Configure IP Monitoring in SRX Cluster

There may be cases in our network where we want to fail over to the secondary node when the Internet connection or a link breaks. In a Juniper SRX cluster, you can configure failover so that it is initiated when a specified IP address becomes unreachable. The interface monitor feature configured in a redundancy group cannot accomplish this kind of failover, so there is another feature called IP monitoring. IP monitoring lets you monitor a specific IP address, and when that address is unreachable, failover is initiated. IP monitoring is easy to configure in an SRX cluster. Generally, the IP address to be monitored is the gateway IP address.

Configure IP Monitoring in SRX Cluster

In our scenario, we already have an active/passive SRX cluster configured. As seen in the diagram below, SRX node 0 is primary and node 1 is secondary. The public IP address configured on Reth0 is 2.2.2.2/29 and the gateway used to reach the Internet is 2.2.2.1. If, as shown below, one of the Internet links between the switch and the ISP fails, the Internet connection will not be available. So the IP monitoring feature must be configured to switch the SRX cluster node if one of the links between the switch and the Internet fails.

Figure: Active Passive Monitoring

The SRX redundancy group configuration looks like this:



{primary:node0}[edit chassis cluster]
root@SRX_NODE01# show
control-link-recovery;
reth-count 3;
redundancy-group 0 {
    node 0 priority 254;
    node 1 priority 1;
}
redundancy-group 1 {
    node 0 priority 200;
    node 1 priority 150;
    gratuitous-arp-count 15;
    interface-monitor {
        ge-0/0/3 weight 255;
        ge-5/0/3 weight 255;
        ge-0/0/4 weight 255;
        ge-5/0/4 weight 255;
    }
}

Now, let’s configure IP monitoring. Our goal is to configure SRX node failover so that if the primary Internet link between the switch and the ISP fails, node 1 becomes the primary node for redundancy group 1 and Internet traffic passes over the secondary link.

{primary:node0}[edit chassis cluster]
root@SRXNODE01# set redundancy-group 1 ip-monitoring global-weight 255 [This command sets the global weight to 255.]

{primary:node0}[edit chassis cluster]
root@SRXNODE01# set redundancy-group 1 ip-monitoring global-threshold 80 [This command sets the global threshold to 80.]

{primary:node0}[edit chassis cluster]
root@SRXNODE01# set redundancy-group 1 ip-monitoring retry-interval 3 [This command sets the retry interval to 3 seconds, which means the device pings the monitored IP address once every 3 seconds.]

{primary:node0}[edit chassis cluster]
root@SRXNODE01# set redundancy-group 1 ip-monitoring retry-count 6  [This command sets the retry count to 6. If the gateway is unreachable, the device pings it 6 times, once every 3 seconds, before it declares the monitored IP address unreachable. So the total wait is 18 seconds.]

{primary:node0}[edit chassis cluster]
root@SRXNODE01# set redundancy-group 1 ip-monitoring family inet 2.2.2.1 weight 80 [This is the monitored IP address, which is generally the gateway IP address. If the gateway address is declared unreachable, this weight is deducted from the global threshold. If the result is 0, failover is initiated; otherwise it is not. In our case, failover is initiated.]

{primary:node0}[edit chassis cluster]
root@SRXNODE01# set redundancy-group 1 ip-monitoring family inet 2.2.2.1 interface reth0.0 secondary-ip-address 2.2.2.3 [This command sets the source Reth interface that sends the ping requests, and also sets the secondary IP address that the secondary node uses as its source IP address when pinging the monitored IP address.]
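
The weight arithmetic behind these commands can be checked before committing. The following is an added example, not part of the original article or Juniper's code: it models the unreachable IP's weight being deducted from global-threshold, and global-weight then being deducted from the redundancy group's own threshold of 255 (the same threshold the interface-monitor weights draw on). The class and function names are hypothetical, and the WEAK variant is constructed to show a monitored IP whose weight is too small to trigger failover.

```python
from dataclasses import dataclass

RG_THRESHOLD = 255  # every Junos redundancy group starts from a threshold of 255


@dataclass
class IpMonitoring:
    global_weight: int     # taken off the redundancy-group threshold
    global_threshold: int  # budget that unreachable-IP weights eat into
    retry_interval: int    # seconds between pings
    retry_count: int       # failed pings before an IP is declared unreachable
    targets: dict          # monitored IP -> weight

    def detection_seconds(self):
        """Time from the first lost ping until the IP counts as unreachable."""
        return self.retry_interval * self.retry_count

    def deduction(self, unreachable):
        """Weight that IP monitoring removes from the redundancy-group threshold."""
        lost = sum(w for ip, w in self.targets.items() if ip in unreachable)
        # global-weight applies only once the lost weight uses up global-threshold
        exhausted = lost > 0 and lost >= self.global_threshold
        return self.global_weight if exhausted else 0


def fails_over(ipmon, unreachable, failed_interface_weights=()):
    """True when the redundancy-group threshold is driven down to 0 or below."""
    remaining = RG_THRESHOLD - ipmon.deduction(unreachable)
    remaining -= sum(failed_interface_weights)
    return remaining <= 0


# Values from the page's redundancy-group 1 configuration.
PAGE = IpMonitoring(255, 80, 3, 6, {"2.2.2.1": 80})
# Constructed weak variant: the only monitored IP weighs less than the threshold.
WEAK = IpMonitoring(255, 80, 3, 6, {"2.2.2.1": 40})

if __name__ == "__main__":
    down = {"2.2.2.1"}
    print("detection time:", PAGE.detection_seconds(), "s")
    print("page config fails over:", fails_over(PAGE, down))
    print("weak config fails over:", fails_over(WEAK, down))
```

With the weak variant the gateway can be down indefinitely without a failover, which is the misconfiguration to look for when the per-IP weights do not add up to the global threshold.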

To view the configuration, type show under the same hierarchy.

{primary:node0}[edit chassis cluster]
root@SRX_NODE01# show
control-link-recovery;
reth-count 3;
redundancy-group 0 {
    node 0 priority 254;
    node 1 priority 1;
}
redundancy-group 1 {
    node 0 priority 200;
    node 1 priority 150;
    gratuitous-arp-count 15;
    interface-monitor {
        ge-0/0/3 weight 255;
        ge-5/0/3 weight 255;
        ge-0/0/4 weight 255;
        ge-5/0/4 weight 255;
    }
    ip-monitoring {
        global-weight 255;
        global-threshold 80;
        retry-interval 3;
        retry-count 6;
        family {
            inet {
                2.2.2.1 {
                    weight 80;
                    interface reth0.0 secondary-ip-address 2.2.2.3;
                }
            }
        }
    }
}

Now commit the configuration.

To view the IP monitoring status, type the following command.

{primary:node0}
root@SRXNODE01> show chassis cluster ip-monitoring status redundancy-group 1
node0:
--------------------------------------------------------------------------
 
Redundancy group: 1
 
IP address        Status        Failure count  Reason
2.2.2.1           reachable       0            n/a
 
node1:
--------------------------------------------------------------------------
 
Redundancy group: 1
 
IP address        Status        Failure count  Reason
2.2.2.1           reachable       0            n/a

As you can see, the monitored IP address is reachable from both node 0 and node 1. Now, in our scenario, if the primary Internet link between the switch and the ISP fails, node 1 will become primary for the chassis cluster and the Internet traffic will be sent by node 1 via the secondary Internet link. In this way you can configure IP monitoring in an SRX cluster depending on your scenario.
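
For ongoing monitoring, the status output above can be parsed and checked per node. This is an added example, not part of the original article: the sample text follows the layout shown above, but the failing node1 row and its reason text are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the status output above; the node1 row
# and its reason text are made up to show a failing probe.
SAMPLE = """\
node0:
--------------------------------------------------------------------------

Redundancy group: 1

IP address        Status        Failure count  Reason
2.2.2.1           reachable       0            n/a

node1:
--------------------------------------------------------------------------

Redundancy group: 1

IP address        Status        Failure count  Reason
2.2.2.1           unreachable     6            no route to host
"""

ROW = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\d+)\s+(.+)")


def parse_status(text):
    """Return one dict per monitored IP row, tagged with node and group."""
    rows, node, group = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"(node\d+):", line):
            node = m.group(1)
        elif m := re.fullmatch(r"Redundancy group:\s*(\d+)", line):
            group = int(m.group(1))
        elif m := ROW.fullmatch(line):
            ip, status, failures, reason = m.groups()
            rows.append({"node": node, "group": group, "ip": ip,
                         "status": status, "failures": int(failures),
                         "reason": reason})
    return rows


def problems(rows):
    """Rows that need attention: not reachable, or with counted failures."""
    return [r for r in rows if r["status"] != "reachable" or r["failures"] > 0]


if __name__ == "__main__":
    for r in problems(parse_status(SAMPLE)):
        print(f'{r["node"]} rg{r["group"]}: {r["ip"]} {r["status"]} ({r["reason"]})')
```

A probe that fails only from the secondary node is worth alerting on, because it usually points at the secondary-ip-address or that node's path to the gateway.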

For more information, visit Juniper.net.




Bipin is a freelance Network and System Engineer with expertise on Cisco, Juniper, Microsoft, VMware, and other technologies. You can hire him on UpWork. Bipin enjoys writing articles and tutorials related to Network technologies. Some of his certifications are, MCSE:Messaging, JNCIP-SEC, JNCIS-ENT, and others.
