host name of the node 1.
By default, host name is assigned. For example, SRX1500-02.
Allow root user SSH login
Allows users to log in to the device as root through SSH.
Enable this option.
Management Interface IPv4 Address Note:Make a note of the IPv4 address as you need it to access the settings after you commit the configuration.
Node 0 Management IPv4
Specifies the management IPv4 address of node 0.
Enter a valid IPv4 address for the management interface.
Node 0 Subnet Mask
Specifies subnet mask for IPv4 address.
Enter a subnet mask for the IPv4 address.
Node 1 Management IPv4
Specifies the management IPv4 address of node 1.
Enter a valid IPv4 address for the management interface.
Node 1 Subnet Mask
Specifies subnet mask for IPv4 address.
Enter a subnet mask for the IPv4 address.
Static Route IP
Defines how to route to the other network devices.
Enter an IPv4 address for the static route.
Static Route Subnet
Specifies the subnet for the static route IPv4 address.
Enter a subnet mask for the static route IPv4 address.
Next Hop IPv4
Specifies next hop gateway for the IPv4 address.
Enter a valid IPv4 address for the next hop.
IPv6 Address (Optional) Node 0 Management IPv6
Specifies the management IPv6 address of node 0.
Enter a valid IPv6 address for the management interface.
Node 0 Subnet Prefix
Specifies subnet prefix for IPv6 address.
Enter a subnet prefix for the IPv6 address.
Node 1 Management IPv6
Specifies the management IPv6 address of node 1.
Enter a valid IPv6 address for the management interface.
Node 1 Subnet Prefix
Specifies subnet prefix for IPv6 address.
Enter a subnet prefix for the IPv6 address.
Static Route IPv6
Defines how to route to the other network devices.
Enter an IPv6 address for the static route.
Static Route Subnet Prefix
Specifies the subnet prefix for the static route IPv6 address.
Enter a subnet prefix for the static route IPv6 address.
Next Hop IPv6
Specifies next hop gateway for the IPv6 address.
Enter a valid IPv6 address for the next hop.
Device Password Root Password
Specifies root password of the device.
Enter root password if not already configured for the device.
Re-Enter Password
-
Reenter the root password.
Control Ports Note:This option is available only for SRX5600 and SRX5800 devices.
Dual Link
Provides redundant link for failover.
By default, this option is disabled.
Once you enable this option, the following fields appear:
Link 1
Node 0 FPC—Select an option from the list.
Node 0 Port—Select an option from the list.
Node 1 FPC.
Node 1 Port.
Link 2 (Optional)
Node 0 FPC—Select an option from the list.
Node 0 Port—Select an option from the list.
Node 1 FPC.
Node 1 Port.
Node 0 FPC
Specifies FPC slot number on which to configure the control port.
Select an option from the list.
Node 0 Port
Specifies port number on which to configure the control port.
Select an option from the list.
Node 1 FPC
Optional. Specifies FPC slot number on which to configure the control port.
Select an option from the list.
Node 1 Port
Optional. Specifies port number on which to configure the control port.
Select an option from the list.
Save Backup (Optional) Save Backup (to client)
Saves backup of the current configuration to the client local machine.
Note:When restarting the primary unit, J-Web deletes the existing configuration to configure chassis cluster. Therefore, it is recommended that you save a backup file of your current settings before committing the new configuration.
Enable the option to save the backup file of your settings.
- Click Reboot and Continue to restart the primary unit to configure chassis cluster.
- After rebooting the primary unit (node 0), connect to the management port of the secondary unit to switch to the secondary unit.
- Click Refresh if the management IP address of the secondary unit is same as the existing device default IP address. If not, open a new browser with the new secondary device IP address.
- To configure
the secondary unit, complete the configuration according to the guidelines
provided in Table 2.
Table 2: Secondary Unit Configuration Field
Description
Action
Secondary Unit Information Cluster ID
Specifies the number by which a cluster is identified.
Note:Cluster ID must be same for both primary and secondary units.
Enter a number from 1 through 255. By default, 1 is assigned.
Device Password Root Password
Specifies root password of the device.
Enter new root password.
Re-Enter Password
-
Reenter the root password.
Control Ports Note:This option is available only for SRX5600 and SRX5800 devices.
Dual Link
Provides redundant link for failover.
By default, this option is disabled.
Once you enable dual link option, the following fields appear:
Link 1
Node 0 FPC—Select an option from the list.
Node 0 Port—Select an option from the list.
Node 1 FPC.
Node 1 Port.
Link 2 (Optional)
Node 0 FPC—Select an option from the list.
Node 0 Port—Select an option from the list.
Node 1 FPC.
Node 1 Port.
Node 0 FPC
Specifies FPC slot number on which to configure the control port.
Select an option from the list.
Node 0 Port
Specifies port number on which to configure the control port.
Select an option from the list.
Node 1 FPC
Optional. Specifies FPC slot number on which to configure the control port.
Select an option from the list.
Node 1 Port
Optional. Specifies port number on which to configure the control port.
Select an option from the list.
Save Backup (Optional) Save Backup (to client)
Saves backup of the current configuration to the client local machine.
Note:When restarting the secondary unit, J-Web deletes the existing configuration to configure chassis cluster. Therefore, it is recommended that you save a backup file of your current settings before committing the new configuration.
Enable the option to save the backup file of your settings.
- Click Reboot and Continue to restart the secondary unit to configure chassis cluster.
- After rebooting the secondary unit (node 1), launch the J-Web UI using primary unit management IP address.
- Navigate to Cluster Management > Cluster
(HA) Setup.
The Cluster Wizard page will open and displays the Cluster Status step.
