Configure Cluster (HA) Setup

Before you begin:

  • Establish a chassis cluster connection between the two units, and ensure that you have physical access to both devices.

  • You must configure the two devices separately.

  • The other unit must be the same hardware model and run the same software version as the current unit.

  • Both units are erased and rebooted during setup, after which all existing data is irretrievable. You have the option to save a backup copy of your configuration before rebooting.


Junos OS provides high availability on SRX Series Firewalls by using chassis clustering. SRX Series Firewalls can be configured to operate in cluster mode, where a pair of devices is connected together and configured to operate as a single node, providing device, interface, and service-level redundancy.

Note:
  • Starting in Junos OS Release 23.4R1, J-Web supports SRX1600 and SRX2300 Firewalls.

  • Starting in Junos OS Release 24.2R1, J-Web supports SRX4300 Firewall.

A chassis cluster can be configured in the following modes:

  • Active/passive mode: In active/passive mode, transit traffic passes through the primary node while the backup node is used only in the event of a failure. When a failure occurs, the backup device becomes primary and takes over all forwarding tasks.

  • Active/active mode: In active/active mode, transit traffic passes through both nodes of the cluster all of the time.

Note:

In the J-Web cluster (HA) setup, you can only configure active/passive mode (RG1).

You can set up a chassis cluster using the simplified Cluster (HA) Mode wizard when the standalone SRX Series Firewalls are in the factory default state. You can also create an HA cluster using the same wizard from Device Administration > Reset Configuration when the devices are already in the network.

Note:

In the factory default settings, SRX300, SRX320, SRX320-POE, SRX340, SRX345, and SRX380 devices display a warning message asking you to disconnect the ports between the two nodes. This prevents the details of the other node from being displayed.


To set up a cluster (HA):

  1. Select Cluster (HA) Setup.
    Note:

    If you are setting up the secondary node, or if the primary and secondary nodes are not already connected, click Proceed. If you want to set up the primary node, disconnect the back-to-back connected ports between the two nodes and click Refresh to reload the browser.

    The Setup Chassis Cluster wizard page appears. This wizard guides you through configuring a two-unit chassis cluster.

    Select the unit

    The welcome page shows the possible chassis cluster connections that you can configure for your SRX Series Firewall. It shows a graphical representation of the primary unit (Node 0) and the secondary unit (Node 1) and guides you to configure the primary unit (Node 0) first.

  2. Select Yes, this is the primary unit (Node 0) to select the unit.
    Note:

    If you have already configured the primary node settings, select No, this is the secondary unit (Node 1) and follow the instructions from Step 8.

  3. Click Next.
  4. To configure the primary unit, complete the configuration according to the guidelines provided in Table 1.
    Table 1: Primary Unit Configuration

    Field

    Description

    Action

    System Identity

    Node 0 Cluster ID

    Specifies the number by which a cluster is identified.

    Enter a number from 1 through 255. By default, 1 is assigned.

    Node 0 Priority

    Specifies the device priority for being elected to be the primary device in the VRRP group.

    Enter a number from 1 through 255. By default, 200 is assigned.

    Node 1 Priority

    Specifies the device priority for being elected to be the primary device in the VRRP group.

    Enter a number from 1 through 255. By default, 100 is assigned.

    Node 0 Host Name

    Specifies the host name of node 0.

    A default host name is assigned, for example SRX1500-01.

    Node 1 Host Name

    Specifies the host name of node 1.

    A default host name is assigned, for example SRX1500-02.

    Allow root user SSH login

    Allows users to log in to the device as root through SSH.

    Enable this option.

    Management Interface
    IPv4 Address
    Note:

    Make a note of the IPv4 address as you need it to access the settings after you commit the configuration.

    Node 0 Management IPv4

    Specifies the management IPv4 address of node 0.

    Enter a valid IPv4 address for the management interface.

    Node 0 Subnet Mask

    Specifies the subnet mask for the IPv4 address.

    Enter a subnet mask for the IPv4 address.

    Node 1 Management IPv4

    Specifies the management IPv4 address of node 1.

    Enter a valid IPv4 address for the management interface.

    Node 1 Subnet Mask

    Specifies the subnet mask for the IPv4 address.

    Enter a subnet mask for the IPv4 address.

    Static Route IP

    Defines how to route to the other network devices.

    Enter an IPv4 address for the static route.

    Static Route Subnet

    Specifies the subnet for the static route IPv4 address.

    Enter a subnet mask for the static route IPv4 address.

    Next Hop IPv4

    Specifies the next-hop gateway for the IPv4 address.

    Enter a valid IPv4 address for the next hop.

    IPv6 Address (Optional)

    Node 0 Management IPv6

    Specifies the management IPv6 address of node 0.

    Enter a valid IPv6 address for the management interface.

    Node 0 Subnet Prefix

    Specifies the subnet prefix for the IPv6 address.

    Enter a subnet prefix for the IPv6 address.

    Node 1 Management IPv6

    Specifies the management IPv6 address of node 1.

    Enter a valid IPv6 address for the management interface.

    Node 1 Subnet Prefix

    Specifies the subnet prefix for the IPv6 address.

    Enter a subnet prefix for the IPv6 address.

    Static Route IPv6

    Defines how to route to the other network devices.

    Enter an IPv6 address for the static route.

    Static Route Subnet Prefix

    Specifies the subnet prefix for the static route IPv6 address.

    Enter a subnet prefix for the static route IPv6 address.

    Next Hop IPv6

    Specifies the next-hop gateway for the IPv6 address.

    Enter a valid IPv6 address for the next hop.

    Device Password

    Root Password

    Specifies the root password of the device.

    Enter the root password if one is not already configured for the device.

    Re-Enter Password

    -

    Reenter the root password.

    Control Ports
    Note:

    This option is available only for SRX5600 and SRX5800 devices.

    Dual Link

    Provides a redundant link for failover.

    By default, this option is disabled.

    Once you enable this option, the following fields appear:

    • Link 1

      • Node 0 FPC—Select an option from the list.

      • Node 0 Port—Select an option from the list.

      • Node 1 FPC.

      • Node 1 Port.

    • Link 2 (Optional)

      • Node 0 FPC—Select an option from the list.

      • Node 0 Port—Select an option from the list.

      • Node 1 FPC.

      • Node 1 Port.

    Node 0 FPC

    Specifies the FPC slot number on which to configure the control port.

    Select an option from the list.

    Node 0 Port

    Specifies the port number on which to configure the control port.

    Select an option from the list.

    Node 1 FPC

    Optional. Specifies the FPC slot number on which to configure the control port.

    Select an option from the list.

    Node 1 Port

    Optional. Specifies the port number on which to configure the control port.

    Select an option from the list.

    Save Backup (Optional)

    Save Backup (to client)

    Saves a backup of the current configuration to the client's local machine.

    Note:

    When restarting the primary unit, J-Web deletes the existing configuration to configure the chassis cluster. Therefore, it is recommended that you save a backup file of your current settings before committing the new configuration.

    Enable the option to save the backup file of your settings.

  5. Click Reboot and Continue to restart the primary unit and configure the chassis cluster.
  6. After the primary unit (node 0) reboots, connect to the management port of the secondary unit to switch to the secondary unit.
  7. Click Refresh if the management IP address of the secondary unit is the same as the existing device default IP address. If not, open a new browser window with the new secondary device IP address.
  8. To configure the secondary unit, complete the configuration according to the guidelines provided in Table 2.
    Table 2: Secondary Unit Configuration

    Field

    Description

    Action

    Secondary Unit Information

    Cluster ID

    Specifies the number by which a cluster is identified.

    Note:

    The cluster ID must be the same for both the primary and secondary units.

    Enter a number from 1 through 255. By default, 1 is assigned.

    Device Password

    Root Password

    Specifies the root password of the device.

    Enter a new root password.

    Re-Enter Password

    -

    Reenter the root password.

    Control Ports
    Note:

    This option is available only for SRX5600 and SRX5800 devices.

    Dual Link

    Provides a redundant link for failover.

    By default, this option is disabled.

    Once you enable the dual link option, the following fields appear:

    • Link 1

      • Node 0 FPC—Select an option from the list.

      • Node 0 Port—Select an option from the list.

      • Node 1 FPC.

      • Node 1 Port.

    • Link 2 (Optional)

      • Node 0 FPC—Select an option from the list.

      • Node 0 Port—Select an option from the list.

      • Node 1 FPC.

      • Node 1 Port.

    Node 0 FPC

    Specifies the FPC slot number on which to configure the control port.

    Select an option from the list.

    Node 0 Port

    Specifies the port number on which to configure the control port.

    Select an option from the list.

    Node 1 FPC

    Optional. Specifies the FPC slot number on which to configure the control port.

    Select an option from the list.

    Node 1 Port

    Optional. Specifies the port number on which to configure the control port.

    Select an option from the list.

    Save Backup (Optional)

    Save Backup (to client)

    Saves a backup of the current configuration to the client's local machine.

    Note:

    When restarting the secondary unit, J-Web deletes the existing configuration to configure the chassis cluster. Therefore, it is recommended that you save a backup file of your current settings before committing the new configuration.

    Enable the option to save the backup file of your settings.

  9. Click Reboot and Continue to restart the secondary unit and configure the chassis cluster.
  10. After the secondary unit (node 1) reboots, launch the J-Web UI using the primary unit's management IP address.
  11. Navigate to Cluster Management > Cluster (HA) Setup.

    The Cluster Wizard page opens and displays the Cluster Status step.

    Note:
    • J-Web uses show chassis cluster status to verify the control link status. The number on the link indicates whether it is a single link (1) or dual links (2).

      The control and fabric link status colors are as follows:

      • Green—Indicates that the links are up.

      • Red—Indicates that the links are down.

      • Orange—Indicates that one of the dual links is up.

      • Grey—Indicates that the fabric link is not configured.

    • If the chassis cluster is not connected, the connection has failed and all possible failure reasons are displayed. For troubleshooting tips, see Juniper Knowledge Search.

    • You can configure the fabric link only after the chassis cluster is formed. For a first-time configuration, the chassis status displays The fabric ports links is not yet configured.

  12. To configure the fabric link, complete the configuration according to the guidelines provided in Table 3.
    Table 3: Fabric Link Configuration

    Field

    Description

    Action

    Fabric Link Details

    Dual Link

    Provides a redundant link for failover.

    Enable this option.

    Link 1

    Fabric 0

    Specifies the fabric port link for node 0.

    Select an interface from the list.

    Fabric 1

    Specifies the fabric port link for node 1.

    -

    Link 2 (Optional)

    Fabric 0

    Specifies the secondary fabric port link for node 0.

    Select an interface from the list.

    Fabric 1

    Specifies the secondary fabric port link for node 1.

    -

  13. Click Configure Link.
  14. Click Next.
  15. To add a redundant Ethernet (reth) interface, click + and complete the configuration according to the guidelines provided in Table 4.
    Note:

    You can also use the pencil icon to edit a reth interface and the delete icon to delete reth interfaces.

    Table 4: Add Reth Interface

    Field

    Description

    Action

    RETH Name

    Specifies the reth interface name.

    Enter a name for the reth interface.

    Node 0 Interfaces

    Specifies the list of Node 0 interfaces.

    Select an interface from the Available column and move it to the Selected column.

    Node 1

    Specifies the Node 1 interfaces based on the node 0 interfaces.

    -

    Advance Settings

    LACP Configuration

    Optional. Configure Link Aggregation Control Protocol (LACP).

    -

    LACP Mode

    Optional. Specifies the LACP mode.

    Available options are:

    • active—Initiate transmission of LACP packets.

    • passive—Respond to LACP packets.

    • periodic—Interval for periodic transmission of LACP packets.

    Select an option from the list.

    Periodicity

    Optional. Specifies the interval at which the interfaces on the remote side of the link transmit link aggregation control protocol data units (PDUs).

    Available options are:

    • fast—Transmit link aggregation control PDUs every second.

    • slow—Transmit link aggregation control PDUs every 30 seconds.

    Select an option from the list.

    Description

    Optional. Specifies the description for LACP.

    Enter a description.

    VLAN Tagging

    Optional. Specifies whether or not to enable VLAN tagging.

    Enable this option.

    Redundancy Group

    Specifies the number of the redundancy group that the reth interface belongs to.

    -

  16. Click Save.

    The virtual reth interface is created.

  17. To add a logical interface to the new virtual reth interface, complete the configuration according to the guidelines provided in Table 5.
    Table 5: Add Reth Logical Interface

    Field

    Description

    Action

    General

    Reth Interface Name

    Specifies the name of the reth interface.

    Enter a name for the reth interface.

    Logical Interface Unit

    Specifies the logical interface unit.

    Enter the logical interface unit.

    Description

    Specifies the description of the reth interface.

    Enter the description.

    VLAN ID

    Optional. Specifies the VLAN ID.

    Enter the VLAN ID.

    IPv4 Address

    IPv4 Address

    Specifies the IPv4 address.

    Click + and enter a valid IP address.

    Subnet Mask

    Specifies the subnet mask for the IPv4 address.

    Enter a valid subnet mask.

    IPv6 Address (Optional)

    IPv6 Address

    Specifies the IPv6 address.

    Enter a valid IP address.

    Prefix Length

    Specifies the number of bits set in the subnet mask.

    Enter the prefix length.

  18. Click OK.
  19. To configure zones, complete the configuration according to the guidelines provided in Table 6.
    Note:
    • With the factory default configuration, the trust and untrust zones are displayed by default.

    • You can edit the security zones, add new zones, and delete the newly added zones. You receive an error message at commit time if you try to delete a default zone, because the default zones are referenced in the security policies.

    • You can also edit zone description, application tracking, source identity log, interfaces, system services, protocols, and traffic control options.

    Table 6: Create Zones

    Field

    Description

    Action

    General Information

    Name

    Specifies the name of the zone.

    Enter a name for the zone.

    Description

    Specifies a description for the zone.

    Enter a description for the zone.

    Application Tracking

    Enables application tracking (AppTrack) to collect statistics for the application usage on the device, and when the session closes

    Enable this option.

    Source Identity Log

    Specifies the source-identity-log parameter as part of the configuration for a zone to enable it to trigger user identity logging when that zone is used as the source zone (from-zone) in a security policy.

    Enable this option.

    Interfaces

    Interfaces

    Specifies the list of reth interfaces available.

    Select an interface from the Available column and move it to the Selected column.

    System Services

    Except

    Drops the selected services.

    Enable this option if you want to drop the selected services.

    Services

    Specifies the types of incoming system service traffic that can reach the device for all interfaces in a zone.

    Select a service from the Available column and move it to the Selected column.

    Protocols

    Except

    Drops the selected protocols.

    Enable this option if you want to drop the selected protocols.

    Protocols

    Specifies the types of routing protocol traffic that can reach the device on a per-interface basis.

    Select a protocol from the Available column and move it to the Selected column.

    Traffic Control Options

    TCP Reset

    Specifies that the device sends a TCP segment with the RST (reset) flag set to 1 (one) in response to a TCP segment that has any flag other than SYN set and that does not belong to an existing session.

    Enable this option.

  20. Click OK.
  21. Click Finish.

    A cluster setup success message appears.

    If you click the Cluster (HA) Setup menu again, a cluster setup success message appears, and you can click Cluster Configuration to view and edit the chassis cluster configuration.

    Note:

    If the chassis cluster configuration fails after you click Finish, edit the configuration as required and commit the changes again.
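The settings the wizard collects in Tables 1 through 6, expressed as Junos CLI set commands; this is an added example written for this page, not the wizard's own output or a Juniper sample. It uses the values the page gives (cluster ID 1, priorities 200/100, host names SRX1500-01/02, redundancy group 1) and assumes the management addresses, next hop, SRX1500-style interface names (node 1 ports start at ge-7/0/x), VLAN ID, unit number, and zone services shown; the control-ports lines apply only to SRX5600 and SRX5800.

```junos
# Added example (not the wizard's output). Values marked "assumed" are placeholders.
# Operational mode, run once per unit; this is what the Reboot and Continue step does:
#   set chassis cluster cluster-id 1 node 0 reboot    (on the primary unit)
#   set chassis cluster cluster-id 1 node 1 reboot    (on the secondary unit)

# Node-specific settings: host names from Table 1, management addresses assumed
set groups node0 system host-name SRX1500-01
set groups node0 interfaces fxp0 unit 0 family inet address 192.0.2.11/24
set groups node1 system host-name SRX1500-02
set groups node1 interfaces fxp0 unit 0 family inet address 192.0.2.12/24
set apply-groups "${node}"

# Static route for management reachability (destination and next hop assumed)
set routing-options static route 198.51.100.0/24 next-hop 192.0.2.1

# Root password (replace the placeholder hash) and root SSH login, which the wizard
# enables; root-login can be set back to deny once setup is complete
set system root-authentication encrypted-password "$6$PLACEHOLDER-HASH"
set system services ssh root-login allow

# Control ports: SRX5600 and SRX5800 only, one FPC/port pair per node (slots assumed)
# set chassis cluster control-ports fpc 0 port 0
# set chassis cluster control-ports fpc 12 port 0

# Priorities from Table 1; RG0 holds the Routing Engine, RG1 carries the reth interface
set chassis cluster reth-count 1
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

# Fabric link (Table 3): one child interface per node (ports assumed)
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-7/0/2

# reth0 (Table 4): member ports, RG1, LACP active with fast periodic, VLAN tagging
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-7/0/3 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 redundant-ether-options lacp active
set interfaces reth0 redundant-ether-options lacp periodic fast
set interfaces reth0 vlan-tagging

# Logical unit (Table 5): unit number, VLAN ID and address assumed
set interfaces reth0 unit 10 vlan-id 10 family inet address 10.10.10.1/24

# Zone (Table 6): reth0.10 in trust, only ping and ssh inbound to the device, TCP reset on
set security zones security-zone trust interfaces reth0.10 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces reth0.10 host-inbound-traffic system-services ssh
set security zones security-zone trust tcp-rst
```

After commit, show chassis cluster status and show chassis cluster interfaces report the redundancy-group priorities and the control and fabric link states that the wizard's Cluster Status step colours green, red, orange, or grey.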