Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Example: Configure Multinode High Availability in a Layer 3 Network

SUMMARY Read this topic to understand how to configure the Multinode High Availability solution on SRX Series Firewalls. The example covers configuration in active/backup mode when SRX Series Firewalls are connected to routers on both sides.

Overview

In Multi-Node High Availability, participating SRX Series Firewalls operate as independent nodes in a Layer 3 network. The nodes are connected to adjacent infrastructure belonging to different networks. An encrypted logical interchassis link (ICL) connects the nodes over a routed network. Participating nodes backup each other to ensure a fast synchronized failover in case of system or hardware failure.

In Multinode High Availability, activeness is determined at the services redundancy group (SRG) level. The SRX Series Firewall, on which the SRG1 is active, hosts the floating IP address and steers traffic towards it using the floating IP address. During a failover, the floating IP address moves from the old active node to the new active node and continues the communication client devices.

Note:

We support a two-node configuration in the Multinode High Availability solution.

Requirements

This example uses the following hardware and software components:

  • Two SRX Series Firewalls or vSRX Virtual Firewall instances

  • Two Juniper Networks(R) MX960 Universal Routing Platform

  • Junos OS Release 22.3R1

Topology

Figure 1 shows the topology used in this example.

Figure 1: Multinode High Availability in Layer 3 NetworkMultinode High Availability in Layer 3 Network

As shown in the topology, two SRX Series Firewalls are connected to adjacent routers on trust and untrust side forming a BGP neighborship. An encrypted logical interchassis link (ICL) connects the nodes over a routed network. The nodes communicate with each other using a routable IP address (floating IP address) over the network. Loopback interfaces are used to host the IP addresses on SRX Series and routers.

In general, you can use Aggregated Ethernet (AE) or a revenue Ethernet port on the SRX Series Firewalls to setup an ICL connection. In this example, we've used GE ports for the ICL. We've also configured a routing instance for the ICL path to ensure maximum segmentation.

In a typical high availability deployment, you have multiple routers and switches on the northbound and southbound sides of the network. For this example, we are using two routers on both sides of SRX Series Firewalls.

In this example, you'll establish high availability between the SRX Series Firewalls and secure the tunnel traffic by enabling HA link encryption.

You'll perform the following tasks to build a Multinode High Availability setup:

  • Configure a pair of SRX Series Firewalls as local and peer nodes by assigning IDs.
  • Configure services redundancy groups.
  • Configure a loopback interface (lo0.0) to host the floating IP address.
  • Configure IP probes for the activeness determination and enforcement
  • Configure a signal route required for activeness enforcement and use it along with the route exists policy.
  • Configure a VPN profile for the high availability (ICL) traffic using IKEv2.
  • Configure BFD monitoring options
  • Configure a routing policy and routing options
  • Configure appropriate security policies to manage traffic in your network
  • Configure stateless firewall filtering and quality of service (QoS) as per your network requirements.

  • Configure interfaces and zones according to your network requirement. You must allow services such as IKE for link encryption and SSH for configuration synchronization as host-inbound system services on the security zone that is associated with the ICL.

In this example, you use static routes on SRX-1 and SRX-2 and advertise these routes into BGP to add the metric to determine which SRX Series Firewall is in the preferred path. Alternatively you can use route reflectors on the SRX Series Firewalls to advertise the routes learned via BGP and accordingly configure the routing policy to match on BGP.

You can configure the following options on SRG0 and SRG1:

  • SRG1: Active/backup signal route, deployment type, activeness priority, preemption, virtual IP address (for default gateway deployments), activeness probing and process packet on backup.

  • SRG1: BFD monitoring, IP monitoring, and interface monitoring options on SRG1.

  • SRG0: shutdown on failure and install on failure route options.

    When you configure monitoring (BFD or IP or Interface) options under SRG1, we recommend not to configure the shutdown-on-failure option under SRG0.

