How to achieve redundancy using Dynamic Routing Protocols on an Individual Physical Interface in an SRX Chassis Cluster Environment

This article shows how to resume traffic during a failover in a chassis cluster environment when individual interfaces (xe or ge or fe) are used instead of standard cluster interfaces (reth).

The problem is shown in the topology below. It is based on the following assumptions:

  • The L-3 links on Router 1 and 3 are terminated on node0 only.
  • The L-3 links on Router 2 and 4 are terminated on node1 only.
  • The Routers are running dynamic routing protocols.
  • The primary path between Host-1 and Host-2 is as follows:
    R1—– NODE-0 ——-R3
  • If node-0 goes down, routing should change to the following path:
    R2—– NODE-1 ——-R4
  • After node0 fails, node1 takes over the ownership of RG-0 (the control plane), and routing reconverges — but the sessions involving individual interfaces of node0 are no longer available. This will cause any session-sensitive traffic (especially TCP) to fail, and users will be required to restart the application.

How to achieve redundancy using Dynamic Routing Protocols on an Individual Physical Interface in an SRX Chassis Cluster Environment

The 5-tuple information (source IP address, destination IP address, source port number, destination port number, and protocol) used to create sessions, along with interfaces, is synchronized to node1.

The session table scan on node1 during Routing-Engine failover from node0 flushes the entries of sessions with individual interfaces that no longer exist due to the failure of node0.

Even after the routing protocols converge, any session-sensitive communication (such as TCP) between the end hosts remains broken and needs to be restarted.

The solution below shows how to recover sessions when a node fails. The process behind the recovery is as follows:

  • On losing node0, the dynamic routing protocols reconverge.
  • To continue forwarding the traffic, it needs to use the same session before and after the failure of node0.
  • In order to use the same session on node1, ensure the following:
  1. The session was established using a reth interface.
  2. The corresponding reth interfaces (on both devices) are in the same security zone.
  • The interfaces are configured as follows:

Note: The interfaces reth0 and reth2 are active on node0, whereas reth1 and reth3 are active on node1.

  • For simplicity, all interfaces are bound to the same zone.
  • You can create multiple zones, but you must ensure that interfaces facing R1 and R2 are bound to the same zone, while interfaces pointing toward R3 and R4 are part of the same zone.
  • Preempt is configured on each RG. Preemption enables the associated redundancy group (and reth interfaces) to fail back to the original node, bring up the interfaces, and reestablish the protocol adjacency after node0 recovers.

Note: This solution does not cover Z-mode traffic flow.


The sample configuration on each node is below. Modify this solution as needed based on your requirements.

Cluster Devices


About the author


Leave a Comment