Note:J-Web uses
show chassis cluster status
to verify control link status. Number on the link signifies if it is single (1) or dual links (2).The control and fabric link status colors are as follows:
Green—Indicates that the links are up.
Red—Indicates that the links are down.
Orange—Indicates that one of the dual links is up.
Grey—Indicates that the fabric link is not configured.
If chassis cluster is not connected, then the connection is failed and all possible failure reasons will be displayed. For information on troubleshooting tips, see Juniper Knowledge Search.
You can configure fabric link only after the chassis cluster is formed. For the first time configuration, the chassis status displays as
The fabric ports links is not yet configured
.
- To configure fabric link, complete the configuration according
to the guidelines provided in Table 3.
Table 3: Fabric Link Configuration Field
Description
Action
Fabric Link Details Dual Link
Provides redundant link for failover.
Enable this option.
Link 1 Fabric 0
Specifies the fabric port link for node 0.
Select an interface from the list.
Fabric 1
Specifies the fabric port link for node 1.
-
Link 2 (Optional) Fabric 0
Specifies the secondary fabric port link for node 0.
Select an interface from the list.
Fabric 1
Specifies the secondary fabric port link for node 1.
-
- Click Configure Link.
- Click Next.
- To add redundant Ethernet (reth) interface, click + and complete the configuration according to the guidelines
provided in Table 4.Note:
You can also use the pencil icon to edit the reth interface and delete icon to delete the reth interfaces.
Table 4: Add Reth Interface Field
Description
Action
RETH Name
Specifies the reth interface name.
Enter a name for reth interface.
Node 0 Interfaces
Specifies the list of Node 0 interfaces.
Select an interface from the Available column and move it to the Selected column.
Node 1
Specifies the Node 1 interfaces based on the node 0 interfaces.
-
Advance Settings LACP Configuration
Optional. Configure Link Aggregation Control Protocol (LACP).
-
LACP Mode
Optional. Specifies the LACP mode.
Available options are:
active—Initiate transmission of LACP packets.
passive—Respond to LACP packets.
periodic—Interval for periodic transmission of LACP packets.
Select an option from the list.
Periodicity
Optional. Specifies the interval at which the interfaces on the remote side of the link transmit link aggregation control protocol data units (PDUs).
Available options are:
fast—Transmit link aggregation control PDUs every second.
slow—Transmit link aggregation control PDUs every 30 seconds.
Select an option from the list.
Description
Optional. Specifies the description for LACP.
Enter a description.
VLAN Tagging
Optional. Specifies whether or not to enable VLAN tagging.
Enable this option.
Redundancy Group
Specifies the number of the redundancy group that the reth interface belongs to.
-
- Click Save.
Virtual reth interface is created.
- To add a logical interface to the new virtual reth interfaces,
complete the configuration according to the guidelines provided in Table 5.
Table 5: Add Reth Logical Interface Field
Description
Action
General Reth Interface Name
Specifies the name of the reth interface.
Enter a name for the reth interface.
Logical Interface Unit
Specifies the logical interface unit.
Enter the logical interface unit.
Description
Specifies the description of the reth interface.
Enter the description.
VLAN ID
Optional. Specifies the VLAN ID.
Enter the VLAN ID.
IPv4 Address IPv4 Address
Specifies the IPv4 address.
Click + and enter a valid IP address.
Subnet Mask
Specifies the subnet mask for IPv4 address.
Enter a valid subnet mask.
IPv6 Address (Optional) IPv6 Address
Specifies the IPv6 address.
Enter a valid IP address.
Prefix Length
Specifies the number of bits set in the subnet mask.
Enter the prefix length.
- Click OK.
- To configure zones, complete the configuration according
to the guidelines provided in Table 6.Note:
With factory default configuration, trust and untrust zones are displayed by default.
You can edit the security zone, add new zones, and delete the newly added zones. You will receive an error message while committing if you try to delete a default zone. This is because, the default zones are referenced in the security policies.
You can also edit zone description, application tracking, source identity log, interfaces, system services, protocols, and traffic control options.
Table 6: Create Zones Field
Description
Action
General Information Name
Specifies the name of the zone.
Enter a name for the zone.
Description
Specifies a description for the zone.
Enter a description for the zone.
Application Tracking
Enables application tracking (AppTrack) to collect statistics for the application usage on the device, and when the session closes
Enable this option.
Source Identity Log
Specifies the source-identity-log parameter as part of the configuration for a zone to enable it to trigger user identity logging when that zone is used as the source zone (from-zone) in a security policy.
Enable this option.
Interfaces Interfaces
Specifies the list of reth interfaces available.
Select an interface from the Available column and move it to the Selected column.
System Services Except
Drops the selected services.
Enable this option if you want to drop the selected services.
Services
Specify the types of incoming system service traffic that can reach the device for all interfaces in a zone.
Select a service from the Available column and move it to the Selected column.
Protocols Except
Drops the selected protocols.
Enable this option if you want to drop the selected protocols.
Protocols
Specify the types of routing protocol traffic that can reach the device on a per-interface basis.
Select a protocol from the Available column and move it to the Selected column.
Traffic Control Options TCP Reset
Specifies the device to send a TCP segment with the RST (reset) flag set to 1 (one) in response to a TCP segment with any flag other than SYN set and that does not belong to an existing session.
Enable this option.
- Click OK.
- Click Finish.
A cluster setup success message appears.
If you click the Cluster (HA) Setup menu again, a cluster setup success message appears, and you can click Cluster Configuration to view and edit the chassis cluster configuration.
Note:If the chassis cluster configuration fails after you click Finish, then edit the configuration as required and commit the changes again.