Discussion:
[j-nsp] Juniper SRX 58K cluster IPv6 enable
Imran Kamal
2018-02-20 10:10:04 UTC
Permalink
Hi all,

Can anyone please confirm once I enable "IPv6 Flow mode", do I need to
reboot both SRX 58K boxes at the time or one after another?

The firewall cluster in production and we can't afford any outage window at
the moment, in the Juniper KB there are no mention of rebooting devices
sequence while in A/P cluster.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB25697

Appreciate your feedback, please.

Regards,

Imran
_______________________________________________
juniper-nsp mailing list juniper-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Ola Thoresen
2018-02-20 10:59:33 UTC
Permalink
Post by Imran Kamal
Hi all,
Can anyone please confirm once I enable "IPv6 Flow mode", do I need to
reboot both SRX 58K boxes at the time or one after another?
The firewall cluster in production and we can't afford any outage window at
the moment
I have not tested it on 58k spcifically, but on other SRX-clusters, and
you need to reboot both nodes.

However, you can reboot them one after each other, and ensure that you
failover all redundancy groups gracefully between the reboots.

So I would suggest enabling IPv6 flow mode, then reboot the secondary
node. After it comes back up, failover all redundancy groups to the
already rebooted node. Then reboot the former primary node.

Then you can decide whether you want to fail back to the old primary
again after the second reboot.

But no matter what you do - I would do this in a service window. It
SHOULD work without any traffic interruptions, but better to be safe
than sorry.


/Ola (T)

_______________________________________________
juniper-nsp mailing list juniper-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Brian Johnson
2018-02-20 16:54:57 UTC
Permalink
From my experience... Any change of the mode on a protocol requires a reboot of JunOS. Correct?

- Brian J.

Sent from my iPhone
Please excuse typos
Post by Imran Kamal
Hi all,
Can anyone please confirm once I enable "IPv6 Flow mode", do I need to
reboot both SRX 58K boxes at the time or one after another?
The firewall cluster in production and we can't afford any outage window at
the moment
I have not tested it on 58k spcifically, but on other SRX-clusters, and you need to reboot both nodes.
However, you can reboot them one after each other, and ensure that you failover all redundancy groups gracefully between the reboots.
So I would suggest enabling IPv6 flow mode, then reboot the secondary node. After it comes back up, failover all redundancy groups to the already rebooted node. Then reboot the former primary node.
Then you can decide whether you want to fail back to the old primary again after the second reboot.
But no matter what you do - I would do this in a service window. It SHOULD work without any traffic interruptions, but better to be safe than sorry.
/Ola (T)
_______________________________________________
https://puck.nether.net/mailman/listinfo/juniper-nsp
_______________________________________________
juniper-nsp mailing list juniper-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Imran Kamal
2018-02-20 15:19:40 UTC
Permalink
Marvelous, thank you all.
Oh I should also note, I've done this maneuver on both SRX-5800 and
SRX-3600 platforms that were in-production.
The same graceful reboots are also allowed when enabling
ExpressPath/Services-Offload, should you ever need it.
-Nicholas
_______________________________________________
juniper-nsp mailing list juniper-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Loading...