SRX Services Gateway

Traffic entering on node0 and exiting on node1

a month ago

We have a cluster SRX1500, all looks good, but traffic is entering node0 but exiting on node1.

Does anyone have any idea why this is happening?

Here is an example:

node0:
--------------------------------------------------------------------------

Session ID: 1109263, Policy name: default-permit/27, State: Active, Timeout: 1762, Valid
In: 10.240.22.154/25791 --> 10.24.11.11/1636;tcp, Conn Tag: 0x0, If: st0.2, Pkts: 0, Bytes: 0,
Out: 10.24.11.11/1636 --> 10.28.254.30/32955;tcp, Conn Tag: 0x0, If: reth0.0, Pkts: 10591, Bytes: 13397661,

node1:
--------------------------------------------------------------------------

Session ID: 370264, Policy name: default-permit/27, State: Backup, Timeout: 1762, Valid
In: 10.240.22.154/25791 --> 10.24.11.11/1636;tcp, Conn Tag: 0x0, If: st0.2, Pkts: 5911, Bytes: 311978,
Out: 10.24.11.11/1636 --> 10.28.254.30/32955;tcp, Conn Tag: 0x0, If: reth0.0, Pkts: 0, Bytes: 0,


Re: Traffic entering on node0 and exiting on node1

a month ago

Hi thereddevilguy,

Can you provide me the output of "show chassis cluster status"?

Looks like RG1+ is Active on a different Node.



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Traffic entering on node0 and exiting on node1

a month ago

Thank you for the reply, Sir.

From the cluster perspective it all looks fine:

Cluster ID: 1
Node   Priority Status               Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  100      primary              no      no       None
node1  1        secondary            no      no       None

Redundancy group: 1 , Failover count: 1
node0  100      primary              yes     no       None
node1  0        secondary            yes     no       IF

Redundancy group: 2 , Failover count: 1
node0  100      primary              yes     no       None
node1  0        secondary            yes     no       IF

Re: Traffic entering on node0 and exiting on node1

a month ago

Hello,

Generally, the Active session is created on the node where the traffic is exiting and in this case, it is Node 0. So, I think the traffic is coming via st0.2 in Node 1, traversing through the fabric link and exiting via reth0.0 of Node 0. This is my assumption.

Can you tell me the underlying interface where the st0.2 is bound? Also, provide me with the following output.

user@host> show interfaces terse | match inet

user@host> show chassis cluster interfaces



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Traffic entering on node0 and exiting on node1

a month ago

Hello,

Yes sure,
I am thinking of maybe disabling the cluster; maybe it is some unexpected behavior. From a configuration point of view, I am not seeing anything wrong.

Thank you for the support.

> show interfaces terse | match inet
ge-0/0/0.0              up    up   inet     192.168.20.1/24
ge-0/0/2.0              up    up   inet     192.168.22.1/24
ge-0/0/3.0              up    down inet
ge-0/0/4.0              up    up   inet     192.168.24.1/24
ge-0/0/5.0              up    up   inet     
ge-0/0/6.0              up    up   inet     192.168.26.1/24
ge-0/0/8.0              up    up   inet     192.168.28.1/24
ge-0/0/10.0             up    up   inet     192.168.30.1/24
ge-0/0/13.0             up    up   inet     10.254.0.26/30
ge-7/0/4.0              up    up   inet     192.168.44.1/24
ge-7/0/8.0              up    up   inet     192.168.48.1/24
ge-7/0/13.0             up    up   inet     10.254.0.30/30
em0.0                   up    up   inet     129.16.0.1/2
em1.32768               up    up   inet     192.168.1.2/24
fab0.0                  up    up   inet     30.17.0.200/24
fab1.0                  up    up   inet     30.18.0.200/24
fxp0.0                  up    up   inet     192.168.60.2/24
lo0.0                   up    up   inet     172.100.1.1         --> 0/0
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
reth0.0                 up    up   inet     10.28.254.2/26
reth1.0                 up    up   inet     172.28.254.2/26
st0.0                   up    up   inet     169.254.0.0/31
st0.1                   up    up   inet     169.254.0.2/31
st0.2                   up    up   inet     169.254.0.4/31
st0.3                   up    up   inet     169.254.0.6/31
st0.4                   up    up   inet     169.254.0.8/31
st0.5                   up    up   inet     169.254.0.10/31
st0.6                   up    up   inet     169.254.4.4/31
st0.7                   up    up   inet     169.254.4.6/31
st0.8                   up    up   inet
st0.9                   up    up   inet
st0.10                  up    up   inet     169.254.4.8/31
st0.11                  up    up   inet     169.254.4.10/31

{primary:node0}
> show chassis cluster interfaces
Control link status: Up

Control interfaces:
    Index   Interface   Monitored-Status   Internal-SA   Security
    0       em0         Up                 Disabled      Disabled

Fabric link status: Up

Fabric interfaces:
    Name    Child-interface    Status                    Security
                               (Physical/Monitored)
    fab0    ge-0/0/9           Up   / Up                 Disabled
    fab0
    fab1    ge-7/0/9           Up   / Up                 Disabled
    fab1

Redundant-ethernet Information:
    Name         Status      Redundancy-group
    reth0        Up          1
    reth1        Up          2

Redundant-pseudo-interface Information:
    Name         Status      Redundancy-group
    lo0          Up          0

Interface Monitoring:
    Interface         Weight    Status                    Redundancy-group
                                (Physical/Monitored)
    ge-7/0/11         255       Down  /  Down             1
    ge-0/0/11         255       Up  /  Up                 1
    ge-7/0/7          255       Down  /  Down             2
    ge-0/0/7          255       Up  /  Up                 2

{primary:node0}
>

Re: Traffic entering on node0 and exiting on node1

a month ago

Hi,

Thank you for the output.

Can you tell me the external interface for this tunnel - st0.2?

This setup is actually not an issue, but the thing is you need to identify where the traffic is coming from. The source NAT is happening on the traffic and the traffic is coming into the SRX via VPN. If the VPN external interface is active on Node 1, in this case, I suspect a standalone interface (ge-7/0/*), then traffic will come on Node 1.

You can disable the cluster on the secondary node and check, but if the VPN is actually using the secondary node's physical interface then your VPN will go down and stay that way.



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
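
The per-node counters in the session output from the first post can be compared mechanically. The Python below is an added example, not part of any post in this thread; its function names are hypothetical and it assumes the flow session text format shown in that post. It reports which node's copy of the session counted packets on each wing.

```python
import re

# Session output from the first post in this thread (separator rows dropped).
SAMPLE = """\
node0:
Session ID: 1109263, Policy name: default-permit/27, State: Active, Timeout: 1762, Valid
In: 10.240.22.154/25791 --> 10.24.11.11/1636;tcp, Conn Tag: 0x0, If: st0.2, Pkts: 0, Bytes: 0,
Out: 10.24.11.11/1636 --> 10.28.254.30/32955;tcp, Conn Tag: 0x0, If: reth0.0, Pkts: 10591, Bytes: 13397661,
node1:
Session ID: 370264, Policy name: default-permit/27, State: Backup, Timeout: 1762, Valid
In: 10.240.22.154/25791 --> 10.24.11.11/1636;tcp, Conn Tag: 0x0, If: st0.2, Pkts: 5911, Bytes: 311978,
Out: 10.24.11.11/1636 --> 10.28.254.30/32955;tcp, Conn Tag: 0x0, If: reth0.0, Pkts: 0, Bytes: 0,
"""
NODE_RE = re.compile(r"^(node\d+):$")
WING_RE = re.compile(r"^(In|Out): ([^\s;]+) --> ([^\s;]+);(\w+),.*?If: ([^\s,]+), Pkts: (\d+)")

def parse_sessions(text):
    """Return one dict per session copy: node, state, and In/Out wing details."""
    sessions, node, cur = [], None, None
    for line in map(str.strip, text.splitlines()):
        if m := NODE_RE.match(line):
            node = m.group(1)
        elif line.startswith("Session ID:"):
            cur = {"node": node, "state": re.search(r"State: (\w+)", line).group(1)}
            sessions.append(cur)
        elif cur is not None and (m := WING_RE.match(line)):
            wing, src, dst, proto, ifname, pkts = m.groups()
            cur[wing] = {"flow": f"{src} -> {dst} ({proto})", "if": ifname, "pkts": int(pkts)}
    return sessions

def wing_counters(sessions):
    """Group copies of a session by In-wing flow; list who counted packets per wing."""
    report = {}
    # Entries missing either wing are incomplete and are skipped.
    for s in (s for s in sessions if {"In", "Out"} <= s.keys()):
        entry = report.setdefault(s["In"]["flow"], {"active": None, "In": [], "Out": []})
        if s["state"] == "Active":
            entry["active"] = s["node"]
        for wing in ("In", "Out"):
            if s[wing]["pkts"] > 0:
                entry[wing].append((s["node"], s[wing]["if"], s[wing]["pkts"]))
    return report

def split_flows(report):
    """Flows whose In and Out wings were counted on different nodes."""
    return [f for f, e in report.items() if {n for n, *_ in e["In"]} != {n for n, *_ in e["Out"]}]

if __name__ == "__main__":
    print(wing_counters(parse_sessions(SAMPLE)))
```

Paste the combined node0/node1 session output into `SAMPLE` to check other flows the same way.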