Prepare Your Environment for Multinode High Availability Deployment
This topic provides details to prepare the environment for Multinode High Availability deployment.
- Device Model
- Software Version
- Latest Junos IKE Package
- Software Licenses
- Network Accessibility
- IP Address Consideration
Device Model
In Multinode High Availability, you must use the same SRX Series Firewall model for both nodes. For example, if you use an SRX5600 as one node, you must use another SRX5600 as the other node.
In case of the SRX5000 line of devices, ensure that SPCs, NPCs, and IOCs have the same slot placement and type.
We support Multinode High Availability on the following devices:
- SRX5800, SRX5600, SRX5400 with the following components running Junos OS Release 20.4R1 or later:
  - Services Processing Card SPC3
  - I/O card IOC3
  - Switch Control Boards SCB3 and SCB4
  - Routing Engine RE3
- SRX4600, SRX4200, SRX4100, and SRX1500 running Junos OS Release 22.3R1 or later
- SRX2300 and SRX1600 running Junos OS Release 23.4R1 or later
- SRX4300 running Junos OS Release 24.2R1 or later
- vSRX Virtual Firewall running Junos OS Release 22.3R1 or later
Software Version
Install the compatible version of Junos OS on the participating security devices.
Latest Junos IKE Package
You must install the Junos IKE package to enable ICL encryption in a Multinode High Availability solution.
By default, when your SRX Series Firewall boots up, the legacy IKE architecture is executed. To enable the new IKE architecture, you must install the new Junos IKE package. This is an optional package included in the Junos OS software download image.
Use the following command to install the IKE package:
user@host> request system software add optional://junos-ike.tgz
After you install the Junos IKE package, for subsequent software upgrades of the instance, the Junos IKE package is upgraded automatically from the new Junos OS releases installed on your device.
Software Licenses
You do not need any specific license for the Multinode High Availability feature. However, licenses are unique to each SRX Series Firewall and cannot be shared between the nodes in a Multinode High Availability setup. Therefore, you must install identical licenses on both nodes. If the two SRX Series Firewalls do not have an identical set of licenses, the system is not ready for deployment.
Network Accessibility
Both nodes in the Multinode High Availability setup must be able to reach each other over the ICL path. Whether or not the ICL is encrypted, this path is identified by IP address, protocol, and port. If any firewall or other inspection device sits between the nodes, you must ensure that it allows this communication.
The floating IP address that you use for each node must be a routable IP address (a logically routed path) across the network.
We recommend binding the ICL to the loopback interface (lo0) or an aggregated Ethernet interface (ae0) with more than one physical link (LAG/LACP), so that path diversity gives the highest resiliency. You can also use a revenue Ethernet port on the SRX Series Firewalls to set up the ICL connection. Ensure that you keep transit traffic on revenue interfaces separate from the high availability (HA) traffic.
IP Address Consideration
Table 1 provides details on IPv4 and IPv6 address support for Multinode High Availability deployments.
| MNHA Deployment Type | Layer 3 Network (Routers at Both Ends) | Hybrid Network (Router at One End and Switch at the Other End) | Default Gateway (Switches at Both Ends) |
|---|---|---|---|
| IPv4 and IPv6 addresses for IP monitoring | Yes | Yes | Yes |
| IPv4 and IPv6 addresses for activeness probing | Yes | Yes | Yes |
| Virtual IPv4 and IPv6 addresses | Not applicable | Yes | Yes |
Configure only one VIP per logical interface (IFL) in a Multinode High Availability setup. Support for using multiple VIPs or dual-stack is not available.
Using IP Address Pools in Multinode High Availability Configuration
When you configure multiple SRGs (active-active mode) in Multinode High Availability, ensure that the address pools used by the SRGs in an access profile do not overlap. Also ensure that the addresses and address pools configured in the RADIUS server for hosts connected to different SRGs are unique.
Example: The following sample shows address pool configurations with access profiles localpool and localpool2 for SRG1 and SRG2, respectively:
[edit]
set groups manha_config_group access profile localpool address-assignment pool v4-pool1
set groups manha_config_group access profile localpool2 authentication-order none
set groups manha_config_group access profile localpool2 address-assignment pool v4-pool2
set groups manha_config_group access address-assignment pool v4-pool1 family inet network 192.0.2.0/24
set groups manha_config_group access address-assignment pool v4-pool1 family inet range v41 low 192.0.2.1
set groups manha_config_group access address-assignment pool v4-pool1 family inet range v41 high 192.0.2.127
set groups manha_config_group access address-assignment pool v4-pool2 family inet network 192.0.2.0/24
set groups manha_config_group access address-assignment pool v4-pool2 family inet range v41 low 192.0.2.128
set groups manha_config_group access address-assignment pool v4-pool2 family inet range v41 high 192.0.2.255
In this example, the Services Redundancy Groups SRG1 and SRG2 are in the same network (192.0.2.0/24). However, the IP addresses in the address pools are split so that they do not overlap (192.0.2.1 through 192.0.2.127 for SRG1 and 192.0.2.128 through 192.0.2.255 for SRG2).
Similarly, you must use unique IP addresses and address pools for the user configurations in the RADIUS server.
If you assign the same address to hosts in two SRGs, Multinode High Availability deletes the new host and halts IKE negotiations with the following message:
AUTHENTICATION_FAILED as the AUTH response
The system log displays the following message:
Duplicate assigned IPv4 received, delete new peer
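The non-overlap rule above is easy to check before committing. The following script is an added example, not Juniper tooling: it parses set-style lines of the form shown in this topic, maps each access profile to its pool, and reports pools of different profiles whose low/high ranges overlap. The sample input is the page's configuration plus a constructed misconfigured copy.

```python
# Pre-deployment check: address pools bound to different MNHA SRG access profiles
# must not overlap. Added example, not Juniper tooling; it parses 'set ... access'
# lines in the form shown on this page.
import ipaddress
import re
from itertools import combinations

PROFILE_RE = re.compile(r"access profile (\S+) address-assignment pool (\S+)")
RANGE_RE = re.compile(
    r"access address-assignment pool (\S+) family inet range (\S+) (low|high) (\S+)")

def parse_pools(config):
    """Return (profile -> pool, pool -> {range -> {'low'/'high': address}})."""
    profile_pool, ranges = {}, {}
    for line in config.splitlines():
        m = PROFILE_RE.search(line)
        if m:
            profile_pool[m.group(1)] = m.group(2)
            continue
        m = RANGE_RE.search(line)
        if m:
            pool, rng, end, addr = m.groups()
            ranges.setdefault(pool, {}).setdefault(rng, {})[end] = ipaddress.ip_address(addr)
    return profile_pool, ranges

def find_overlaps(config):
    """List (profile_a, pool_a, profile_b, pool_b) for pools of two different
    access profiles whose inclusive low..high ranges share an address."""
    profile_pool, ranges = parse_pools(config)
    conflicts = []
    for (prof_a, pool_a), (prof_b, pool_b) in combinations(profile_pool.items(), 2):
        for ra in ranges.get(pool_a, {}).values():
            for rb in ranges.get(pool_b, {}).values():
                # Inclusive ranges overlap unless one ends before the other starts.
                if ra["low"] <= rb["high"] and rb["low"] <= ra["high"]:
                    conflicts.append((prof_a, pool_a, prof_b, pool_b))
    return conflicts

# The page's sample configuration: localpool/SRG1 and localpool2/SRG2 split 192.0.2.0/24.
PAGE_CONFIG = """
set groups manha_config_group access profile localpool address-assignment pool v4-pool1
set groups manha_config_group access profile localpool2 address-assignment pool v4-pool2
set groups manha_config_group access address-assignment pool v4-pool1 family inet range v41 low 192.0.2.1
set groups manha_config_group access address-assignment pool v4-pool1 family inet range v41 high 192.0.2.127
set groups manha_config_group access address-assignment pool v4-pool2 family inet range v41 low 192.0.2.128
set groups manha_config_group access address-assignment pool v4-pool2 family inet range v41 high 192.0.2.255
"""
# Constructed misconfiguration: v4-pool2 now starts inside v4-pool1's range.
BAD_CONFIG = PAGE_CONFIG.replace("low 192.0.2.128", "low 192.0.2.100")
```

Run `find_overlaps` on the output of `show configuration | display set` before committing; an empty list means the pools satisfy the rule.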