Understanding Cluster Mode

The factory-default configuration does not include an HA configuration. To enable HA, first remove any configuration from the physical interfaces that HA will use. The two hosts constituting a chassis cluster must have identical configuration. Configure one host as node 0 and the other as node 1.

The TOE has a dedicated fxp0 interface for HA management. The HA control link must connect the em0 interface of each device. The Administrator defines the fabric interface. With these settings in place, the cluster is defined and set up by the Administrator. The two devices constituting a chassis cluster share the same cluster-id but have different node IDs: one host is node 0 and the other is node 1.

Node 1 renumbers its interfaces by adding the total number of system FPCs to the original FPC number of each interface. The fabric interface remains Administrator-defined.

With the L2 HA link encryption tunnel, any Security Sensitive Parameters (Critical Security Parameters) exchanged over the control link between the two chassis in cluster mode are protected using IPsec. The configuration information and IKE HA messages that pass over the chassis cluster link from the primary node to the secondary node are protected from active and passive eavesdropping by the IPsec tunnel used for internal communication between the nodes. Without the internal IPsec key, an attacker can neither gain privileged access nor observe this traffic.

The Chassis Cluster is configured according to the following guidance: Configuring Chassis Clustering on SRX Series Devices.

The Chassis Cluster configuration must take the following into account:

  • The Chassis Cluster HA control link should always be encrypted with IPsec. The guidance for setting up the control link encryption is given in Chassis Cluster HA Control Link Encryption.

  • The cryptographic algorithms used to encrypt the IPsec HA link should be the same algorithms used for the TOE-to-external-endpoint IPsec SAs, as specified in Chapter 9 of this guidance.
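As an added illustration, and not code from the Juniper guidance, the following Python models the rules stated above: the node 1 interface renumbering, and the cluster-id, node ID, control link, fabric interface and IPsec requirements that an Administrator would verify on both hosts. The dictionary field names and the FPC count of 12 used in the sample are assumptions.

```python
import re

# Constructed model of the chassis-cluster rules in the guidance (added
# example, not Juniper code). Interface names use the Junos type-fpc/pic/port
# form, e.g. ge-0/0/1.
IFACE_RE = re.compile(r"^(?P<type>[a-z]+)-(?P<fpc>\d+)/(?P<pic>\d+)/(?P<port>\d+)$")


def node1_interface_name(node0_name: str, system_fpc_count: int) -> str:
    """Name that node 1 gives the interface node 0 calls `node0_name`.

    Node 1 adds the total number of system FPCs to the FPC number; the PIC
    and port numbers are unchanged.
    """
    m = IFACE_RE.match(node0_name)
    if m is None:
        raise ValueError(f"not a slot-style interface name: {node0_name!r}")
    fpc = int(m["fpc"]) + system_fpc_count
    return f"{m['type']}-{fpc}/{m['pic']}/{m['port']}"


def check_cluster_pair(host_a: dict, host_b: dict) -> list:
    """Return the guidance violations found for a pair of cluster hosts.

    Each host dict has an assumed shape: cluster_id, node_id, control_link
    (interface name), fabric_interface, control_link_ipsec (bool).
    """
    problems = []
    if host_a["cluster_id"] != host_b["cluster_id"]:
        problems.append("cluster-id differs between the two hosts")
    if {host_a["node_id"], host_b["node_id"]} != {0, 1}:
        problems.append("node IDs must be exactly 0 and 1")
    for host in (host_a, host_b):
        tag = f"node {host['node_id']}"
        if host["control_link"] != "em0":
            problems.append(f"{tag}: HA control link must use em0")
        if not host.get("fabric_interface"):
            problems.append(f"{tag}: fabric interface is not defined")
        if not host.get("control_link_ipsec", False):
            problems.append(f"{tag}: HA control link is not IPsec-encrypted")
    return problems


if __name__ == "__main__":
    # Constructed sample: node 1 has not enabled control link encryption.
    a = {"cluster_id": 1, "node_id": 0, "control_link": "em0",
         "fabric_interface": "ge-0/0/2", "control_link_ipsec": True}
    b = dict(a, node_id=1, control_link_ipsec=False)
    print(node1_interface_name("ge-0/0/1", 12))  # ge-12/0/1
    print(check_cluster_pair(a, b))
```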