For interchassis link (ICL), we recommend the following configuration settings:

  • Use a loopback (lo0) interface using an aggregated Ethernet interface (ae0), or any revenue Ethernet interface to establish the ICL. Do not to use the dedicated HA ports (control and fabric ports) if available on your SRX Series Firewall).
  • Set MTU of 1514
  • Allow the following services on the security zone associated with interfaces used for ICL
    • IKE, high-availability, SSH

    • Protocols depending on the routing protocol you need.

    • BFD to monitor the neighboring routes.

A secure tunnel interface (st0) from st0.16000 to st0.16385 is reserved for Multinode High Availability. These interfaces are not user configurable interfaces. You can only use interfaces from st0.0 to st0.15999.

Configuration

Before You Begin

Junos IKE package is required on your SRX Series Firewalls for Multinode High Availability configuration. This package is available as a default package or as an optional package on SRX Series Firewalls. See Support for Junos IKE Package for details.

If the package is not installed by default on your SRX Series firewall, use the following command to install it. You require this step for ICL encryption.

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

These configurations are captured from a lab environment, and are provided for reference only. Actual configurations may vary based on the specific requirements of your environment.

On SRX-1 Device

On SRX-2 Device

The following sections show configuration snippets on the routers required for setting up Multinode High Availability setup in the network.

Router (VMX-1)

Router (VMX-2)

Configuration

Step-by-Step Procedure

We're showing the configuration of SRX-1 in the step-by-step procedure.

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. Configure Interfaces.

    We're using ge-0/0/3 and ge-0/0/4 interfaces to connect to the upstream and downstream routers and using ge-0/0/2 interface to setup the ICL.

  2. Configure the loopback interfaces.

    The IP address (10.11.0.1) assigned to the loopback interface will be used as the floating IP address.

    Using the loopback interface ensures that at any given point, traffic from the adjacent routers will be steered toward the floating IP address (that is, toward the active node).

  3. Configure security zones, assign interfaces to the zones, and specify the allowed system services for the security zones.

    Assign the interfaces ge-0/0/3 and ge-0/0/4 the trust and untrust zones respectively. Assign the lo0.0 interface to the untrust zone to connect over the public IP network. Assign the interface ge-0/0/2 to the halink zone. You use this zone to set up the ICL.

  4. Configure routing options.

  5. Configure both local node and peer node details such as node ID, lP addresses of local node and peer node, and the interface for the peer node.

    You'll use the ge-0/0/2 interface for communicating with the peer node using the ICL.

  6. Attach the IPsec VPN profile IPSEC_VPN_ICL to the peer node.

    You'll need this configuration to establish a secure ICL link between the nodes.

  7. Configure Bidirectional Forwarding Detection (BFD) protocol options for the peer node.

  8. Associate the peer node ID 2 to the services redundancy group 0 (SRG0).

  9. Configure the services redundancy group 1 (SRG1).

    In this step, you are specifying deployment type as routing because you are setting up Multinode High Availability in a Layer 3 network.

    .

  10. Setup activeness determination parameters for SRG1.

    Use the floating IP address as source IP address (10.11.0.1) and IP addresses of the upstream routers as the destination IP address (10.111.0.1) for the activeness determination probe.

    You can configure up to 64 IP addresses for IP monitoring and activeness probing. The total 64 IP addresses is sum of the number of IPv4 and IPv6 addresses)

  11. Configure BFD monitoring parameters for the SRG1 to detect failures in network.

  12. Configure an active signal route required for activeness enforcement.

    In this step, the active SRX Series Firewall creates the route with IP address 10.39.1.1 and the backup SRX Series Firewall creates the route with IP address 10.39.1.2 depending on the configuration. In this example, the policy on the SRX-1 matches on 10.39.1.1 (since its active) and advertises static/direct routes with a metric 10 making it preferred. The policy on SRX-2 matches on 10.39.1.2 (since its backup) and advertises static/direct routes with a metric 20 making it less preferred.

    The active signal route IP address you assign is used for route preference advertisement.

    Note: You must specify the active signal route along with the route-exists policy in the policy-options statement. When you configure the active-signal-route with if-route-exists condition, the HA module adds this route to the routing table.
  13. Configure policy options.

