
Upstream Router ARP Problem


Hi,

 

2 SRX100's in a cluster. (IP addresses obfuscated in the following config.)

 

The problem I have is that the SRX doesn't respond to ARP requests for 109.3.4.88 from the upstream router (109.3.4.65); it only responds for 109.3.4.92. I also tried a simpler config with no proxy ARP and both IPs (109.3.4.88 and 109.3.4.92) configured directly on the external interface, just to see what happens. Again, the SRX cluster only ever responds to ARP requests for one of the IPs.

 

Any ideas? Have I just made a simple config mistake? (I'm an SRX noob, so quite probably!)

 

TIA

Mark

 

## Last commit: 2016-10-25 17:25:53 UTC by root
# Junos release this configuration was saved on.
# NOTE(review): the header shows the last commit was made as root, and no
# per-user login accounts appear in the config as posted. Named accounts
# would make commits attributable to a person - confirm whether they were
# simply trimmed from the post.
version 12.1X44.5;
# Per-node settings for the two chassis-cluster members. Each group carries
# only that node's host name and the address of its fxp0 interface.
groups {
    node0 {
        system {
            host-name companysrx01;
        }
        interfaces {
            # fxp0 address for node0 (192.168.1.0/24).
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.1.11/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name companysrx02;
        }
        interfaces {
            # fxp0 address for node1, in the same /24 as node0.
            fxp0 {
                unit 0 {
                    family inet {
                        address 192.168.1.12/24;
                    }
                }
            }
        }
    }
}
# "${node}" expands to the local node's name, so each member inherits only
# its own group (node0 or node1) from the block above.
apply-groups "${node}";
# Device-level authentication and management services.
system {
    root-authentication {
        # "blah" is not a real hash; presumably the poster replaced it before
        # publishing. Real password hashes should stay out of public posts.
        encrypted-password "blah"; ## SECRET-DATA
    }
    services {
        # SSH is enabled with no further options in the config as posted
        # (no root-login restriction or rate limit is shown).
        # NOTE(review): zones orange and red list only ping under
        # host-inbound-traffic, so SSH is presumably reachable only through
        # fxp0 - confirm.
        ssh;
        web-management {
            # J-Web is served over plain HTTP and bound to fxp0.0 only.
            # NOTE(review): HTTP carries the login and session unencrypted on
            # the management network; the https form of web-management is the
            # usual choice.
            http {
                interface fxp0.0;
            }
        }
    }
}
# Chassis-cluster definition: two redundant Ethernet (reth) interfaces and
# two redundancy groups, with node 0 preferred in both.
chassis {
    cluster {
        reth-count 2;
        # Redundancy group 0: node 0 has the higher priority (100 vs 1).
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        # Redundancy group 1 is the group both reth0 and reth1 belong to
        # (see redundant-ether-options under interfaces).
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
            # All four reth member links are monitored with weight 255.
            # NOTE(review): 255 presumably equals the failover threshold, so
            # a single monitored link going down would fail this group over -
            # confirm against the release documentation.
            interface-monitor {
                fe-0/0/0 weight 255;
                fe-0/0/1 weight 255;
                fe-1/0/0 weight 255;
                fe-1/0/1 weight 255;
            }
        }
    }
}
# Physical member links, the two fabric links, and the two reth interfaces
# that carry the external (reth0) and internal (reth1) addresses.
interfaces {
    # fe-0/0/0 and fe-1/0/0 are the two member links of reth0.
    fe-0/0/0 {
        fastether-options {
            redundant-parent reth0;
        }
    }
    # fe-0/0/1 and fe-1/0/1 are the two member links of reth1.
    fe-0/0/1 {
        fastether-options {
            redundant-parent reth1;
        }
    }
    fe-1/0/0 {
        fastether-options {
            redundant-parent reth0;
        }
    }
    fe-1/0/1 {
        fastether-options {
            redundant-parent reth1;
        }
    }
    # Fabric links between the cluster members, one port per node.
    fab0 {
        fabric-options {
            member-interfaces {
                fe-0/0/5;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                fe-1/0/5;
            }
        }
    }
    # External interface. 109.3.4.92/27 is the only address configured here;
    # 109.3.4.88 is not an interface address and is handled by the proxy-arp
    # statement under security nat.
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 109.3.4.92/27;
            }
        }
    }
    # Internal interface.
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.201.1.253/24 {
                    # Static ARP entry mapping 10.201.1.12 to a multicast MAC.
                    # The MAC is 03:bf followed by the IP's four octets in hex
                    # (0a:c9:01:0c), which matches the layout of an NLB
                    # multicast-mode cluster MAC - presumably why a static
                    # entry is used; confirm.
                    arp 10.201.1.12 multicast-mac 03:bf:0a:c9:01:0c;
                }
            }
        }
    }
}
# Static routing only: one internal prefix and the default route.
routing-options {
    static {
        # 10.1.1.0/24 is reached through 10.201.1.1 on the reth1 subnet
        # (named companysum01-int in the address book).
        route 10.1.1.0/24 next-hop 10.201.1.1;
        # Default route via 109.3.4.65, the upstream router named in the post.
        route 0.0.0.0/0 next-hop 109.3.4.65;
    }
}
# Address objects, NAT, proxy ARP, security policies and zones.
# Zone "red" holds reth0.0 (external) and zone "orange" holds reth1.0 (internal).
security {
    address-book {
        global {
            # companysmtp01-ext and companywap01-ext are the same public
            # address (109.3.4.88); the static NAT rules below split it by
            # destination port. companyuranlb-ext (109.3.4.92) is also
            # reth0.0's own interface address.
            address companysmtp01-int 10.201.1.15/32;
            address companysmtp01-ext 109.3.4.88/32;
            address companywap01-ext 109.3.4.88/32;
            address companywap01-int 10.201.1.16/32;
            address companysum01-int 10.201.1.1/32;
