Juniper SRX management interface

Updated to include IPv6

I got the opportunity to deploy some HA SRX clusters, and decided to make use of the management interface.

All the “through traffic” would go through a virtual-router, so the management interface was the only access to the device itself. The setup seemed straightforward, but I ran into an odd issue. While I could ping the master-only IP, I couldn’t connect to it via SSH. More accurately, I couldn’t log in: SSH would prompt for a password and then refuse to authenticate. Curiously, it did this even for accounts that were configured to use only SSH public keys.

Configuration Snips

What did my configuration look like? Here are the relevant snips:

Groups statements:

set groups node0 system host-name srx-1.cmhome
set groups node0 system backup-router 192.168.0.1
set groups node0 system backup-router destination 0.0.0.0/1
set groups node0 system backup-router destination 128.0.0.0/1
set groups node0 system inet6-backup-router 2001:db8::1
set groups node0 system inet6-backup-router destination ::/1
set groups node0 system inet6-backup-router destination 8000::/1
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.0.5/24 preferred
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.0.10/24 master-only
set groups node0 interfaces fxp0 unit 0 family inet6 address 2001:db8::5/64 preferred
set groups node0 interfaces fxp0 unit 0 family inet6 address 2001:db8::10/64 master-only
set groups node0 routing-options rib inet6.0 static route ::/0 next-hop 2001:db8::1
set groups node0 routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set groups node1 system host-name srx-2.cmhome
set groups node1 system backup-router 192.168.0.1
set groups node1 system backup-router destination 0.0.0.0/1
set groups node1 system backup-router destination 128.0.0.0/1
set groups node1 system inet6-backup-router 2001:db8::1
set groups node1 system inet6-backup-router destination ::/1
set groups node1 system inet6-backup-router destination 8000::/1
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.0.6/24 preferred
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.0.10/24 master-only
set groups node1 interfaces fxp0 unit 0 family inet6 address 2001:db8::5/64 preferred
set groups node1 interfaces fxp0 unit 0 family inet6 address 2001:db8::10/64 master-only
set groups node1 routing-options rib inet6.0 static route ::/0 next-hop 2001:db8::1
set groups node1 routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set apply-groups "${node}"

System:

set system login user louisk full-name "Louis Kowolowski"
set system login user louisk uid 8060
set system login user louisk class super-user

Interfaces:

set interfaces ge-0/0/6 description "ex4200-1 ge-0/0/35"
set interfaces ge-0/0/6 gigether-options redundant-parent reth0
set interfaces ge-0/0/7 description "ex4200-2 ge-0/0/34"
set interfaces ge-0/0/7 gigether-options redundant-parent reth1
set interfaces ge-5/0/6 description "ex4200-1 ge-0/0/35"
set interfaces ge-5/0/6 gigether-options redundant-parent reth0
set interfaces ge-5/0/7 description "ex4200-2 ge-0/0/34"
set interfaces ge-5/0/7 gigether-options redundant-parent reth1
set interfaces fab0 fabric-options member-interfaces ge-0/0/3
set interfaces fab1 fabric-options member-interfaces ge-5/0/3
set interfaces reth0 description "backside"
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 192.168.20.10/24
set interfaces reth0 unit 0 family inet6 address 2001:db8:20::10/64
set interfaces reth1 description "frontside"
set interfaces reth1 redundant-ether-options redundancy-group 2
set interfaces reth1 unit 0 family inet address 192.168.30.33/24
set interfaces reth1 unit 0 family inet6 address 2001:db8:30::33/64

Virtual router statements:

set routing-instances ThroughTraffic instance-type virtual-router
set routing-instances ThroughTraffic interface reth0.0
set routing-instances ThroughTraffic interface reth1.0
set routing-instances ThroughTraffic routing-options rib ThroughTraffic.inet6.0 static route 0::0/0 next-hop 2001:db8:30::1
set routing-instances ThroughTraffic routing-options static route 0.0.0.0/0 next-hop 192.168.30.1

Everything was working normally: traffic passed through the virtual-router as expected, and I could SSH to whichever management interface belonged to the master (expected behavior). I just couldn’t SSH to the master-only IP.

I spent quite a bit of time digging through Juniper docs and forums, but everything appeared to be telling me to do just what I had done. I was fairly certain that the problem was not actually SSH, and that it was somehow related to my use of the management interface(s) and the virtual-router for all of the traffic going through the box.

Solution

What I finally stumbled upon was this:

set groups node0 routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set groups node0 routing-options static route 0.0.0.0/0 retain
set groups node0 routing-options static route 0.0.0.0/0 no-readvertise
set groups node0 routing-options rib inet6.0 static route ::/0 next-hop 2001:db8::1
set groups node0 routing-options rib inet6.0 static route ::/0 retain
set groups node0 routing-options rib inet6.0 static route ::/0 no-readvertise
set groups node1 routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set groups node1 routing-options static route 0.0.0.0/0 retain
set groups node1 routing-options static route 0.0.0.0/0 no-readvertise
set groups node1 routing-options rib inet6.0 static route ::/0 next-hop 2001:db8::1
set groups node1 routing-options rib inet6.0 static route ::/0 retain
set groups node1 routing-options rib inet6.0 static route ::/0 no-readvertise

In addition to setting a static (default) route, this also tells the system not to readvertise the route into any dynamic routing protocol (no-readvertise), and to retain the route in the forwarding table after the routing protocol process has shut down (retain).

In hindsight, it’s obvious what I was missing. It was in fact related to doing all the routing through the virtual-router: there was no static route for the management interface(s) to use. All the documentation assumes you will have a static route as part of your global ‘routing-options’ statement block, but if you use a virtual-router for all the traffic, there is otherwise no reason to have one.

Once I had added the static route statements to the groups and rebooted each node, everything worked as expected, including SSH to the master-only IP.
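As an added example (my own code, not from the post or from Juniper), here is a small Python linter for set-format configuration that catches the mistake described above: an fxp0 master-only address whose only default route lives inside a routing-instance. It treats the post's recipe as the rule to enforce (a default static route for each family in the node group or the global routing-options, carrying retain and no-readvertise), assumes the node groups are applied with apply-groups "${node}" as in the snips, and only parses text; it is not a Junos commit check. The sample configurations inside it are constructed from the post's addresses.

```python
"""Lint a Junos set-format config for the HA management-interface pitfall above."""
import ipaddress
import shlex

# Default prefixes per family, compared as networks so "0::0/0" equals "::/0".
DEFAULTS = {"inet": ipaddress.ip_network("0.0.0.0/0"),
            "inet6": ipaddress.ip_network("::/0")}


def _scope(tokens):
    """Classify a set line as ('group', name), ('instance', name) or ('global', None)."""
    if tokens[:1] == ["groups"] and len(tokens) > 2:
        return ("group", tokens[1]), tokens[2:]
    if tokens[:1] == ["routing-instances"] and len(tokens) > 2:
        return ("instance", tokens[1]), tokens[2:]
    return ("global", None), tokens


def parse_set_config(text):
    """Collect fxp0 master-only addresses and default static routes per scope.

    master_only[scope][family] -> list of addresses
    defaults[scope][family]    -> {"next-hop": str | None, "flags": set of str}
    """
    master_only, defaults = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")  # tolerate trailing ';'
        if not line.startswith("set "):
            continue
        scope, rest = _scope(shlex.split(line)[1:])

        # ... interfaces fxp0 unit N family F address A master-only
        if (len(rest) >= 9 and rest[:2] == ["interfaces", "fxp0"] and rest[4] == "family"
                and rest[6] == "address" and "master-only" in rest[8:]):
            master_only.setdefault(scope, {}).setdefault(rest[5], []).append(rest[7])
            continue

        # ... routing-options [rib NAME.inet6.0] static route PREFIX (next-hop H | retain | no-readvertise)
        if rest[:1] == ["routing-options"] and "static" in rest:
            i = rest.index("static")
            if rest[i + 1:i + 2] != ["route"] or len(rest) <= i + 2:
                continue
            try:
                prefix = ipaddress.ip_network(rest[i + 2], strict=False)
            except ValueError:
                continue
            family = "inet6" if prefix.version == 6 else "inet"
            if prefix != DEFAULTS[family]:
                continue
            entry = defaults.setdefault(scope, {}).setdefault(
                family, {"next-hop": None, "flags": set()})
            tail = rest[i + 3:]
            if "next-hop" in tail and tail.index("next-hop") + 1 < len(tail):
                entry["next-hop"] = tail[tail.index("next-hop") + 1]
            entry["flags"].update(t for t in tail if t in ("retain", "no-readvertise"))
    return master_only, defaults


def check_management_routes(text):
    """Return problem strings; an empty list means the config follows the post's recipe."""
    master_only, defaults = parse_set_config(text)
    global_defaults = defaults.get(("global", None), {})
    problems = []
    for scope, families in master_only.items():
        where = scope[1] or "global routing-options"
        for family in families:
            # A default inside a routing-instance does not help fxp0, which sits in inet.0 / inet6.0.
            route = defaults.get(scope, {}).get(family) or global_defaults.get(family)
            if route is None or route["next-hop"] is None:
                only_in = [s[1] for s, fams in defaults.items()
                           if s[0] == "instance" and family in fams]
                hint = (f"; the only {family} default is inside routing-instance "
                        f"{', '.join(only_in)}") if only_in else ""
                problems.append(f"{where}: {family} master-only address on fxp0 has no "
                                f"{family} default static route{hint}")
                continue
            missing = {"retain", "no-readvertise"} - route["flags"]
            if missing:
                problems.append(f"{where}: {family} default route lacks {', '.join(sorted(missing))}")
    return problems


# Constructed sample modelled on the post's node0 group: the only default routes
# live inside the virtual-router, so fxp0 traffic in inet.0 / inet6.0 has none.
BROKEN = """
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.0.5/24 preferred
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.0.10/24 master-only
set groups node0 interfaces fxp0 unit 0 family inet6 address 2001:db8::10/64 master-only
set routing-instances ThroughTraffic instance-type virtual-router
set routing-instances ThroughTraffic routing-options static route 0.0.0.0/0 next-hop 192.168.30.1
set routing-instances ThroughTraffic routing-options rib ThroughTraffic.inet6.0 static route 0::0/0 next-hop 2001:db8:30::1
"""

# The same cluster after adding the post's group-level default routes.
FIXED = BROKEN + """
set groups node0 routing-options static route 0.0.0.0/0 next-hop 192.168.0.1;
set groups node0 routing-options static route 0.0.0.0/0 retain;
set groups node0 routing-options static route 0.0.0.0/0 no-readvertise;
set groups node0 routing-options rib inet6.0 static route ::/0 next-hop 2001:db8::1
set groups node0 routing-options rib inet6.0 static route ::/0 retain
set groups node0 routing-options rib inet6.0 static route ::/0 no-readvertise
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_management_routes(cfg) or "OK")
```

Run it against `show configuration | display set` output saved to a file before committing a cluster change; the broken sample reports one finding per family, naming the routing-instance that holds the only default, and the fixed sample reports nothing.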
