High Availability User Guide

Example: Configure Multinode High Availability in a Layer 3 Network

25-Mar-25

Read this topic to understand how to configure the Multinode High Availability solution on SRX Series Firewalls. The example covers configuration in active/backup mode when SRX Series Firewalls are connected to routers on both sides.

Overview

In Multinode High Availability, participating SRX Series Firewalls operate as independent nodes in a Layer 3 network. The nodes are connected to adjacent infrastructure belonging to different networks. An encrypted logical interchassis link (ICL) connects the nodes over a routed network. Participating nodes back up each other to ensure a fast, synchronized failover in case of a system or hardware failure.

In Multinode High Availability, activeness is determined at the services redundancy group (SRG) level. The SRX Series Firewall on which SRG1 is active hosts the floating IP address, and the adjacent routers steer traffic toward it using that floating IP address. During a failover, the floating IP address moves from the old active node to the new active node, and communication with client devices continues.

Note:

We support a two-node configuration in the Multinode High Availability solution.

Requirements

This example uses the following hardware and software components:

  • Two SRX Series Firewalls or vSRX Virtual Firewall instances

  • Two Juniper Networks(R) MX960 Universal Routing Platforms

  • Junos OS Release 22.3R1

Topology

Figure 1 shows the topology used in this example.

Figure 1: Multinode High Availability in Layer 3 Network

As shown in the topology, the two SRX Series Firewalls are connected to adjacent routers on the trust and untrust sides, forming BGP neighborships. An encrypted logical interchassis link (ICL) connects the nodes over a routed network. The nodes communicate with each other using a routable IP address (the floating IP address) over the network. Loopback interfaces host the IP addresses on the SRX Series Firewalls and the routers.

In general, you can use an aggregated Ethernet (AE) interface or a revenue Ethernet port on the SRX Series Firewalls to set up the ICL connection. In this example, we've used GE ports for the ICL. We've also configured a routing instance for the ICL path to ensure maximum segmentation.

In a typical high availability deployment, you have multiple routers and switches on the northbound and southbound sides of the network. For this example, we are using two routers, one on each side of the SRX Series Firewalls.

In this example, you'll establish high availability between the SRX Series Firewalls and secure the tunnel traffic by enabling HA link encryption.

You'll perform the following tasks to build a Multinode High Availability setup:

  • Configure a pair of SRX Series Firewalls as local and peer nodes by assigning IDs.
  • Configure services redundancy groups.
  • Configure a loopback interface (lo0.0) to host the floating IP address.
  • Configure IP probes for activeness determination and enforcement.
  • Configure a signal route required for activeness enforcement and use it together with the route-exists policy.
  • Configure a VPN profile for the high availability (ICL) traffic using IKEv2.
  • Configure BFD monitoring options.
  • Configure a routing policy and routing options.
  • Configure appropriate security policies to manage traffic in your network.
  • Configure stateless firewall filtering and quality of service (QoS) as per your network requirements.

  • Configure interfaces and zones according to your network requirements. You must allow services such as IKE for link encryption and SSH for configuration synchronization as host-inbound system services on the security zone that is associated with the ICL.

In this example, you use static routes on SRX-1 and SRX-2 and advertise these routes into BGP with a metric that determines which SRX Series Firewall is in the preferred path. Alternatively, you can use route reflectors on the SRX Series Firewalls to advertise the routes learned via BGP and configure the routing policy to match on BGP accordingly.

You can configure the following options on SRG0 and SRG1:

  • SRG1: Active/backup signal route, deployment type, activeness priority, preemption, virtual IP address (for default gateway deployments), activeness probing, and process-packet-on-backup options.

  • SRG1: BFD monitoring, IP monitoring, and interface monitoring options.

  • SRG0: shutdown-on-failure and install-on-failure route options.

    When you configure monitoring (BFD, IP, or interface) options under SRG1, we recommend that you do not configure the shutdown-on-failure option under SRG0.

For interchassis link (ICL), we recommend the following configuration settings:

  • Use a loopback (lo0) interface over an aggregated Ethernet interface (ae0), or any revenue Ethernet interface, to establish the ICL. Do not use the dedicated HA ports (control and fabric ports), if available on your SRX Series Firewall.
  • Set an MTU of 1514.
  • Allow the following services on the security zone associated with the interfaces used for the ICL:
    • IKE, high-availability, and SSH.

    • Protocols depending on the routing protocol you need.

    • BFD to monitor the neighboring routes.

The secure tunnel interface (st0) units st0.16000 through st0.16385 are reserved for Multinode High Availability. These units are not user-configurable. You can only use units st0.0 through st0.15999.

Configuration

Before You Begin

The Junos IKE package is required on your SRX Series Firewalls for Multinode High Availability configuration. This package is available as a default package or as an optional package on SRX Series Firewalls. See Support for Junos IKE Package for details.

If the package is not installed by default on your SRX Series Firewall, use the following command to install it. This step is required for ICL encryption.

user@host> request system software add optional://junos-ike.tgz
Verified junos-ike signed by PackageProductionECP256_2022 method ECDSA256+SHA256
Rebuilding schema and Activating configuration...
mgd: commit complete
Restarting MGD ...

WARNING: cli has been replaced by an updated version:
CLI release 20220208.163814_builder.r1239105 built by builder on 2022-02-08 17:07:55 UTC
Restart cli using the new version ? [yes,no] (yes)

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

These configurations are captured from a lab environment, and are provided for reference only. Actual configurations may vary based on the specific requirements of your environment.

On SRX-1 Device

set chassis high-availability local-id 1
set chassis high-availability local-id local-ip 10.22.0.1
set chassis high-availability peer-id 2 peer-ip 10.22.0.2
set chassis high-availability peer-id 2 interface ge-0/0/2.0
set chassis high-availability peer-id 2 vpn-profile IPSEC_VPN_ICL
set chassis high-availability peer-id 2 liveness-detection minimum-interval 400
set chassis high-availability peer-id 2 liveness-detection multiplier 5
set chassis high-availability services-redundancy-group 0 peer-id 2
set chassis high-availability services-redundancy-group 1 deployment-type routing
set chassis high-availability services-redundancy-group 1 peer-id 2
set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip 10.111.0.1
set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip 10.111.0.1 src-ip 10.11.0.1
set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.4.0.2 src-ip 10.4.0.1
set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.4.0.2 session-type singlehop
set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.4.0.2 interface ge-0/0/4.0
set chassis high-availability services-redundancy-group 1 active-signal-route 10.39.1.1
set chassis high-availability services-redundancy-group 1 backup-signal-route 10.39.1.2
set chassis high-availability services-redundancy-group 1 preemption
set chassis high-availability services-redundancy-group 1 activeness-priority 200
set interfaces ge-0/0/3 description "trust" unit 0 family inet address 10.2.0.2/16
set interfaces ge-0/0/4 description "untrust" unit 0 family inet address 10.4.0.1/16
set interfaces ge-0/0/2 description "ha_link" unit 0 family inet address 10.22.0.1/24
set interfaces lo0 description "untrust" unit 0 family inet address 10.11.0.1/32
set routing-options autonomous-system 65000
set routing-options static route 10.1.0.0/16 next-hop 10.2.0.1
set routing-options static route 10.6.0.0/16 next-hop 10.4.0.2
set routing-options static route 10.111.0.1 next-hop 10.2.0.1
set routing-options static route 10.111.0.2 next-hop 10.4.0.2
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic protocols bfd
set security zones security-zone untrust host-inbound-traffic protocols bgp
set security zones security-zone untrust interfaces ge-0/0/4
set security zones security-zone untrust interfaces lo0.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/3
set security zones security-zone halink host-inbound-traffic system-services ike
set security zones security-zone halink host-inbound-traffic system-services ping
set security zones security-zone halink host-inbound-traffic system-services high-availability
set security zones security-zone halink host-inbound-traffic system-services ssh
set security zones security-zone halink host-inbound-traffic protocols bfd
set security zones security-zone halink host-inbound-traffic protocols bgp
set security zones security-zone halink interfaces ge-0/0/2
set security policies default-policy permit-all
set system services netconf ssh
set security ike proposal MNHA_IKE_PROP description mnha_link_encr_tunnel
set security ike proposal MNHA_IKE_PROP authentication-method pre-shared-keys
set security ike proposal MNHA_IKE_PROP dh-group group14
set security ike proposal MNHA_IKE_PROP authentication-algorithm sha-256
set security ike proposal MNHA_IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal MNHA_IKE_PROP lifetime-seconds 3600
set security ike policy MNHA_IKE_POL description mnha_link_encr_tunnel
set security ike policy MNHA_IKE_POL proposals MNHA_IKE_PROP
set security ike policy MNHA_IKE_POL pre-shared-key ascii-text "$ABC123"
set security ike gateway MNHA_IKE_GW ike-policy MNHA_IKE_POL
set security ike gateway MNHA_IKE_GW version v2-only
set security ipsec proposal MNHA_IPSEC_PROP description mnha_link_encr_tunnel
set security ipsec proposal MNHA_IPSEC_PROP protocol esp
set security ipsec proposal MNHA_IPSEC_PROP encryption-algorithm aes-256-gcm
set security ipsec proposal MNHA_IPSEC_PROP lifetime-seconds 3600
set security ipsec policy MNHA_IPSEC_POL description mnha_link_encr_tunnel
set security ipsec policy MNHA_IPSEC_POL proposals MNHA_IPSEC_PROP
set security ipsec vpn IPSEC_VPN_ICL ha-link-encryption
set security ipsec vpn IPSEC_VPN_ICL ike gateway MNHA_IKE_GW
set security ipsec vpn IPSEC_VPN_ICL ike ipsec-policy MNHA_IPSEC_POL
set policy-options condition active_route_exists if-route-exists address-family inet 10.39.1.1 table inet.0
set policy-options condition backup_route_exists if-route-exists address-family inet 10.39.1.2 table inet.0
set policy-options policy-statement mnha-route-policy term 1 from protocol static
set policy-options policy-statement mnha-route-policy term 1 from protocol direct
set policy-options policy-statement mnha-route-policy term 1 from condition active_route_exists
set policy-options policy-statement mnha-route-policy term 1 then accept metric 10
set policy-options policy-statement mnha-route-policy term 2 from protocol static
set policy-options policy-statement mnha-route-policy term 2 from protocol direct
set policy-options policy-statement mnha-route-policy term 2 from condition backup_route_exists
set policy-options policy-statement mnha-route-policy term 2 then accept metric 20
set policy-options policy-statement mnha-route-policy term 3 from protocol static
set policy-options policy-statement mnha-route-policy term 3 from protocol direct
set policy-options policy-statement mnha-route-policy term 3 then accept metric 30
set policy-options policy-statement mnha-route-policy term default then reject
set protocols bgp group trust type internal
set protocols bgp group trust local-address 10.2.0.2
set protocols bgp group trust export mnha-route-policy
set protocols bgp group trust neighbor 10.2.0.1
set protocols bgp group trust bfd-liveness-detection minimum-interval 500
set protocols bgp group trust bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group trust bfd-liveness-detection multiplier 3
set protocols bgp group trust local-as 65000
set protocols bgp group untrust type internal
set protocols bgp group untrust local-address 10.4.0.1
set protocols bgp group untrust export mnha-route-policy
set protocols bgp group untrust neighbor 10.4.0.2
set protocols bgp group untrust bfd-liveness-detection minimum-interval 500
set protocols bgp group untrust bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group untrust bfd-liveness-detection multiplier 3
set protocols bgp group untrust local-as 65000

On SRX-2 Device

set chassis high-availability local-id 2
set chassis high-availability local-id local-ip 10.22.0.2
set chassis high-availability peer-id 1 peer-ip 10.22.0.1
set chassis high-availability peer-id 1 interface ge-0/0/2.0
set chassis high-availability peer-id 1 vpn-profile IPSEC_VPN_ICL
set chassis high-availability peer-id 1 liveness-detection minimum-interval 400
set chassis high-availability peer-id 1 liveness-detection multiplier 5
set chassis high-availability services-redundancy-group 0 peer-id 1
set chassis high-availability services-redundancy-group 1 deployment-type routing
set chassis high-availability services-redundancy-group 1 peer-id 1
set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip 10.111.0.1
set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip 10.111.0.1 src-ip 10.11.0.1
set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.5.0.2 src-ip 10.5.0.1
set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.5.0.2 session-type singlehop
set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.5.0.2 interface ge-0/0/4.0
set chassis high-availability services-redundancy-group 1 active-signal-route 10.39.1.1
set chassis high-availability services-redundancy-group 1 backup-signal-route 10.39.1.2
set chassis high-availability services-redundancy-group 1 activeness-priority 1
set security ike proposal MNHA_IKE_PROP description mnha_link_encr_tunnel
set security ike proposal MNHA_IKE_PROP authentication-method pre-shared-keys
set security ike proposal MNHA_IKE_PROP dh-group group14
set security ike proposal MNHA_IKE_PROP authentication-algorithm sha-256
set security ike proposal MNHA_IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal MNHA_IKE_PROP lifetime-seconds 3600
set security ike policy MNHA_IKE_POL description mnha_link_encr_tunnel
set security ike policy MNHA_IKE_POL proposals MNHA_IKE_PROP
set security ike policy MNHA_IKE_POL pre-shared-key ascii-text "$ABC123"
set security ike gateway MNHA_IKE_GW ike-policy MNHA_IKE_POL
set security ike gateway MNHA_IKE_GW version v2-only
set security ipsec proposal MNHA_IPSEC_PROP description mnha_link_encr_tunnel
set security ipsec proposal MNHA_IPSEC_PROP protocol esp
set security ipsec proposal MNHA_IPSEC_PROP encryption-algorithm aes-256-gcm
set security ipsec proposal MNHA_IPSEC_PROP lifetime-seconds 3600
set security ipsec policy MNHA_IPSEC_POL description mnha_link_encr_tunnel
set security ipsec policy MNHA_IPSEC_POL proposals MNHA_IPSEC_PROP
set security ipsec vpn IPSEC_VPN_ICL ha-link-encryption
set security ipsec vpn IPSEC_VPN_ICL ike gateway MNHA_IKE_GW
set security ipsec vpn IPSEC_VPN_ICL ike ipsec-policy MNHA_IPSEC_POL
set interfaces ge-0/0/3 description "trust" unit 0 family inet address 10.3.0.2/16
set interfaces ge-0/0/4 description "untrust" unit 0 family inet address 10.5.0.1/16
set interfaces ge-0/0/2 description "ha_link" unit 0 family inet address 10.22.0.2/24
set interfaces lo0 description "untrust" unit 0 family inet address 10.11.0.1/32
set routing-options autonomous-system 65000
set routing-options static route 10.1.0.0/16 next-hop 10.3.0.1
set routing-options static route 10.6.0.0/16 next-hop 10.5.0.2
set routing-options static route 10.111.0.1 next-hop 10.3.0.1
set routing-options static route 10.111.0.2 next-hop 10.5.0.2
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic protocols bfd
set security zones security-zone untrust host-inbound-traffic protocols bgp
set security zones security-zone untrust interfaces ge-0/0/4
set security zones security-zone untrust interfaces lo0.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/3
set security zones security-zone halink host-inbound-traffic system-services ike
set security zones security-zone halink host-inbound-traffic system-services ping
set security zones security-zone halink host-inbound-traffic system-services high-availability
set security zones security-zone halink host-inbound-traffic system-services ssh
set security zones security-zone halink host-inbound-traffic protocols bfd
set security zones security-zone halink host-inbound-traffic protocols bgp
set security zones security-zone halink interfaces ge-0/0/2
set security policies default-policy permit-all
set system services netconf ssh
set policy-options route-filter-list loopback 10.11.0.0/24 orlonger
set policy-options route-filter-list ipsec 10.6.0.0/16 orlonger
set policy-options condition active_route_exists if-route-exists address-family inet 10.39.1.1 table inet.0
set policy-options condition backup_route_exists if-route-exists address-family inet 10.39.1.2 table inet.0
set policy-options policy-statement mnha-route-policy term 1 from protocol static
set policy-options policy-statement mnha-route-policy term 1 from protocol direct
set policy-options policy-statement mnha-route-policy term 1 from condition active_route_exists
set policy-options policy-statement mnha-route-policy term 1 then accept metric 10
set policy-options policy-statement mnha-route-policy term 2 from protocol static
set policy-options policy-statement mnha-route-policy term 2 from protocol direct
set policy-options policy-statement mnha-route-policy term 2 from condition backup_route_exists
set policy-options policy-statement mnha-route-policy term 2 then accept metric 20
set policy-options policy-statement mnha-route-policy term 3 from protocol static
set policy-options policy-statement mnha-route-policy term 3 from protocol direct
set policy-options policy-statement mnha-route-policy term 3 then accept metric 35
set policy-options policy-statement mnha-route-policy term default then reject
set protocols bgp group trust type internal
set protocols bgp group trust local-address 10.3.0.2
set protocols bgp group trust export mnha-route-policy
set protocols bgp group trust neighbor 10.3.0.1
set protocols bgp group trust bfd-liveness-detection minimum-interval 500
set protocols bgp group trust bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group trust bfd-liveness-detection multiplier 3
set protocols bgp group trust local-as 65000
set protocols bgp group untrust type internal
set protocols bgp group untrust local-address 10.5.0.1
set protocols bgp group untrust export mnha-route-policy
set protocols bgp group untrust neighbor 10.5.0.2
set protocols bgp group untrust bfd-liveness-detection minimum-interval 500
set protocols bgp group untrust bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group untrust bfd-liveness-detection multiplier 3
set protocols bgp group untrust local-as 65000
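The ICL recommendations in the overview and the two node configurations above describe a small set of pairing rules that are easy to get wrong when the configurations are edited by hand: the local-id and local-ip of one node must appear as the peer-id and peer-ip of the other, both nodes must reference the same ICL VPN profile, and the zone that holds the ICL interface must allow IKE, SSH, and high-availability as host-inbound system services. The following Python script is an added example, not Juniper code, that checks those rules over the "set"-style configuration of both nodes before you commit. The configuration excerpts inside it are constructed from SRX-1 and SRX-2 above (only the lines the checks need), and the helper names (parse_set, ha_params, zone_info, check_pair) are this example's own.

```python
from typing import Dict, List, Set, Tuple

# Constructed excerpts mirroring SRX-1 and SRX-2 from this topic; only the
# statements the checks below look at are included.
SRX1 = """\
set chassis high-availability local-id 1
set chassis high-availability local-id local-ip 10.22.0.1
set chassis high-availability peer-id 2 peer-ip 10.22.0.2
set chassis high-availability peer-id 2 interface ge-0/0/2.0
set chassis high-availability peer-id 2 vpn-profile IPSEC_VPN_ICL
set security zones security-zone halink host-inbound-traffic system-services ike
set security zones security-zone halink host-inbound-traffic system-services ssh
set security zones security-zone halink host-inbound-traffic system-services high-availability
set security zones security-zone halink interfaces ge-0/0/2
"""

SRX2 = """\
set chassis high-availability local-id 2
set chassis high-availability local-id local-ip 10.22.0.2
set chassis high-availability peer-id 1 peer-ip 10.22.0.1
set chassis high-availability peer-id 1 interface ge-0/0/2.0
set chassis high-availability peer-id 1 vpn-profile IPSEC_VPN_ICL
set security zones security-zone halink host-inbound-traffic system-services ike
set security zones security-zone halink host-inbound-traffic system-services ssh
set security zones security-zone halink host-inbound-traffic system-services high-availability
set security zones security-zone halink interfaces ge-0/0/2
"""

# Constructed misconfiguration: SSH not allowed on the ICL zone, which the topic
# says is needed for configuration synchronization.
SRX2_NO_SSH = SRX2.replace(
    "set security zones security-zone halink host-inbound-traffic system-services ssh\n", "")

# Services the topic requires on the zone associated with the ICL.
REQUIRED_ICL_SERVICES = {"ike", "ssh", "high-availability"}


def parse_set(text: str) -> List[List[str]]:
    """Tokenize 'set ...' lines; each entry is the token list after 'set'."""
    return [line.split()[1:] for line in text.splitlines()
            if line.strip().startswith("set ")]


def ha_params(cmds: List[List[str]]) -> Dict[str, str]:
    """Collect node-pairing parameters from 'chassis high-availability'."""
    keys = {"peer-ip": "peer_ip", "interface": "icl_interface", "vpn-profile": "vpn_profile"}
    p: Dict[str, str] = {}
    for t in cmds:
        if t[:2] != ["chassis", "high-availability"]:
            continue
        rest = t[2:]
        if rest[0] == "local-id":
            if len(rest) == 2:
                p["local_id"] = rest[1]
            elif rest[1] == "local-ip":
                p["local_ip"] = rest[2]
        elif rest[0] == "peer-id":
            p["peer_id"] = rest[1]
            if len(rest) >= 4 and rest[2] in keys:
                p[keys[rest[2]]] = rest[3]
    return p


def zone_info(cmds: List[List[str]]) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Map zone -> host-inbound system-services and zone -> member interfaces."""
    services: Dict[str, Set[str]] = {}
    interfaces: Dict[str, Set[str]] = {}
    for t in cmds:
        if t[:3] != ["security", "zones", "security-zone"]:
            continue
        zone = t[3]
        if t[4:6] == ["host-inbound-traffic", "system-services"]:
            services.setdefault(zone, set()).add(t[6])
        elif t[4] == "interfaces":
            interfaces.setdefault(zone, set()).add(t[5])
    return services, interfaces


def check_node(name: str, cmds: List[List[str]]) -> List[str]:
    """Per-node check: the ICL interface's zone must allow the required services."""
    findings = []
    p = ha_params(cmds)
    services, interfaces = zone_info(cmds)
    icl_unit = p.get("icl_interface", "")
    icl_if = icl_unit.split(".")[0]  # ge-0/0/2.0 -> ge-0/0/2
    zones = [z for z, ifs in interfaces.items() if icl_if in ifs or icl_unit in ifs]
    if not zones:
        findings.append(f"{name}: ICL interface {icl_if or '?'} is not assigned to any security zone")
    for z in zones:
        allowed = services.get(z, set())
        missing = set() if "all" in allowed else REQUIRED_ICL_SERVICES - allowed
        if missing:
            findings.append(f"{name}: zone {z} holding the ICL interface lacks "
                            f"host-inbound system-services {sorted(missing)}")
    return findings


def check_pair(cfg_a: str, cfg_b: str) -> List[str]:
    """Cross-node checks; an empty list means the pair is consistent."""
    a, b = parse_set(cfg_a), parse_set(cfg_b)
    pa, pb = ha_params(a), ha_params(b)
    findings = check_node("node A", a) + check_node("node B", b)
    if pa.get("local_id") != pb.get("peer_id") or pb.get("local_id") != pa.get("peer_id"):
        findings.append("node IDs are not mirrored (local-id on one node must be peer-id on the other)")
    if pa.get("local_ip") != pb.get("peer_ip") or pb.get("local_ip") != pa.get("peer_ip"):
        findings.append("ICL addresses are not mirrored (local-ip on one node must be peer-ip on the other)")
    if pa.get("vpn_profile") != pb.get("vpn_profile"):
        findings.append("both nodes must reference the same ICL VPN profile")
    return findings


if __name__ == "__main__":
    print("SRX-1 / SRX-2:", check_pair(SRX1, SRX2) or "consistent")
    print("SRX-1 / SRX-2 without ssh:", check_pair(SRX1, SRX2_NO_SSH))
```

Feed it the full "show configuration | display set" output of each node; statements outside the chassis high-availability and security zones hierarchies are ignored. The checks only cover what this topic states as requirements, so a clean result means the pairing and ICL zone are consistent, not that the whole configuration is correct.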

The following sections show the configuration snippets on the routers that are required to set up Multinode High Availability in the network.

Router (VMX-1)

set interfaces ge-0/0/2 description lan unit 0 family inet address 10.1.0.1/16
set interfaces ge-0/0/0 description ha unit 0 family inet address 10.2.0.1/16
set interfaces ge-0/0/1 description ha unit 0 family inet address 10.3.0.1/16
set interfaces lo0 description "loopback" unit 0 family inet address 10.111.0.1 primary preferred
set routing-options autonomous-system 65000
set protocols bgp group mnha_r0 type internal
set protocols bgp group mnha_r0 local-address 10.2.0.1
set protocols bgp group mnha_r0 neighbor 10.2.0.2
set protocols bgp group mnha_r0 bfd-liveness-detection minimum-interval 500
set protocols bgp group mnha_r0 bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group mnha_r0 bfd-liveness-detection multiplier 3
set protocols bgp group mnha_r0 local-as 65000
set protocols bgp group mnha_r0_b type internal
set protocols bgp group mnha_r0_b local-address 10.3.0.1
set protocols bgp group mnha_r0_b neighbor 10.3.0.2
set protocols bgp group mnha_r0_b bfd-liveness-detection minimum-interval 500
set protocols bgp group mnha_r0_b bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group mnha_r0_b bfd-liveness-detection multiplier 3
set protocols bgp group mnha_r0_b local-as 65000

Router (VMX-2)

set interfaces ge-0/0/0 description HA unit 0 family inet address 10.4.0.2/16
set interfaces ge-0/0/1 description HA unit 0 family inet address 10.5.0.2/16
set interfaces ge-0/0/2 description trust unit 0 family inet address 10.6.0.1/16
set interfaces lo0 description "loopback" unit 0 family inet address 10.111.0.2 primary preferred
set routing-options autonomous-system 65000
set protocols bgp group mnha_r0 type internal
set protocols bgp group mnha_r0 local-address 10.4.0.2
set protocols bgp group mnha_r0 neighbor 10.4.0.1
set protocols bgp group mnha_r0 bfd-liveness-detection minimum-interval 500
set protocols bgp group mnha_r0 bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group mnha_r0 bfd-liveness-detection multiplier 3
set protocols bgp group mnha_r0 local-as 65000
set protocols bgp group mnha_r0_b type internal
set protocols bgp group mnha_r0_b local-address 10.5.0.2
set protocols bgp group mnha_r0_b neighbor 10.5.0.1
set protocols bgp group mnha_r0_b bfd-liveness-detection minimum-interval 500
set protocols bgp group mnha_r0_b bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group mnha_r0_b bfd-liveness-detection multiplier 3
set protocols bgp group mnha_r0_b local-as 65000

Configuration

Step-by-Step Procedure

We're showing the configuration of SRX-1 in the step-by-step procedure.

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. Configure interfaces.

    [edit]
    user@host# set interfaces ge-0/0/3 description "trust" unit 0 family inet address 10.2.0.2/16
    user@host# set interfaces ge-0/0/4 description "untrust" unit 0 family inet address 10.4.0.1/16
    user@host# set interfaces ge-0/0/2 description "ha_link" unit 0 family inet address 10.22.0.1/24
    

    We're using the ge-0/0/3 and ge-0/0/4 interfaces to connect to the upstream and downstream routers, and the ge-0/0/2 interface to set up the ICL.

  2. Configure the loopback interfaces.

    [edit]
    user@host# set interfaces lo0 description "untrust" unit 0 family inet address 10.11.0.1/32
    

    The IP address (10.11.0.1) assigned to the loopback interface will be used as the floating IP address.

    Using the loopback interface ensures that at any given point, traffic from the adjacent routers will be steered toward the floating IP address (that is, toward the active node).

  3. Configure security zones, assign interfaces to the zones, and specify the allowed system services for the security zones.

    [edit]
    user@host# set security zones security-zone untrust host-inbound-traffic system-services ike
    user@host# set security zones security-zone untrust host-inbound-traffic system-services ping
    user@host# set security zones security-zone untrust host-inbound-traffic protocols bfd
    user@host# set security zones security-zone untrust host-inbound-traffic protocols bgp
    user@host# set security zones security-zone untrust interfaces ge-0/0/4
    user@host# set security zones security-zone untrust interfaces lo0.0
    user@host# set security zones security-zone trust host-inbound-traffic system-services all
    user@host# set security zones security-zone trust host-inbound-traffic protocols all
    user@host# set security zones security-zone trust interfaces ge-0/0/3
    user@host# set security zones security-zone halink host-inbound-traffic system-services ike
    user@host# set security zones security-zone halink host-inbound-traffic system-services ping
    user@host# set security zones security-zone halink host-inbound-traffic system-services high-availability
    user@host# set security zones security-zone halink host-inbound-traffic system-services ssh
    user@host# set security zones security-zone halink host-inbound-traffic protocols bfd
    user@host# set security zones security-zone halink host-inbound-traffic protocols bgp
    user@host# set security zones security-zone halink interfaces ge-0/0/2

    Assign the interfaces ge-0/0/3 and ge-0/0/4 the trust and untrust zones respectively. Assign the lo0.0 interface to the untrust zone to connect over the public IP network. Assign the interface ge-0/0/2 to the halink zone. You use this zone to set up the ICL.

  4. Configure routing options.

    [edit]
    user@host# set routing-options autonomous-system 65000
    user@host# set routing-options static route 10.1.0.0/16 next-hop 10.2.0.1
    user@host# set routing-options static route 10.6.0.0/16 next-hop 10.4.0.2
    user@host# set routing-options static route 10.111.0.1 next-hop 10.2.0.1
    user@host# set routing-options static route 10.111.0.2 next-hop 10.4.0.2
    
  5. Configure both local node and peer node details such as node ID, IP addresses of the local node and peer node, and the interface for the peer node.

    [edit]
    user@host# set chassis high-availability local-id 1
    user@host# set chassis high-availability local-id local-ip 10.22.0.1
    user@host# set chassis high-availability peer-id 2 peer-ip 10.22.0.2
    user@host# set chassis high-availability peer-id 2 interface ge-0/0/2.0
    user@host# set chassis high-availability peer-id 2 vpn-profile IPSEC_VPN_ICL
    

    You'll use the ge-0/0/2 interface for communicating with the peer node using the ICL.

  6. Attach the IPsec VPN profile IPSEC_VPN_ICL to the peer node.

    [edit]
    user@host# set chassis high-availability peer-id 2 vpn-profile IPSEC_VPN_ICL
    

    You'll need this configuration to establish a secure ICL link between the nodes.

  7. Configure Bidirectional Forwarding Detection (BFD) protocol options for the peer node.

    [edit]
    user@host# set chassis high-availability peer-id 2 liveness-detection minimum-interval 400
    user@host# set chassis high-availability peer-id 2 liveness-detection multiplier 5

  8. Associate the peer node ID 2 with the services redundancy group 0 (SRG0).

    [edit]
    user@host# set chassis high-availability services-redundancy-group 0 peer-id 2
    
  9. Configure the services redundancy group 1 (SRG1).

    [edit]
    user@host# set chassis high-availability services-redundancy-group 0 peer-id 2
    user@host# set chassis high-availability services-redundancy-group 1 deployment-type routing
    user@host# set chassis high-availability services-redundancy-group 1 peer-id 2

    In this step, you are specifying the deployment type as routing because you are setting up Multinode High Availability in a Layer 3 network.

  10. Set up activeness determination parameters for SRG1.

    [edit]
    user@host# set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip 10.111.0.1
    user@host# set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip 10.111.0.1 src-ip 10.11.0.1

    Use the floating IP address as the source IP address (10.11.0.1) and the IP address of the upstream router as the destination IP address (10.111.0.1) for the activeness determination probe.

    You can configure up to 64 IP addresses for IP monitoring and activeness probing. The limit of 64 is the sum of the number of IPv4 and IPv6 addresses.

  11. Configure BFD monitoring parameters for SRG1 to detect failures in the network.

    [edit]
    user@host# set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.4.0.2 src-ip 10.4.0.1
    user@host# set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.4.0.2 session-type singlehop
    user@host# set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.4.0.2 interface ge-0/0/4.0

  12. Configure an active signal route required for activeness enforcement.

    [edit]
    user@host# set chassis high-availability services-redundancy-group 1 active-signal-route 10.39.1.1
    user@host# set chassis high-availability services-redundancy-group 1 backup-signal-route 10.39.1.2
    user@host# set chassis high-availability services-redundancy-group 1 preemption
    user@host# set chassis high-availability services-redundancy-group 1 activeness-priority 200
    
    In this step, the active SRX Series Firewall creates the route with IP address 10.39.1.1 and the backup SRX Series Firewall creates the route with IP address 10.39.1.2, depending on the configuration. In this example, the policy on SRX-1 matches on 10.39.1.1 (since it's active) and advertises static/direct routes with a metric of 10, making them preferred. The policy on SRX-2 matches on 10.39.1.2 (since it's backup) and advertises static/direct routes with a metric of 20, making them less preferred.

    The active signal route IP address you assign is used for route preference advertisement.

    Note: You must specify the active signal route along with the route-exists policy in the policy-options statement. When you configure the active-signal-route with if-route-exists condition, the HA module adds this route to the routing table.
  13. Configure policy options.

    [edit]
    user@host# set policy-options condition active_route_exists if-route-exists address-family inet 10.39.1.1 table inet.0
    user@host# set policy-options condition backup_route_exists if-route-exists address-family inet 10.39.1.2 table inet.0
    user@host# set policy-options policy-statement mnha-route-policy term 1 from protocol static
    user@host# set policy-options policy-statement mnha-route-policy term 1 from protocol direct
    user@host# set policy-options policy-statement mnha-route-policy term 1 from condition active_route_exists
    user@host# set policy-options policy-statement mnha-route-policy term 1 then accept metric 10
    user@host# set policy-options policy-statement mnha-route-policy term 2 from protocol static
    user@host# set policy-options policy-statement mnha-route-policy term 2 from protocol direct
    user@host# set policy-options policy-statement mnha-route-policy term 2 from condition backup_route_exists
    user@host# set policy-options policy-statement mnha-route-policy term 2 then accept metric 20
    user@host# set policy-options policy-statement mnha-route-policy term 3 from protocol static
    user@host# set policy-options policy-statement mnha-route-policy term 3 from protocol direct
    user@host# set policy-options policy-statement mnha-route-policy term 3 then accept metric 30
    user@host# set policy-options policy-statement mnha-route-policy term default then reject
    

    Configure the active signal route 10.39.1.1 with the route match condition (if-route-exists).

  14. Configure the security policy.

    [edit]
    user@host# set security policies default-policy permit-all

    Ensure you have configured security policies as per your network requirements.

  15. Define Internet Key Exchange (IKE) configuration for Multinode High Availability. An IKE configuration defines the algorithms and keys used to establish a secure connection.

    [edit]
    user@host# set security ike proposal MNHA_IKE_PROP description mnha_link_encr_tunnel
    user@host# set security ike proposal MNHA_IKE_PROP authentication-method pre-shared-keys
    user@host# set security ike proposal MNHA_IKE_PROP dh-group group14
    user@host# set security ike proposal MNHA_IKE_PROP authentication-algorithm sha-256
    user@host# set security ike proposal MNHA_IKE_PROP encryption-algorithm aes-256-cbc
    user@host# set security ike proposal MNHA_IKE_PROP lifetime-seconds 3600
    user@host# set security ike policy MNHA_IKE_POL description mnha_link_encr_tunnel
    user@host# set security ike policy MNHA_IKE_POL proposals MNHA_IKE_PROP 
    user@host# set security ike policy MNHA_IKE_POL pre-shared-key ascii-text "$ABC123"
    user@host# set security ike gateway MNHA_IKE_GW ike-policy MNHA_IKE_POL 
    user@host# set security ike gateway MNHA_IKE_GW version v2-only
    

    For the Multinode High Availability feature, you must configure the IKE version as v2-only.

  16. Specify the IPsec proposal protocol and encryption algorithm. Specify IPsec options to create an IPsec tunnel between the two participating devices to secure VPN communication.

    [edit]
    user@host# set security ipsec proposal MNHA_IPSEC_PROP description mnha_link_encr_tunnel
    user@host# set security ipsec proposal MNHA_IPSEC_PROP protocol esp
    user@host# set security ipsec proposal MNHA_IPSEC_PROP encryption-algorithm aes-256-gcm
    user@host# set security ipsec proposal MNHA_IPSEC_PROP lifetime-seconds 3600
    user@host# set security ipsec policy MNHA_IPSEC_POL description mnha_link_encr_tunnel
    user@host# set security ipsec policy MNHA_IPSEC_POL proposals MNHA_IPSEC_PROP
    user@host# set security ipsec vpn IPSEC_VPN_ICL ha-link-encryption
    user@host# set security ipsec vpn IPSEC_VPN_ICL ike gateway MNHA_IKE_GW
    user@host# set security ipsec vpn IPSEC_VPN_ICL ike ipsec-policy MNHA_IPSEC_POL
    Specifying the ha-link-encryption option encrypts the ICL to secure high availability traffic flow between the nodes.

    The same VPN name, IPSEC_VPN_ICL, must be specified as the vpn-profile in the chassis high-availability configuration.

  17. Configure the BGP peering sessions with BFD liveness detection and specify the detection timers.

    [edit]
    user@host# set protocols bgp group trust type internal
    user@host# set protocols bgp group trust local-address 10.2.0.2
    user@host# set protocols bgp group trust export mnha-route-policy
    user@host# set protocols bgp group trust neighbor 10.2.0.1
    user@host# set protocols bgp group trust bfd-liveness-detection minimum-interval 500
    user@host# set protocols bgp group trust bfd-liveness-detection minimum-receive-interval 500
    user@host# set protocols bgp group trust bfd-liveness-detection multiplier 3
    user@host# set protocols bgp group trust local-as 65000
    user@host# set protocols bgp group untrust type internal
    user@host# set protocols bgp group untrust local-address 10.4.0.1
    user@host# set protocols bgp group untrust export mnha-route-policy
    user@host# set protocols bgp group untrust neighbor 10.4.0.2
    user@host# set protocols bgp group untrust bfd-liveness-detection minimum-interval 500
    user@host# set protocols bgp group untrust bfd-liveness-detection minimum-receive-interval 500
    user@host# set protocols bgp group untrust bfd-liveness-detection multiplier 3
    user@host# set protocols bgp group untrust local-as 

Configuration Option for Software Upgrades (Optional)

In Multinode High Availability, during software upgrades, you can divert traffic by changing the route. Use the following steps to add the install-route-on-failure configuration. With this configuration, traffic can still pass through the node and the interface remains up.

See Software Upgrade in Multinode High Availability for details.

  1. Create a dedicated custom virtual router for the route used for diverting traffic during the upgrade.

    user@host# set routing-instances MNHA-signal-routes instance-type virtual-router
  2. Configure the install-on-failure route statement for SRG0.

    user@host# set chassis high-availability services-redundancy-group 0 install-on-failure-route 10.39.1.3 routing-instance MNHA-signal-routes
    user@host# set chassis high-availability services-redundancy-group 1 active-signal-route 10.39.1.1 routing-instance MNHA-signal-routes
    user@host# set chassis high-availability services-redundancy-group 1 backup-signal-route 10.39.1.2 routing-instance MNHA-signal-routes

    When the node fails, the route specified in the statement is installed in the routing table.

  3. Create a matching routing policy that refers to the route as a condition with the if-route-exists attribute.

    Example: The following configuration snippets show the route 10.39.1.3 configured for SRG0 as the install-on-failure route. The routing policy includes the route 10.39.1.3 as the if-route-exists condition, and the policy statement refers to that condition in one of its matching terms.

    user@host# set policy-options condition active_route_exists if-route-exists address-family inet 10.39.1.1/32
    user@host# set policy-options condition active_route_exists if-route-exists address-family inet table MNHA-signal-routes.inet.0
    user@host# set policy-options condition backup_route_exists if-route-exists address-family inet 10.39.1.2/32
    user@host# set policy-options condition backup_route_exists if-route-exists address-family inet table MNHA-signal-routes.inet.0
    user@host# set policy-options condition failure_route_exists if-route-exists address-family inet 10.39.1.3/32
    user@host# set policy-options condition failure_route_exists if-route-exists address-family inet table MNHA-signal-routes.inet.0
    user@host# set policy-options policy-statement mnha-route-policy term 4 from protocol static
    user@host# set policy-options policy-statement mnha-route-policy term 4 from protocol direct
    user@host# set policy-options policy-statement mnha-route-policy term 4 from condition failure_route_exists
    user@host# set policy-options policy-statement mnha-route-policy term 4 then metric 100
    user@host# set policy-options policy-statement mnha-route-policy term 4 then accept
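The following Python model is an added illustration, not part of the Juniper example or Junos itself. It evaluates the mnha-route-policy from steps 12 and 13 (plus the optional term 4 above) with first-match semantics against constructed routing-table states, showing the metric each node advertises before and after a failover and why the position of term 4 relative to term 3 matters; node names, roles and table contents are assumptions mirroring this example.

```python
from dataclasses import dataclass
from typing import Optional

# if-route-exists conditions from step 13 plus the optional upgrade section:
# condition name -> (signal-route prefix, routing table it must be present in)
CONDITIONS = {
    "active_route_exists": ("10.39.1.1/32", "inet.0"),
    "backup_route_exists": ("10.39.1.2/32", "inet.0"),
    "failure_route_exists": ("10.39.1.3/32", "MNHA-signal-routes.inet.0"),
}

STATIC_DIRECT = frozenset({"static", "direct"})


@dataclass(frozen=True)
class Term:
    name: str
    protocols: frozenset          # 'from protocol' match; empty = any protocol
    condition: Optional[str]      # 'from condition' name, or None
    metric: Optional[int]         # 'then accept metric N'; None = reject


# mnha-route-policy exactly as listed in step 13 (terms 1-3, then reject).
MNHA_ROUTE_POLICY = [
    Term("1", STATIC_DIRECT, "active_route_exists", 10),
    Term("2", STATIC_DIRECT, "backup_route_exists", 20),
    Term("3", STATIC_DIRECT, None, 30),
    Term("default", frozenset(), None, None),
]

# Term 4 from the optional software-upgrade section: metric 100 when the
# install-on-failure route 10.39.1.3 is present in MNHA-signal-routes.inet.0.
TERM_4 = Term("4", STATIC_DIRECT, "failure_route_exists", 100)


def evaluate(policy, protocol, tables):
    """First-match evaluation: return (term name, metric) for the first term
    whose protocol and condition both match; a metric of None means reject.
    `tables` maps a table name to the set of prefixes installed in it."""
    for term in policy:
        if term.protocols and protocol not in term.protocols:
            continue
        if term.condition is not None:
            prefix, table = CONDITIONS[term.condition]
            if prefix not in tables.get(table, set()):
                continue
        return term.name, term.metric
    return "default", None


def node_tables(role):
    """Constructed inet.0 contents for an SRG1 role: the HA module installs
    only the signal route matching the node's role (see 'Signal Route Info')."""
    signal = {"active": "10.39.1.1/32", "backup": "10.39.1.2/32"}[role]
    return {"inet.0": {signal}}


def advertised_metrics(roles):
    """roles: {node: 'active' | 'backup'} -> {node: metric that node attaches
    to a static route when exporting it through mnha-route-policy}."""
    return {node: evaluate(MNHA_ROUTE_POLICY, "static", node_tables(role))[1]
            for node, role in roles.items()}


def preferred_node(metrics):
    """The adjacent routers prefer the lower metric, so the active node wins."""
    return min(metrics, key=metrics.get)


def failover(roles):
    """Swap SRG1 roles: the signal routes move with activeness."""
    return {n: ("backup" if r == "active" else "active") for n, r in roles.items()}


if __name__ == "__main__":
    roles = {"SRX-1": "active", "SRX-2": "backup"}
    before = advertised_metrics(roles)
    after = advertised_metrics(failover(roles))
    print("before failover:", before, "preferred:", preferred_node(before))
    print("after failover: ", after, "preferred:", preferred_node(after))
    # Ordering check: term 3 accepts every static/direct route unconditionally,
    # so a term 4 placed after it is never reached under first-match evaluation.
    upgrade_tables = {"MNHA-signal-routes.inet.0": {"10.39.1.3/32"}}
    appended = MNHA_ROUTE_POLICY[:3] + [TERM_4] + MNHA_ROUTE_POLICY[3:]
    inserted = MNHA_ROUTE_POLICY[:2] + [TERM_4] + MNHA_ROUTE_POLICY[2:]
    print("term 4 after term 3: ", evaluate(appended, "static", upgrade_tables))
    print("term 4 before term 3:", evaluate(inserted, "static", upgrade_tables))
```

Confirm the actual term order on the device with show policy-options, since the metric 100 term is only effective when it precedes term 3.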

Results (SRX-1)

From configuration mode, confirm your configuration by entering the following commands.

If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show chassis high-availability
local-id 1 local-ip 10.22.0.1;
peer-id 2 {
    peer-ip 10.22.0.2;
    interface ge-0/0/2.0;
    vpn-profile IPSEC_VPN_ICL;
    liveness-detection {
        minimum-interval 400;
        multiplier 5;
    }
}
services-redundancy-group 0 {
    peer-id {
        2;
    }
}
services-redundancy-group 1 {
    deployment-type routing;
    peer-id {
        2;
    }
    activeness-probe {
        dest-ip {
            10.111.0.1;
            src-ip 10.11.0.1;
        }
    }
    monitor {
        bfd-liveliness 10.4.0.2 {
            src-ip 10.4.0.1;
            session-type singlehop;
            interface ge-0/0/4.0;
        }
    }
    active-signal-route {
        10.39.1.1;
    }
    backup-signal-route {
        10.39.1.2;
    }
    preemption;
    activeness-priority 200;
}
[edit]
user@host# show security ike
proposal MNHA_IKE_PROP  {
    description mnha_link_encr_tunnel;
    authentication-method pre-shared-keys;
    dh-group group14;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 3600;
}
policy MNHA_IKE_POL  {
    description mnha_link_encr_tunnel;
    proposals MNHA_IKE_PROP ;
    pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway MNHA_IKE_GW {
    ike-policy MNHA_IKE_POL ;
    version v2-only;
}

[edit]
user@host# show security ipsec
proposal MNHA_IPSEC_PROP {
    description mnha_link_encr_tunnel;
    protocol esp;
    encryption-algorithm aes-256-gcm;
    lifetime-seconds 3600;
}
policy MNHA_IPSEC_POL {
    description mnha_link_encr_tunnel;
    proposals MNHA_IPSEC_PROP;
}
vpn IPSEC_VPN_ICL {
    ha-link-encryption;
    ike {
        gateway MNHA_IKE_GW;
        ipsec-policy MNHA_IPSEC_POL;
    }
}
[edit]
user@host# show policy-options
policy-statement mnha-route-policy {
    term 1 {
        from {
            protocol [ static direct ];
            condition active_route_exists;
        }
        then {
            metric 10;
            accept;
        }
    }
    term 2 {
        from {
            protocol [ static direct ];
            condition backup_route_exists;
        }
        then {
            metric 20;
            accept;
        }
    }
    term 3 {
        from protocol [ static direct ];
        then {
            metric 30;
            accept;
        }
    }
    term default {
        then reject;
    }
}
condition active_route_exists {
    if-route-exists {
        address-family {
            inet {
                10.39.1.1/32;
                table inet.0;
            }
        }
    }
}
condition backup_route_exists {
    if-route-exists {
        address-family {
            inet {
                10.39.1.2/32;
                table inet.0;
            }
        }
    }
}

[edit]
user@host# show routing-options
autonomous-system 65000;
static {
    route 10.1.0.0/16 next-hop 10.2.0.1;
    route 10.6.0.0/16 next-hop 10.4.0.2;
    route 10.111.0.1/32 next-hop 10.2.0.1;
    route 10.111.0.2/32 next-hop 10.4.0.2;
}
[edit]
user@host# show security zones security-zone
   security-zone untrust {
    host-inbound-traffic {
        system-services {
            ike;
            ping;
        }
        protocols {
            bfd;
            bgp;
        }
    }
    interfaces {
        ge-0/0/4.0;
        lo0.0;
    }
}
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/3.0;
    }
}
security-zone halink {
    host-inbound-traffic {
        system-services {
            ike;
            ping;
            high-availability;
            ssh;
        }
        protocols {
            bfd;
            bgp;
        }
    }
    interfaces {
        ge-0/0/2.0;
    }
}
 
[edit]
user@host# show interfaces
ge-0/0/2 {
    description ha_link;
    unit 0 {
        family inet {
            address 10.22.0.1/24;
        }
    }
}
ge-0/0/3 {
    description trust;
    unit 0 {
        family inet {
            address 10.2.0.2/16;
        }
    }
}
ge-0/0/4 {
    description untrust;
    unit 0 {
        family inet {
            address 10.4.0.1/16;
        }
    }
}
lo0 {
    description untrust;
    unit 0 {
        family inet {
            address 10.11.0.1/32;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Results (SRX-2)

From configuration mode, confirm your configuration by entering the following commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show chassis high-availability
local-id 2 local-ip 10.22.0.2;
peer-id 1 {
    peer-ip 10.22.0.1;
    interface ge-0/0/2.0;
    vpn-profile IPSEC_VPN_ICL;
    liveness-detection {
        minimum-interval 400;
        multiplier 5;
    }
}
services-redundancy-group 0 {
    peer-id {
        1;
    }
}
services-redundancy-group 1 {
    deployment-type routing;
    peer-id {
        1;
    }
    activeness-probe {
        dest-ip {
            10.111.0.1;
            src-ip 10.11.0.1;
        }
    }
    monitor {
        bfd-liveliness 10.5.0.2 {
            src-ip 10.5.0.1;
            session-type singlehop;
            interface ge-0/0/4.0;
        }
    }
    active-signal-route {
        10.39.1.1;
    }
    backup-signal-route {
        10.39.1.2;
    }
    activeness-priority 1;
}
[edit]
user@host# show security ike
proposal MNHA_IKE_PROP  {
    description mnha_link_encr_tunnel;
    authentication-method pre-shared-keys;
    dh-group group14;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 3600;
}
policy MNHA_IKE_POL  {
    description mnha_link_encr_tunnel;
    proposals MNHA_IKE_PROP ;
    pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway MNHA_IKE_GW {
    ike-policy MNHA_IKE_POL ;
    version v2-only;
}
[edit]
user@host# show security ipsec
proposal MNHA_IPSEC_PROP {
    description mnha_link_encr_tunnel;
    protocol esp;
    encryption-algorithm aes-256-gcm;
    lifetime-seconds 3600;
}
policy MNHA_IPSEC_POL {
    description mnha_link_encr_tunnel;
    proposals MNHA_IPSEC_PROP;
}
vpn IPSEC_VPN_ICL {
    ha-link-encryption;
    ike {
        gateway MNHA_IKE_GW;
        ipsec-policy MNHA_IPSEC_POL;
    }
}
[edit]
user@host# show policy-options

route-filter-list loopback {
    10.11.0.0/24 orlonger;
}
route-filter-list ipsec {
    10.6.0.0/16 orlonger;
}
policy-statement mnha-route-policy {
    term 1 {
        from {
            protocol [ static direct ];
            condition active_route_exists;
        }
        then {
            metric 10;
            accept;
        }
    }
    term 2 {
        from {
            protocol [ static direct ];
            condition backup_route_exists;
        }
        then {
            metric 20;
            accept;
        }
    }
    term 3 {
        from protocol [ static direct ];
        then {
            metric 35;
            accept;
        }
    }
    term default {
        then reject;
    }
}
condition active_route_exists {
    if-route-exists {
        address-family {
            inet {
                10.39.1.1/32;
                table inet.0;
            }
        }
    }
}
condition backup_route_exists {
    if-route-exists {
        address-family {
            inet {
                10.39.1.2/32;
                table inet.0;
            }
        }
    }
}
[edit]
user@host# show routing-options
autonomous-system 65000;
static {
    route 10.1.0.0/16 next-hop 10.3.0.1;
    route 10.6.0.0/16 next-hop 10.5.0.2;
    route 10.111.0.1/32 next-hop 10.3.0.1;
    route 10.111.0.2/32 next-hop 10.5.0.2;
}
[edit]
user@host# show security zones 
    security-zone untrust {
    host-inbound-traffic {
        system-services {
            ike;
            ping;
        }
        protocols {
            bfd;
            bgp;
        }
    }
    interfaces {
        ge-0/0/4.0;
        lo0.0;
    }
}
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/3.0;
    }
}
security-zone halink {
    host-inbound-traffic {
        system-services {
            ike;
            ping;
            high-availability;
            ssh;
        }
        protocols {
            bfd;
            bgp;
        }
    }
    interfaces {
        ge-0/0/2.0;
    }
}
[edit]
user@host# show interfaces
ge-0/0/2 {
    description ha_link;
    unit 0 {
        family inet {
            address 10.22.0.2/24;
        }
    }
}
ge-0/0/3 {
    description trust;
    unit 0 {
        family inet {
            address 10.3.0.2/16;
        }
    }
}
ge-0/0/4 {
    description untrust;
    unit 0 {
        family inet {
            address 10.5.0.1/16;
        }
    }
}
lo0 {
    description untrust;
    unit 0 {
        family inet {
            address 10.11.0.1/32;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

On your security devices, you'll get the following message that asks you to reboot the device:
user@host# commit
warning: High Availability Mode changed, please reboot the device to avoid undesirable behavior
commit complete

Verification

Confirm that the configuration is working properly.

Check Multinode High Availability Details

Purpose

View and verify the details of the Multinode High Availability setup configured on your security device.

Action

From operational mode, run the following command:

On SRX-1

user@host> show chassis high-availability information 
Node failure codes:
    HW  Hardware monitoring    LB  Loopback monitoring
    MB  Mbuf monitoring        SP  SPU monitoring
    CS  Cold Sync monitoring   SU  Software Upgrade

Node Status: ONLINE
Local-id: 1
Local-IP: 10.22.0.1
HA Peer Information:

    Peer Id: 2        IP address: 10.22.0.2     Interface: ge-0/0/2.0
    Routing Instance: default
    Encrypted: YES    Conn State: UP
    Cold Sync Status: COMPLETE

Services Redundancy Group: 0
        Current State: ONLINE
        Peer Information:
          Peer Id: 2

SRG failure event codes:
    BF  BFD monitoring
    IP  IP monitoring
    IF  Interface monitoring
    CP  Control Plane monitoring

Services Redundancy Group: 1
        Deployment Type: ROUTING
        Status: ACTIVE
        Activeness Priority: 200
        Preemption: ENABLED
        Process Packet In Backup State: NO
        Control Plane State: READY
        System Integrity Check: N/A
        Failure Events: NONE
        Peer Information:
          Peer Id: 2
          Status : BACKUP
          Health Status: HEALTHY
          Failover Readiness: READY
             

On SRX-2

user@host> show chassis high-availability information 
Node failure codes:
    HW  Hardware monitoring    LB  Loopback monitoring
    MB  Mbuf monitoring        SP  SPU monitoring
    CS  Cold Sync monitoring   SU  Software Upgrade

Node Status: ONLINE
Local-id: 2
Local-IP: 10.22.0.2
HA Peer Information:

    Peer Id: 1        IP address: 10.22.0.1     Interface: ge-0/0/2.0
    Routing Instance: default
    Encrypted: YES    Conn State: UP
    Cold Sync Status: COMPLETE

Services Redundancy Group: 0
        Current State: ONLINE
        Peer Information:
          Peer Id: 1

SRG failure event codes:
    BF  BFD monitoring
    IP  IP monitoring
    IF  Interface monitoring
    CP  Control Plane monitoring

Services Redundancy Group: 1
        Deployment Type: ROUTING
        Status: BACKUP
        Activeness Priority: 1
        Preemption: DISABLED
        Process Packet In Backup State: NO
        Control Plane State: READY
        System Integrity Check: COMPLETE
        Failure Events: NONE
        Peer Information:
          Peer Id: 1
          Status : ACTIVE
          Health Status: HEALTHY
          Failover Readiness: N/A

Meaning

Verify these details from the command output:

  • Local node and peer node details such as IP address and ID.

  • The field Encrypted: YES indicates that the traffic is protected.

  • The field Deployment Type: ROUTING indicates a Layer 3 mode configuration—that is, the network has routers on both sides.

  • The field Services Redundancy Group: 1 indicates the status of the SRG1 (ACTIVE or BACKUP) on that node.

Check Multinode High Availability Peer Node Status

Purpose

View and verify the peer node details.

Action

From operational mode, run the following command:

SRX-1

user@host> show chassis high-availability peer-info 
HA Peer Information:

   Peer-ID: 2        IP address: 10.22.0.2     Interface: ge-0/0/2.0
   Routing Instance: default
   Encrypted: YES    Conn State: UP
   Cold Sync Status: COMPLETE
   Internal Interface: st0.16000
   Internal Local-IP: 180.100.1.1
   Internal Peer-IP: 180.100.1.2
   Internal Routing-instance: __juniper_private1__
Packet Statistics:
        Receive Error : 0        Send Error : 0

        Packet-type            Sent       Received

        SRG Status Msg           4           4

        SRG Status Ack            4           3

        Attribute Msg             4           2

        Attribute Ack             2           2

            

SRX-2

user@host> show chassis high-availability peer-info 
HA Peer Information:

   Peer-ID: 1        IP address: 10.22.0.1     Interface: ge-0/0/2.0
   Routing Instance: default
   Encrypted: YES    Conn State: UP
   Cold Sync Status: COMPLETE
   Internal Interface: st0.16000
   Internal Local-IP: 180.100.1.2
   Internal Peer-IP: 180.100.1.1
   Internal Routing-instance: __juniper_private1__
Packet Statistics:
        Receive Error : 0        Send Error : 0

        Packet-type            Sent       Received

        SRG Status Msg           4           3

        SRG Status Ack            3           4

        Attribute Msg             3           2

        Attribute Ack             2           2


            

Meaning

Verify these details from the command output:

  • Peer node details such as interface used, IP address, and ID

  • Encryption status, connection status, and cold synchronization status

  • Packet statistics across the node.

Check Multinode High Availability Service Redundancy Groups

Purpose

Verify that the SRGs are configured and working correctly.

Action

From operational mode, run the following command:

For SRG0:

user@host> show chassis high-availability services-redundancy-group 0
Services Redundancy Group: 0
        Current State: ONLINE
        Peer Information:
          Peer Id: 2

For SRG1:

user@host> show chassis high-availability services-redundancy-group 1  
SRG failure event codes:
    BF  BFD monitoring
    IP  IP monitoring
    IF  Interface monitoring
    CP  Control Plane monitoring

Services Redundancy Group: 1
        Deployment Type: ROUTING
        Status: ACTIVE
        Activeness Priority: 200
        Preemption: ENABLED
        Process Packet In Backup State: NO
        Control Plane State: READY
        System Integrity Check: N/A
        Failure Events: NONE
        Peer Information:
          Peer Id: 2
          Status : BACKUP
          Health Status: HEALTHY
          Failover Readiness: READY

        Signal Route Info:
          Active Signal Route:
          IP: 10.39.1.1
          Routing Instance: default
          Status: INSTALLED

          Backup Signal Route:
          IP: 10.39.1.2
          Routing Instance: default
          Status: NOT INSTALLED

        Split-brain Prevention Probe Info:
          DST-IP: 10.111.0.1
          SRC-IP: 10.11.0.1
          Routing Instance: default
          Status: NOT RUNNING
          Result: N/A           Reason: N/A


        BFD Monitoring:
          Status: UP

          SRC-IP: 10.4.0.1     DST-IP: 10.4.0.2
          Routing Instance: default
          Type: SINGLE-HOP
              IFL Name: ge-0/0/4.0
          State: UP

Meaning

Verify these details from the command output:

  • Peer node details such as deployment type, status, and active and backup signal routes.

  • Virtual IP Information such as IP address and virtual MAC address.

  • IP monitoring and BFD monitoring status.

Verify the Multinode High Availability Status Before and After Failover

Purpose

Check the change in node status before and after failover in a Multinode High Availability setup.

Action

To check the Multinode High Availability status on the backup node (SRX-2), run the following command from operational mode:

user@host> show chassis high-availability information
Node failure codes:
    HW  Hardware monitoring    LB  Loopback monitoring
    MB  Mbuf monitoring        SP  SPU monitoring
    CS  Cold Sync monitoring   SU  Software Upgrade

Node Status: ONLINE
Local-id: 2
Local-IP: 10.22.0.2
HA Peer Information:

    Peer Id: 1        IP address: 10.22.0.1     Interface: ge-0/0/2.0
    Routing Instance: default
    Encrypted: YES    Conn State: UP
    Cold Sync Status: COMPLETE

Services Redundancy Group: 0
        Current State: ONLINE
        Peer Information:
          Peer Id: 1

SRG failure event codes:
    BF  BFD monitoring
    IP  IP monitoring
    IF  Interface monitoring
    CP  Control Plane monitoring

Services Redundancy Group: 1
        Deployment Type: ROUTING
        Status: BACKUP
        Activeness Priority: 1
        Preemption: DISABLED
        Process Packet In Backup State: NO
        Control Plane State: READY
        System Integrity Check: COMPLETE
        Failure Events: NONE
        Peer Information:
          Peer Id: 1
          Status : ACTIVE
          Health Status: HEALTHY
          Failover Readiness: N/A

Under the Services Redundancy Group: 1 section, you can see the Status: BACKUP field. This field value indicates that the status of SRG 1 is backup.

Initiate a failover on the active node (SRX-1) and run the command again on the former backup node (SRX-2).

user@host> show chassis high-availability information
Node failure codes:
    HW  Hardware monitoring    LB  Loopback monitoring
    MB  Mbuf monitoring        SP  SPU monitoring
    CS  Cold Sync monitoring   SU  Software Upgrade

Node Status: ONLINE
Local-id: 2
Local-IP: 10.22.0.2
HA Peer Information:

    Peer Id: 1        IP address: 10.22.0.1     Interface: ge-0/0/2.0
    Routing Instance: default
    Encrypted: YES    Conn State: DOWN
    Cold Sync Status: IN PROGRESS

Services Redundancy Group: 0
        Current State: ONLINE
        Peer Information:
          Peer Id: 1

SRG failure event codes:
    BF  BFD monitoring
    IP  IP monitoring
    IF  Interface monitoring
    CP  Control Plane monitoring

Services Redundancy Group: 1
        Deployment Type: ROUTING
        Status: ACTIVE
        Activeness Priority: 1
        Preemption: DISABLED
        Process Packet In Backup State: NO
        Control Plane State: READY
        System Integrity Check: N/A
        Failure Events: NONE
        Peer Information:
          Peer Id: 1
          Status : BACKUP
          Health Status: HEALTHY
          Failover Readiness: READY

Note that under the Services Redundancy Group: 1 section, the status of SRG1 has changed from BACKUP to ACTIVE.

You can also see peer node details under the Peer Information section. The output shows the status of peer as BACKUP.
