
Juniper SRX cluster and AWS Direct Connect failover

Network Engineering user
Asked 2022-01-30 13:50:01
Answers: 1, Views: 220, Followers: 0, Votes: 3

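We have two SRXs (345) set up in cluster mode and connected to AWS Direct Connect, with each SRX connected to one AWS connection on a local interface. The SRXs also act as a switch for two Kemp load balancers.

The problem is that I can only reach the Kemp load balancers when the traffic comes in over the AWS connection attached to the primary SRX.

From the traces, ICMP appears to be reaching the Kemps, but the SRX does not find the route back to AWS.

Cluster configuration:
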
set security forwarding-options family mpls mode flow-based

set groups node0 system host-name node0-router
set groups node0 interfaces fxp0 disable
set groups node1 system host-name node1-router
set groups node1 interfaces fxp0 disable
set apply-groups "${node}"

set interfaces fab0 fabric-options member-interfaces ge-0/0/6
set interfaces fab1 fabric-options member-interfaces ge-5/0/6
set interfaces swfab0 fabric-options member-interfaces ge-0/0/7
set interfaces swfab1 fabric-options member-interfaces ge-5/0/7

set chassis cluster control-link-recovery

set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 preempt
set chassis cluster reth-count 1

set interfaces irb unit 10 family inet address 172.31.0.1/24

set vlans V10-DATA vlan-id 10
set vlans V10-DATA l3-interface irb.10

set interfaces ge-0/0/0 description Kemp01:Port0
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members V10-DATA
set interfaces ge-5/0/0 description Kemp02:Port0
set interfaces ge-5/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-5/0/0 unit 0 family ethernet-switching vlan members V10-DATA

set interfaces ge-0/0/15 description "Direct Connect to your Amazon VPC or AWS Cloud A"
set interfaces ge-0/0/15 flexible-vlan-tagging
set interfaces ge-0/0/15 mtu 1522
set interfaces ge-0/0/15 gigether-options no-auto-negotiation
set interfaces ge-0/0/15 unit 101 vlan-id 101
set interfaces ge-0/0/15 unit 101 family inet mtu 1500
set interfaces ge-0/0/15 unit 101 family inet address 169.254.255.6/30

set interfaces ge-5/0/15 description "Direct Connect to your Amazon VPC or AWS Cloud B"
set interfaces ge-5/0/15 flexible-vlan-tagging
set interfaces ge-5/0/15 mtu 1522
set interfaces ge-5/0/15 gigether-options no-auto-negotiation
set interfaces ge-5/0/15 unit 100 vlan-id 100
set interfaces ge-5/0/15 unit 100 family inet mtu 1500
set interfaces ge-5/0/15 unit 100 family inet address 169.254.255.2/30

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces irb.10
set security zones security-zone trust interfaces irb.11
set security zones security-zone trust interfaces ge-5/0/15.100
set security zones security-zone trust interfaces ge-0/0/15.101

set security policies from-zone trust to-zone trust policy permit-all match source-address any
set security policies from-zone trust to-zone trust policy permit-all match destination-address any 
set security policies from-zone trust to-zone trust policy permit-all match application any
set security policies from-zone trust to-zone trust policy permit-all then permit

set policy-options policy-statement EXPORT-PREFIXES term PREFIXES from route-filter 172.31.0.0/18 exact
set policy-options policy-statement EXPORT-PREFIXES term PREFIXES then accept
set policy-options policy-statement EXPORT-PREFIXES term REJECT then reject

set protocols bgp group EBGP type external
set protocols bgp group EBGP peer-as 64513
set protocols bgp group EBGP export EXPORT-PREFIXES
set protocols bgp group EBGP neighbor 169.254.255.1 local-address 169.254.255.2
set protocols bgp group EBGP neighbor 169.254.255.5 local-address 169.254.255.6

set routing-options autonomous-system 64514
set routing-options static route 172.31.0.0/18 discard

Update

I have also configured:

set protocols l2-learning global-mode switching
set protocols rstp bridge-priority 4k
set protocols rstp interface all

Output of show chassis cluster control-plane statistics:

Control link statistics:
    Control link 0:
        Heartbeat packets sent: 1634
        Heartbeat packets received: 1506
        Heartbeat packet errors: 0
Fabric link statistics:
    Child link 0
        Probes sent: 659
        Probes received: 659
    Child link 1
        Probes sent: 0
        Probes received: 0

Output of show chassis cluster ethernet-switching interfaces:

swfab0:

    Name               Status      
    ge-0/0/7           up         
swfab1:

    Name               Status      
    ge-5/0/7           up   

Output of show route terse:

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

A V Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* ? 169.254.255.0/30   D   0                       >ge-5/0/15.100
* ? 169.254.255.2/32   L   0                        Local
* ? 172.18.0.0/16      B 170        100                             64513 I
  unverified                                       >169.254.255.1
* ? 172.19.0.0/16      B 170        100                             64513 I
  unverified                                       >169.254.255.1
* ? 172.31.0.0/18      S   5                        Discard
* ? 172.31.0.0/24      D   0                       >irb.10      
* ? 172.31.0.1/32      L   0                        Local

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

A V Destination        P Prf   Metric 1   Metric 2  Next hop        AS path
* ? ff02::2/128        I   0                        MultiRecv

1 Answer

Network Engineering user

Accepted answer

Posted 2022-01-31 10:02:24

Your configuration looks fine -- can you confirm that your swfab interfaces are connected to each other? Node 0's 0/0/7 patched to node 1's 5/0/7?

show chassis cluster ethernet-switching interfaces

should show up/up on both ports

Votes: 3
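An added example (not part of the original question or answer): a Python cross-check of the posted configuration against the posted show route terse output, reporting for each BGP neighbor whether the direct and local routes for its link are in the table and how many BGP routes use that neighbor as next hop. The function name check_bgp_links is hypothetical; the input lines are copied from the question.

```python
import ipaddress
import re

# Input copied from the question: the four relevant config lines and the
# inet.0 part of the "show route terse" output, embedded so this runs offline.
CONFIG = """\
set interfaces ge-0/0/15 unit 101 family inet address 169.254.255.6/30
set interfaces ge-5/0/15 unit 100 family inet address 169.254.255.2/30
set protocols bgp group EBGP neighbor 169.254.255.1 local-address 169.254.255.2
set protocols bgp group EBGP neighbor 169.254.255.5 local-address 169.254.255.6
"""
ROUTE_TERSE = """\
* ? 169.254.255.0/30   D   0                       >ge-5/0/15.100
* ? 169.254.255.2/32   L   0                        Local
* ? 172.18.0.0/16      B 170        100                             64513 I
  unverified                                       >169.254.255.1
* ? 172.19.0.0/16      B 170        100                             64513 I
  unverified                                       >169.254.255.1
* ? 172.31.0.0/18      S   5                        Discard
* ? 172.31.0.0/24      D   0                       >irb.10
* ? 172.31.0.1/32      L   0                        Local
"""

def check_bgp_links(config, route_text):
    """Per BGP neighbor: its interface and which of its routes are in the table."""
    # prefix -> protocol letter (D direct, L local, B BGP, S static)
    routes = {ipaddress.ip_network(p): proto for p, proto in
              re.findall(r"^\*\s+\S\s+(\S+/\d+)\s+([A-Z])\s", route_text, re.M)}
    # In terse output the BGP next hop sits on the line after the prefix
    bgp_hops = re.findall(r"^\*.*\sB\s.*\n\s+\S+\s+>(\S+)", route_text, re.M)
    ifaces = {}  # local address -> (logical interface, connected subnet)
    for name, unit, addr in re.findall(
            r"^set interfaces (\S+) unit (\d+) family inet address (\S+)", config, re.M):
        ifc = ipaddress.ip_interface(addr)
        ifaces[str(ifc.ip)] = (f"{name}.{unit}", ifc.network)
    report = {}
    for peer, local in re.findall(r"neighbor (\S+) local-address (\S+)", config):
        name, subnet = ifaces.get(local, (None, None))
        report[peer] = {
            "interface": name,
            "local_route": routes.get(ipaddress.ip_network(f"{local}/32")) == "L",
            "direct_route": subnet is not None and routes.get(subnet) == "D",
            "bgp_routes": bgp_hops.count(peer),
        }
    return report

if __name__ == "__main__":
    for peer, row in check_bgp_links(CONFIG, ROUTE_TERSE).items():
        print(peer, row)
```

On the posted output, the table holds direct, local and BGP routes for the ge-5/0/15.100 link and none for the ge-0/0/15.101 link.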
Original page content provided by Network Engineering. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://networkengineering.stackexchange.com/questions/77738