            address companyuranlb-ext 109.3.4.92/32;
            address companyuranlb-int 10.201.1.12/32;
        }
    }
    nat {
        source {
            rule-set rs-src-nat-from-zone-orange {
                from zone orange;
                to zone red;
                # Host-hide outbound traffic
                # Every orange-to-red flow is translated to the egress
                # interface address.
                rule src-nat-outbound-all {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        # Port-specific static NAT for traffic arriving from zone red:
        #   109.3.4.88:80    -> 10.201.1.16:80
        #   109.3.4.88:443   -> 10.201.1.16:443
        #   109.3.4.88:25    -> 10.201.1.15:25
        #   109.3.4.88:49443 -> 10.201.1.16:49443
        #   109.3.4.92:443   -> 10.201.1.12:443
        static {
            rule-set rs-static-nat-from-zone-red {
                from zone red;
                rule static-nat-in-companywap01-http {
                    match {
                        destination-address-name companywap01-ext;
                        destination-port 80;
                    }
                    then {
                        static-nat {
                            prefix-name {
                                companywap01-int;
                                mapped-port 80;
                            }
                        }
                    }
                }
                rule static-nat-in-companywap01-https {
                    match {
                        destination-address-name companywap01-ext;
                        destination-port 443;
                    }
                    then {
                        static-nat {
                            prefix-name {
                                companywap01-int;
                                mapped-port 443;
                            }
                        }
                    }
                }
                rule static-nat-in-companysmtp01-smtp {
                    match {
                        destination-address-name companysmtp01-ext;
                        destination-port 25;
                    }
                    then {
                        static-nat {
                            prefix-name {
                                companysmtp01-int;
                                mapped-port 25;
                            }
                        }
                    }
                }
                rule static-nat-in-companywap01-49443 {
                    match {
                        destination-address-name companywap01-ext;
                        destination-port 49443;
                    }
                    then {
                        static-nat {
                            prefix-name {
                                companywap01-int;
                                mapped-port 49443;
                            }
                        }
                    }
                }
                # This rule translates the interface's own address
                # (109.3.4.92) on port 443, so HTTPS to that address goes to
                # the internal host rather than to the device.
                rule static-nat-in-companyuranlb-https {
                    match {
                        destination-address-name companyuranlb-ext;
                        destination-port 443;
                    }
                    then {
                        static-nat {
                            prefix-name {
                                companyuranlb-int;
                                mapped-port 443;
                            }
                        }
                    }
                }
            }
        }
        # Asks reth0.0 to answer ARP for 109.3.4.88, which is not configured
        # on the interface. This is the address the post reports getting no
        # ARP replies for.
        proxy-arp {
            interface reth0.0 {
                address {
                    109.3.4.88/32;
                }
            }
        }
    }
    policies {
        # Inbound policies match the internal (translated) addresses and one
        # application set per server.
        # NOTE(review): none of the policies in this stanza sets a log action,
        # so permitted sessions leave no policy log; session logging on the
        # inbound rules is what an investigation would rely on.
        from-zone red to-zone orange {
            policy inbound-internet-companysmtp01 {
                match {
                    source-address any;
                    destination-address companysmtp01-int;
                    application junos-smtp;
                }
                then {
                    permit;
                }
            }
            policy inbound-internet-companywap01 {
                match {
                    source-address any;
                    destination-address companywap01-int;
                    application [ junos-http junos-https custom-49443 ];
                }
                then {
                    permit;
                }
            }
            policy inbound-internet-companyuranlb {
                match {
                    source-address any;
                    destination-address companyuranlb-int;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
        }
        from-zone orange to-zone red {
            # Any source, destination and application is permitted outbound.
            # NOTE(review): egress from the internal zone is unrestricted and
            # unlogged; published servers such as these usually need only a
            # short list of outbound destinations and ports.
            policy outbound-permit-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        # Only ping is accepted as traffic addressed to the device itself on
        # either zone.
        security-zone orange {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                reth1.0;
            }
        }
        # External zone.
        # NOTE(review): no screen is attached to this zone in the config as
        # posted - confirm whether that is intended for an Internet-facing
        # interface.
        security-zone red {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                reth0.0;
            }
        }
    }
}
# Custom application object used by policy inbound-internet-companywap01.
applications {
    # TCP destination port 49443, the same port the static NAT rule
    # static-nat-in-companywap01-49443 forwards.
    application custom-49443 {
        protocol tcp;
        destination-port 49443;
    }
}

{primary:node0}
root@companysrx01>

 

 

 

 