    Configure the active signal route 10.39.1.1 with the route match condition (if-route-exists).

  14. Configure the security policy.

    Ensure you have configured security policies as per your network requirements.

  15. Configure CA certificates as per your requirements.

  16. Define Internet Key Exchange (IKE) configuration for Multinode High Availability. An IKE configuration defines the algorithms and keys used to establish a secure connection.

    For the Multinode High availability feature, you must configure the IKE version as v2-only

  17. Specify the IPsec proposal protocol and encryption algorithm. Specify IPsec options to create a IPsec tunnel between two participant devices to secure VPN communication.

    Specifying the ha-link-encryption option encrypts the ICL to secure high availability traffic flow between the nodes.

    The same VPN name IPSEC_VPN_ICL must be mentioned for vpn_profile in chassis high availability configuration.

  18. Configure BFD peering sessions options and specify liveness detection timers.

Configuration Option for Software Upgrades (Optional)

In Multinode High Availability, during software upgrades, you can divert the traffic by changing the route. Use the following steps to add install route on failure configuration. Here, traffic can still go through the node and interface remains up.

Check Software Upgrade in Multinode High Availability for details.

  1. Create a dedicated custom virtual router for the route used for diverting traffic during the upgrade.

  2. Configure install route on failure statement for the SRG0.

    The routing table installs the route mentioned in the statement when the node fails.

  3. Create a matching routing policy which refers the route as condition with the route-exists attribute.

    Example: Following configuration snippets show that you have configured the route with IP address 10.39.1.3 for SRG0 as install on failure route. The routing policy statement includes the route 10.39.1.3 as the if-route-exists condition and the policy statement refers the condition as one of the matching term.

Results (SRX-1)

From configuration mode, confirm your configuration by entering the following commands.

If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Results (SRX-2)

From configuration mode, confirm your configuration by entering the following commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

On your security devices, you'll get the following message that asks you to reboot the device:

Verification

Confirm that the configuration is working properly.

Check Multinode High Availability Details

Purpose

View and verify the details of the Multinode High Availability setup configured on your security device.

Action

From operational mode, run the following command:

On SRX-1

On SRX-2

Meaning

Verify these details from the command output:

  • Local node and peer node details such as IP address and ID.

  • The field Encrypted: YES indicates that the traffic is protected.

  • The field Deployment Type: ROUTING indicates a Layer 3 mode configuration—that is, the network has routers on both sides.

  • The field Services Redundancy Group: 1 indicates the status of the SRG1 (ACTIVE or BACKUP) on that node.

Check Multinode High Availability Peer Node Status

Purpose

View and verify the peer node details.

Action

From operational mode, run the following command:

SRX-1

SRX-2

Meaning

Verify these details from the command output:

  • Peer node details such as interface used, IP address, and ID

  • Encryption status, connection status, and cold synchronization status

  • Packet statistics across the node.

Check Multinode High Availability Service Redundancy Groups

Purpose

Verify that the SRGs are configured and working correctly.

Action

From operational mode, run the following command:

For SRG0:

For SRG1:

Meaning

Verify these details from the command output:

  • Peer node details such as deployment type, status, and active and back up signal routes.

  • Virtual IP Information such as IP address and virtual MAC address.

  • IP monitoring and BFD monitoring status.

Verify the Multinode High Availability Status Before and After Failover

Purpose

Check the change in node status before and after failover in a Multinode High Availability setup.

Action

To check the Multinode High Availability status on the backup node (SRX-2), run the following command from operational mode:

Under the Services Redundancy Group: 1 section, you can see the Status: BACKUP field. This field value indicates that the status of SRG 1 is backup.

Initiate the failover on the active node (SRX-1 device) and again run the command on the backup node (SRX-2 device).

Note that under the Services Redundancy Group: 1 section, the status of SRG1 has changed from BACKUP to ACTIVE.

You can also see peer node details under the Peer Information section. The output shows the status of peer as BACKUP.