Always Geeky

Knowledge base for various geeky topics

SRX cluster SSH/HTTPS access to secondary fails

By default, a Juniper SRX cluster configuration does not allow access to the secondary device, even via out-of-band management. This is expected behaviour: the non-primary node in a cluster does not start the routing process, so it has no routing table. Unless your out-of-band management host sits on the same layer 2 network as the secondary, the secondary SRX will not respond to SSH/HTTPS.

To resolve this, you need to set a backup-router. A backup-router is a static route that is active before the routing process starts. Typically this is only needed while the SRX is booting, as it allows BOOTSTRAP- or PXE-based boots, but the same lack of a routing process presents a problem on the secondary node of a cluster, as the following shows:


root@srx-secondary> show route
error: the routing subsystem is not running

Fix this problem with the following command:

set groups node1 system backup-router 172.29.0.1 destination 0.0.0.0/0

This will appear in the groups configuration as such:

node0 {
    system {
        host-name srx-primary;
    }
    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 172.29.0.100/24;
                }
            }
        }
    }
}

node1 {
    system {
        host-name srx-secondary;
        backup-router 172.29.0.1 destination 0.0.0.0/0;
    }
    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 172.29.0.101/24;
                }
            }
        }
    }
}

You will now have SSH/HTTPS access to your secondary device. It is a good idea to also add a backup-router to the primary device, in case the router daemon on the primary crashes or fails.
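As an added check (not part of the original post), the script below parses the curly-brace output of "show configuration groups" and reports, for each node group, whether a backup-router is configured and whether its gateway actually lies on the fxp0 management subnet, which is the condition the fix above depends on. The sample configuration embedded in it is the one from this post, with node0 deliberately lacking a backup-router so the check has something to flag; the parser is a minimal one written for this example and handles only the statements shown here.

```python
import ipaddress

# Constructed sample: the groups stanza from the post. node0 has no
# backup-router, node1 has one on the fxp0 subnet.
SAMPLE_GROUPS = """
node0 {
    system {
        host-name srx-primary;
    }
    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 172.29.0.100/24;
                }
            }
        }
    }
}
node1 {
    system {
        host-name srx-secondary;
        backup-router 172.29.0.1 destination 0.0.0.0/0;
    }
    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 172.29.0.101/24;
                }
            }
        }
    }
}
"""


def parse_junos(text):
    """Parse curly-brace Junos configuration into nested dicts.

    A line ending in '{' opens a block keyed by its header; a line ending
    in ';' becomes a {first-word: rest-of-line} leaf. Good enough for the
    groups stanza above; repeated leaves with the same keyword overwrite.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.rstrip(";").partition(" ")
            stack[-1][key] = value
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def fxp0_address(node):
    """Return the fxp0 unit 0 inet address of a node group, or None."""
    try:
        return node["interfaces"]["fxp0"]["unit 0"]["family inet"]["address"]
    except KeyError:
        return None


def check_backup_router(node_name, node):
    """Return (ok, message) for one node group."""
    backup = node.get("system", {}).get("backup-router")
    if backup is None:
        return False, f"{node_name}: no backup-router; node is unreachable while rpd is not running"
    gateway = ipaddress.ip_address(backup.split()[0])  # "<gw> destination <prefix>"
    address = fxp0_address(node)
    if address is None:
        return False, f"{node_name}: backup-router set but no fxp0 address found"
    mgmt = ipaddress.ip_interface(address)
    if gateway not in mgmt.network:
        return False, f"{node_name}: backup-router {gateway} is not on fxp0 subnet {mgmt.network}"
    return True, f"{node_name}: backup-router {gateway} reachable via fxp0 {mgmt.network}"


def audit(config_text):
    """Check every node group; returns {node_name: (ok, message)}."""
    groups = parse_junos(config_text)
    return {name: check_backup_router(name, cfg)
            for name, cfg in groups.items() if name.startswith("node")}


if __name__ == "__main__":
    for ok, message in audit(SAMPLE_GROUPS).values():
        print(("OK   " if ok else "FAIL ") + message)
```

Paste the real "show configuration groups" output in place of the sample and run it after any change to the management addressing; a backup-router gateway outside the fxp0 subnet is silently useless, since the node has no route to reach it.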
