> > While testing the failover in SRX650 cluster. I have removed the control > link between the primary and secondary. The secondary node went to > ineligible mode. The secondry FW is still accessible through OoB > interface. When I returned back the control link I couldn't reach the FW > through OoB interface "ge-0/0/0". The only way to access the box is > through console and found the secondary firewall is in disable mode. > Then when I rebooted the whole firewall, it worked normally. Is it > normal? And how to reach the secondary firewall remotely in case of > control link flap? I have faced the same issue when removing the fab > link. > > > Looks like a routing issue. Try to check it out with "show route a.b.c.d" command, when you access the disabled box through the console port, where a.b.c.d is IP address of the machine, you are trying to get remote access form. Most probably it will show you something different from a route pointing through fxp0. If this is the case, you need to configure a backup router, which would make the disabled node (which does not run rpd) to route packets to the management station through fxp0.
http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-system-basics/backup-router-configuring.html BTW, next time you want the public to guess the solution for your issue, try to be a bit more informative in providing basic troubleshooting details. E. g. instead of just saying "I couldn't reach the FW through OoB interface "ge-0/0/0"", it would've been better to say something like "I checked the whole path from my machine a.b.c.d/24 to the fxp0 interface of the node1, which has address w.x.y.z/24 and… I see the packets coming to the penultimate hop router, but the FW's fxp0 interface, which is the next and last hop, does [not] respond to ARP requests… Than I tried to ping my machine back from the FW with "ping a.b.c.d interface fxp0", and got the following output… than I performed a traceroute… I checked what comes to the fxp0 interface with "monitor traffic interface fxp0" and saw…", etc. Otherwise, I'm afraid, this sort of gambling-style troubleshooting, in which you ask us to help you, will not be much effective anyway. Monte-Carlo is a good method but it's too slow in convergence. -- Pavel _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
