Juniper SRX Management Interface

Updated to include IPv6

I got the opportunity to deploy some HA SRX clusters, and decided to make use of the management interface.

All the “through traffic” would go through a virtual-router, so this was the only access for the device itself. The setup seemed pretty straightforward, but I ran into an odd issue. While I could ping the master-only IP, I couldn’t connect to the master-only IP via SSH. More accurately, I couldn’t log in. SSH would prompt for a password, and then refuse to authenticate. Curiously, it did this even for accounts that were configured to use only SSH public keys.

Configuration Snips

What did my configuration look like? Here are the relevant snips:

Groups statements:

set groups node0 system host-name srx-1.cmhome
set groups node0 system backup-router 192.168.0.1
set groups node0 system backup-router destination 0.0.0.0/1
set groups node0 system backup-router destination 128.0.0.0/1
set groups node0 system inet6-backup-router 2001:db8::1
set groups node0 system inet6-backup-router destination ::/1
set groups node0 system inet6-backup-router destination 8000::/1
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.0.5/24 preferred
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.0.10/24 master-only
set groups node0 interfaces fxp0 unit 0 family inet6 address 2001:db8::5/64 preferred
set groups node0 interfaces fxp0 unit 0 family inet6 address 2001:db8::10/64 master-only
set groups node0 routing-options rib inet6.0 static route ::/0 next-hop 2001:db8::1
set groups node0 routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set groups node1 system host-name srx-2.cmhome
set groups node1 system backup-router 192.168.0.1
set groups node1 system backup-router destination 0.0.0.0/1
set groups node1 system backup-router destination 128.0.0.0/1
set groups node1 system inet6-backup-router 2001:db8::1
set groups node1 system inet6-backup-router destination ::/1
set groups node1 system inet6-backup-router destination 8000::/1
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.0.6/24 preferred
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.0.10/24 master-only
set groups node1 interfaces fxp0 unit 0 family inet6 address 2001:db8::5/64 preferred
set groups node1 interfaces fxp0 unit 0 family inet6 address 2001:db8::10/64 master-only
set groups node1 routing-options rib inet6.0 static route ::/0 next-hop 2001:db8::1
set groups node1 routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set apply-groups "${node}"

System:

set system login user louisk full-name "Louis Kowolowski"
set system login user louisk uid 8060
set system login user louisk class super-user

Interfaces:

set interfaces ge-0/0/6 description "ex4200-1 ge-0/0/35"
set interfaces ge-0/0/6 gigether-options redundant-parent reth0
set interfaces ge-0/0/7 description "ex4200-2 ge-0/0/34"
set interfaces ge-0/0/7 gigether-options redundant-parent reth1
set interfaces ge-5/0/6 description "ex4200-1 ge-0/0/35"
set interfaces ge-5/0/6 gigether-options redundant-parent reth0
set interfaces ge-5/0/7 description "ex4200-2 ge-0/0/34"
set interfaces ge-5/0/7 gigether-options redundant-parent reth1
set interfaces fab0 fabric-options member-interfaces ge-0/0/3
set interfaces fab1 fabric-options member-interfaces ge-5/0/3
set interfaces reth0 description "backside"
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 192.168.20.10/24
set interfaces reth0 unit 0 family inet6 address 2001:db8:20::10/64
set interfaces reth1 description "frontside"
set interfaces reth1 redundant-ether-options redundancy-group 2
set interfaces reth1 unit 0 family inet address 192.168.30.33/24
set interfaces reth1 unit 0 family inet6 address 2001:db8:30::33/64

Virtual router statements:

set routing-instances ThroughTraffic instance-type virtual-router
set routing-instances ThroughTraffic interface reth0.0
set routing-instances ThroughTraffic interface reth1.0
set routing-instances ThroughTraffic routing-options rib ThroughTraffic.inet6.0 static route 0::0/0 next-hop 2001:db8:30::1
set routing-instances ThroughTraffic routing-options static route 0.0.0.0/0 next-hop 192.168.30.1

Everything was working normally: traffic passed through the virtual-router as expected, and I could SSH to whichever node-specific management address belonged to the current master (expected behavior). I just couldn’t SSH to the master-only IP.

I spent quite a bit of time digging through Juniper docs and forums, but everything appeared to be telling me to do just what I had done. I was fairly certain that the problem was not actually SSH, and that it was somehow related to my use of the management interface(s) together with a virtual-router for all of the traffic going through the box.

Solution

What I finally stumbled upon was this:

set groups node0 routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set groups node0 routing-options static route 0.0.0.0/0 retain
set groups node0 routing-options static route 0.0.0.0/0 no-readvertise
set groups node0 routing-options rib inet6.0 static route ::/0 next-hop 2001:db8::1
set groups node0 routing-options rib inet6.0 static route ::/0 retain
set groups node0 routing-options rib inet6.0 static route ::/0 no-readvertise
set groups node1 routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set groups node1 routing-options static route 0.0.0.0/0 retain
set groups node1 routing-options static route 0.0.0.0/0 no-readvertise
set groups node1 routing-options rib inet6.0 static route ::/0 next-hop 2001:db8::1
set groups node1 routing-options rib inet6.0 static route ::/0 retain
set groups node1 routing-options rib inet6.0 static route ::/0 no-readvertise

In addition to setting a static (default) route in the global table for each address family, this tells the system not to advertise the route (if you’re doing dynamic routing), and to retain it in the forwarding table after the routing protocol process has shut down.

In hindsight, it’s obvious what I was missing. It was in fact related to doing all the routing through the virtual-router. There was no static route in the global table for the management interface(s) to use. All the documentation assumes you will have a static route as part of your global ‘routing-options’ statement block, but if you use a virtual-router for all the transit traffic, there is no other reason to have one, so it is easy to leave out.

Once I got the static route statements added to the groups, and rebooted each node, everything worked as expected, including SSH to the master-only IP.
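The gap above only shows up after a reboot, so it is worth catching in review. Here is an added example (my own code, not the author's or Juniper's) that lints a 'show configuration | display set' dump for exactly this pitfall: an fxp0 address family with no static default route in the global table, or one that lacks 'retain' and 'no-readvertise'. The regexes, the scope handling and the sample configs are my own assumptions; routes under routing-instances are deliberately ignored because they do not serve fxp0.

```python
import re
from collections import defaultdict

# Hypothetical linter (added example) for the pitfall in the post: fxp0 carries an address
# family whose default route in the global table is missing or lacks retain / no-readvertise.
FXP0_RE = re.compile(r"^set (?:groups (\S+) )?interfaces fxp0 unit \d+ family (inet6?) address ")
ROUTE_RE = re.compile(r"^set (?:groups (\S+) )?routing-options (rib inet6\.0 )?static route (\S+) (\S+)")
DEFAULTS = {"inet": ("0.0.0.0/0", "0/0"), "inet6": ("::/0", "0::0/0")}
WANTED = ("next-hop", "retain", "no-readvertise")

def lint_mgmt_routes(set_config):
    """Return findings as strings; an empty list means every fxp0 address family has a
    retained, non-readvertised default route in the global (non-virtual-router) table."""
    fxp0 = defaultdict(set)                          # scope -> address families on fxp0
    routes = defaultdict(lambda: defaultdict(set))   # scope -> family -> flags seen on ::/0 or 0/0
    for raw in set_config.splitlines():
        line = raw.strip().rstrip(";")  # tolerate semicolons pasted from 'show | display set'
        if m := FXP0_RE.match(line):
            fxp0[m.group(1) or "global"].add(m.group(2))
        elif m := ROUTE_RE.match(line):   # 'set routing-instances ...' never matches here
            scope, rib, prefix, flag = m.group(1) or "global", m.group(2), m.group(3), m.group(4)
            family = "inet6" if rib else "inet"
            if prefix in DEFAULTS[family]:
                routes[scope][family].add(flag)
    findings = []
    for scope, families in sorted(fxp0.items()):
        for fam in sorted(families):
            # a route inside the node's group applies to that node; a global one applies to all
            flags = routes[scope][fam] | routes["global"][fam]
            if "next-hop" not in flags:
                findings.append(f"{scope}: fxp0 has family {fam} but no default route in the global {fam}.0 table")
            elif missing := [w for w in WANTED if w not in flags]:
                findings.append(f"{scope}: {fam} default route lacks {', '.join(missing)}")
    return findings

# Constructed sample: the post's situation, where only the virtual-router carries a default route
BEFORE = """\
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.0.5/24 preferred
set groups node0 interfaces fxp0 unit 0 family inet6 address 2001:db8::5/64 preferred
set routing-instances ThroughTraffic routing-options static route 0.0.0.0/0 next-hop 192.168.30.1
"""
# ...and the same config with the post's fix applied to the node group
FIXED = BEFORE + """\
set groups node0 routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
set groups node0 routing-options static route 0.0.0.0/0 retain
set groups node0 routing-options static route 0.0.0.0/0 no-readvertise
set groups node0 routing-options rib inet6.0 static route ::/0 next-hop 2001:db8::1
set groups node0 routing-options rib inet6.0 static route ::/0 retain
set groups node0 routing-options rib inet6.0 static route ::/0 no-readvertise
"""
```

Running lint_mgmt_routes on BEFORE yields one finding per address family, and on FIXED yields none.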
