Prepare Your Environment for Multinode High Availability Deployment

This topic provides details to prepare the environment for Multinode High Availability deployment.

Device Model

In Multinode High Availability, both nodes must be the same SRX Series Firewall model. For example, if you use an SRX5600 as one node, you must use another SRX5600 as the other node.

For the SRX5000 line of devices, ensure that the SPCs, NPCs, and IOCs are of the same type and occupy the same slots on both nodes.

We support Multinode High Availability on the following devices:

  • SRX5800, SRX5600, and SRX5400 with the following components, running Junos OS Release 20.4R1 or later:
    • Services Processing Card SPC3
    • I/O card IOC3
    • Switch Control Boards SCB3 and SCB4
    • Routing Engine RE3
  • SRX4600, SRX4200, SRX4100, and SRX1500 running Junos OS Release 22.3R1 or later
  • SRX2300 and SRX1600 running Junos OS Release 23.4R1 or later
  • SRX4300 running Junos OS Release 24.2R1 or later
  • vSRX Virtual Firewall running Junos OS Release 22.3R1 or later

Software Version

Install the compatible version of Junos OS on the participating security devices.

Latest Junos IKE Package

You must install the Junos IKE package to enable ICL encryption in the Multinode High Availability solution.

By default, when your SRX Series Firewall boots up, the legacy IKE architecture runs. To enable the new IKE architecture, you must install the new Junos IKE package. This is an optional package included in the Junos OS software download image.

Use the following command to install the IKE package:

After you install the Junos IKE package, for subsequent software upgrades of the instance, the Junos IKE package is upgraded automatically from the new Junos OS releases installed on your device.

Software Licenses

You do not need any specific license for the Multinode High Availability feature. However, licenses are unique to each SRX Series Firewall and cannot be shared between the nodes in a Multinode High Availability setup. Therefore, you must use an identical set of licenses on both nodes. If the two SRX Series Firewalls do not have an identical set of licenses, the system is not ready for the deployment.

Network Accessibility

Both nodes in the Multinode High Availability setup must be able to reach each other over the ICL path. Whether or not the ICL is encrypted, this path is identified by its IP addresses, protocol, and port numbers. If any firewall or other inspection device sits between the nodes, you must ensure that this communication is allowed.

The floating IP address that you use for each node must be a routable IP address (reachable over a logically routed path) across the network.

We recommend binding the ICL to the loopback interface (lo0) or an aggregated Ethernet interface (ae0) with more than one physical link (LAG/LACP), so that path diversity provides the highest resiliency. You can also use a revenue Ethernet port on the SRX Series Firewalls to set up an ICL connection. In that case, ensure that you keep the transit traffic on the revenue interfaces separate from the high availability (HA) traffic.

IP Address Consideration

Table 1 provides details on IPv4 and IPv6 address support for Multinode High Availability deployments.

Table 1: IP Address Consideration For Multinode High Availability

MNHA Deployment Type                           | Layer 3 Network (Routers at Both Ends) | Hybrid Network (Router at One End and Switch at the Other End) | Default Gateway (Switches at Both Ends)
-----------------------------------------------|----------------------------------------|---------------------------------------------------------------|----------------------------------------
IPv4 and IPv6 addresses for IP monitoring      | Yes                                    | Yes                                                           | Yes
IPv4 and IPv6 addresses for activeness probing | Yes                                    | Yes                                                           | Yes
Virtual IPv4 and IPv6 addresses                | Not applicable                         | Yes                                                           | Yes

Note:

Configure only one VIP per logical interface (IFL) in a Multinode High Availability setup. Support for using multiple VIPs or dual-stack is not available.

Using IP Address Pools in Multinode High Availability Configuration

When you configure multiple SRGs (active-active mode) in Multinode High Availability, ensure that the address pools used by the SRGs in an access profile do not overlap. Also ensure that the addresses and address pools configured on the RADIUS server for hosts connected to different SRGs are unique.

Example: The following sample shows address pool configurations with the access profiles localpool and localpool2 for SRG1 and SRG2, respectively:

In this example, the Services Redundancy Groups SRG1 and SRG2 are in the same network (192.0.2.0/24). However, the IP addresses in the address pools are divided so that they do not overlap (192.0.2.1 through 192.0.2.127 for SRG1 and 192.0.2.128 through 192.0.2.255 for SRG2).

Similarly, you must use unique IP addresses and address pools for the user configurations on the RADIUS server.
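The following script is an added example, not part of this documentation page, that checks the non-overlap requirement described above: it parses address-assignment pools and access-profile bindings from Junos set-format configuration and reports any address span that two different access profiles (and therefore two SRGs) would both hand out. The sample configuration embedded in it is constructed for illustration and uses the same 192.0.2.1-127 / 192.0.2.128-255 split as the example above; the pool and range names are assumptions.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample in Junos "set" format (not from the page): two pools bound to
# the access profiles localpool (SRG1) and localpool2 (SRG2), split at .127/.128.
SAMPLE_CONFIG = """
set access address-assignment pool localpool family inet range r1 low 192.0.2.1 high 192.0.2.127
set access address-assignment pool localpool2 family inet range r1 low 192.0.2.128 high 192.0.2.255
set access profile localpool address-assignment pool localpool
set access profile localpool2 address-assignment pool localpool2
"""

RANGE_RE = re.compile(r"^set access address-assignment pool (\S+) family inet range \S+ low (\S+) high (\S+)$")
BIND_RE = re.compile(r"^set access profile (\S+) address-assignment pool (\S+)$")


def parse_profiles(config):
    """Map each access profile to the [(low, high)] integer ranges of the pools it references."""
    pool_ranges, profile_pools = {}, {}
    for line in config.strip().splitlines():
        m = RANGE_RE.match(line.strip())
        if m:
            pool, low, high = m.groups()
            lo, hi = int(ipaddress.ip_address(low)), int(ipaddress.ip_address(high))
            if lo > hi:
                raise ValueError(f"pool {pool}: low {low} is above high {high}")
            pool_ranges.setdefault(pool, []).append((lo, hi))
            continue
        m = BIND_RE.match(line.strip())
        if m:
            profile, pool = m.groups()
            profile_pools.setdefault(profile, []).append(pool)
    return {prof: [r for pool in pools for r in pool_ranges.get(pool, [])]
            for prof, pools in profile_pools.items()}


def find_overlaps(profile_ranges):
    """Return (profile_a, profile_b, first, last) for every address span two profiles share."""
    hits = []
    for a, b in combinations(sorted(profile_ranges), 2):
        for lo_a, hi_a in profile_ranges[a]:
            for lo_b, hi_b in profile_ranges[b]:
                lo, hi = max(lo_a, lo_b), min(hi_a, hi_b)
                if lo <= hi:  # non-empty intersection: both SRGs could assign these addresses
                    hits.append((a, b, str(ipaddress.ip_address(lo)), str(ipaddress.ip_address(hi))))
    return hits


def check_config(config):
    # An empty list means the pools are safe to use across SRGs; each tuple is one conflict.
    return find_overlaps(parse_profiles(config))
```

Run `check_config()` on the output of `show configuration access | display set` before committing a new SRG; any returned tuple names the two access profiles and the address span that must be split.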

If you assign the same address to hosts in two SRGs, Multinode High Availability deletes the new host and halts IKE negotiations with the following message:

System Log displays the following message: