SA6000 Clustering -- can I connect two nodes directly independent of the internal public interface?



As I read, the SA6000 has three ports: Internal, External and Management.

I miss a port for clustering. I would like to connect the two cluster nodes directly with a cable.

"Normally" the cluster sync information has to travel over the internal ports between the nodes.

But as I know from experience, "hard network conditions" can disturb the whole cluster functionality.

So I would have a better feeling if I could separate cluster sync traffic from the user data traffic.

Do you have experience in cluster logic with SA6000? How stable does this work?

Respected Contributor

Re: SA6000 Clustering -- connect two nodes directly independent of the internal interface?

Can you explain further what you mean, please? Are you trying to plug the management port from IVE1 to the management port of IVE2 and use the cluster in that manner?

If I understood correctly, that may be possible, theoretically, but if you are doing any type of SNMP monitoring, FTP/SCP or syslog archiving, or any other management functions as described in the admin guide, you will probably lose that ability since when the management port is enabled, those items are only available via the management port.

Re: SA6000 Clustering --

Yes, that's what I mean. A direct connection over a cable between the two nodes.


I had serious problems with BOTH nodes in an Active/Passive cluster, occurring from a "burst of traffic" on the router, and this triggered a bug in the IVE cluster subsystem. The whole cluster went to hell until the network problems on the router were fixed. On the same router we run Cisco VPN Concentrators, which had no problem with the hard network conditions.

So I would feel better if I could connect both nodes directly, independent of user traffic ports.

I hoped this could be possible with SA6000 as this seems to be the "high-end" SA solution?

At the moment I run an SA2000 cluster, but plan to upgrade.

Super Contributor

Re: SA6000 Clustering --

I assume the burst of traffic that caused your outage was some kind of broadcast storm. What most companies do to reduce these kinds of failures is to create a separate management VLAN on your network.

A separate VLAN/subnet will insulate these ports from bursts of traffic and other things that can create an outage. You'll also be able to get to these addresses from your internal network. This should be pretty easy to accomplish; if you have questions let me know.


Re: SA6000 Clustering --

Well, it's nice to have a management port for security reasons - management of the appliances can be totally separated from user traffic.

But (!) when the cluster sync information goes over the user traffic interfaces (which is the default design of Juniper IVE SA), then a burst of traffic (like a broadcast storm) can disturb the whole cluster functionality. And exactly that happened to me.

That's the reason why I would like to have a dedicated physical connection between the two nodes. One cable, from node to node, and nothing between.

Super Contributor

Re: SA6000 Clustering --

Why not segregate the internal interfaces into a separate VLAN then. As long as you can route to it from the internal network it should cause any kind of issue to do this. When you think about it, this burst of traffic is affecting much more than just cluster sync information. It's also affecting user traffic flow, in and out of your network. If that burst is a storm that happens often, then it probably makes sense to segregate the traffic. If it is a burst of traffic going out the internal interface to or from users then a separate VLAN won't help.

The 6000 does have a cluster timeout multiplier under advance cluster settings. The default value is 2, but you can set it all the way up to 20. Perhaps tweaking this could hold down the box during busy times and not cause a fail-over.

If the IVE uses the internal interfaces to exchange state and sync information then there really isn't much you can do as far as making that completely separate. You would essentially be plugging a cross-over cable between the 2, which would prevent them from talking to the internal network.

Juniper should provide the option of exchanging sync information over the management interfaces, or provide a separate sync interface altogether.

Super Contributor

Well, another thing I found is that if you have the clustering enabled as active/passive or even active/active and have synchronize log messages between the cluster members, that causes more problems as well. I have had the box crash multiple times with different reasons, but all under load of around 1700-1800 users.