I recommend using a backup-router as well. -----Original Message----- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Walaa Abdel razzak Sent: Wednesday, March 23, 2011 1:19 AM To: Michael Lee; EXT - plu...@senetsy.ru Cc: juniper-nsp Subject: Re: [j-nsp] SRX650 Failover Test Issue
Hi Michael It already configured in a group. Also I was trying to telnet from directly connected ip. groups { node0 { system { host-name FW1; } interfaces { fxp0 { unit 0 { family inet { address 11.11.11.2/24; } } } } } node1 { system { host-name FW2; } interfaces { fxp0 { unit 0 { family inet { address 11.11.11.3/24; } } } } } } apply-groups "${node}"; BR, -----Original Message----- From: Michael Lee [mailto:fwis...@gmail.com] Sent: Wednesday, March 23, 2011 3:45 AM To: Pavel Lunin Cc: Walaa Abdel razzak; juniper-nsp Subject: Re: [j-nsp] SRX650 Failover Test Issue Sounds like the interface did not put into group, and should use fxp0 ip instead Regards -mike On Mar 22, 2011, at 12:05, Pavel Lunin <plu...@senetsy.ru> wrote: >> >> While testing the failover in SRX650 cluster. I have removed the >> control link between the primary and secondary. The secondary node >> went to ineligible mode. The secondry FW is still accessible through >> OoB interface. When I returned back the control link I couldn't reach >> the FW through OoB interface "ge-0/0/0". The only way to access the >> box is through console and found the secondary firewall is in disable mode. >> Then when I rebooted the whole firewall, it worked normally. Is it >> normal? And how to reach the secondary firewall remotely in case of >> control link flap? I have faced the same issue when removing the fab >> link. >> >> >> > Looks like a routing issue. Try to check it out with "show route a.b.c.d" > command, when you access the disabled box through the console port, > where a.b.c.d is IP address of the machine, you are trying to get > remote access form. Most probably it will show you something different > from a route pointing through fxp0. If this is the case, you need to > configure a backup router, which would make the disabled node (which > does not run rpd) to route packets to the management station through fxp0. > > http://www.juniper.net/techpubs/en_US/junos10.0/information-products/t > opic-collections/config-guide-system-basics/backup-router-configuring. > html > > BTW, next time you want the public to guess the solution for your > issue, try to be a bit more informative in providing basic troubleshooting > details. E. > g. instead of just saying "I couldn't reach the FW through OoB > interface "ge-0/0/0"", it would've been better to say something like > "I checked the whole path from my machine a.b.c.d/24 to the fxp0 > interface of the node1, which has address w.x.y.z/24 and… I see the > packets coming to the penultimate hop router, but the FW's fxp0 > interface, which is the next and last hop, does [not] respond to ARP > requests… Than I tried to ping my machine back from the FW with "ping > a.b.c.d interface fxp0", and got the following output… than I > performed a traceroute… I checked what comes to the > fxp0 interface with "monitor traffic interface fxp0" and saw…", etc. > > Otherwise, I'm afraid, this sort of gambling-style troubleshooting, in > which you ask us to help you, will not be much effective anyway. > Monte-Carlo is a good method but it's too slow in convergence. > > -- > Pavel > _______________________________________________ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp