Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Announcement: Try the Ask AI chatbot for answers to your technical questions about Juniper products and solutions.

close
header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Explore events
AINN AI Innovation Impact Virtual Event

AI-Native NOW: AI Innovation and Impact

Register NOW
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Explore Pathfinder Apps
CLI Explorer
Feature Explorer
Hardware Compatibility Tool
Port Checker
Browse All
Collapse

Pathfinder Apps

All

By Software

By Hardware

Learn More
Pathfinder HomeCLI ExplorerCompliance AdvisorFeature ExplorerHardware Compatibility ToolJunos XML API ExplorerJunos YANG Data Model ExplorerPort CheckerPower CalculatorSNMP MIB ExplorerSystem Log Explorer
CLI ExplorerFeature ExplorerJunos XML API ExplorerJunos YANG Data Model ExplorerSNMP MIB ExplorerSystem Log Explorer
Compliance AdvisorFeature ExplorerHardware Compatibility ToolPort CheckerPower Calculator
Home Documentation Junos OS High Availability User Guide Multinode High Availability

High Availability User Guide

keyboard_arrow_up
close
keyboard_arrow_left
High Availability User Guide
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Multinode High Availability in AWS Deployments

date_range 15-Apr-25
arrow_backward
arrow_forward

Read this topic to understand Multinode High Availability support for vSRX Virtual Firewall instances in Amazon Web Services (AWS) deployments.

Multinode High Availability in AWS

You can configure Multinode High Availability on the vSRX Virtual Firewall firewalls deployed on AWS. Participating nodes run both active control and data planes at the same time and the nodes backup each other to ensure a fast synchronized failover in case of system or hardware failure. The interchassis link (ICL) connection between the two devices synchronizes and maintains the state information and handles device failover scenarios.

Let's begin by getting familiar with the Multinode High Availability terms specific to the AWS deployment.

Terminology

Term Description

Elastic IP address

 Public IPv4 address that is routable from a specified network or from the Internet. Elastic IP addresses are dynamically bound to an interface of any node in a Multinode High Availability setup. At any given time, these addresses are bound to only one interface and are also bound to the same node. The Multinode High Availability setup uses Elastic IP addresses to control the traffic in AWS deployments. Elastic IP address acts similar to floating IP address in the Layer 3 deployment or a virtual IP address as in the default gateway deployment. The node with an active SRG1 owns the Elastic IP address and draws the traffic toward it.

Interchassis link (ICL)

IP-based link (logical link) that connects nodes over a routed network in a Multinode High Availability system. The security device uses the ICL to synchronize and maintain the state information and to handle device failover scenarios. You can use only the ge-0/0/0 interface to configure an ICL. The ICL uses the MAC address assigned by AWS (not the virtual MAC created by vSRX Virtual Firewall). When you configure the ICL, ensure that the IP address is a subnet of of the virtual private cloud (VPC). Note that Multibode High Availability does not support cross-VPC deployment
Juniper Services Redundancy Protocol (jsrpd) process

Process that manages activeness determination and enforcement, and provide split-brain protection.

IPsec VPN Support

Starting in Junos OS Release 24.4R1, we support IPsec VPN for active/backup Multinode High Availability in AWS deployments.

Limitation

Multinode High Availability doesn’t support multiple SRG configurations (active/active) in public cloud deployments. Active/backup mode supports SRG0 and SRG1. IPsec VPN tunnel anchors at the SRG1, which works in a stateful active/backup mode. All VPN tunnels terminate on the device where the SRG1 is active.

Architecture

Figure 1 shows two vSRX Virtual Firewall instances form an HA pair in the Multinode High Availability deployment in AWS. One vSRX Virtual Firewall instance acts as the active node and the other as the backup node.

Figure 1: Public Cloud DeploymentPublic Cloud Deployment

In a Multinode High Availability setup, an ICL connects the two nodes (vSRX Virtual Firewall instances) and helps synchronize the control-plane and data-plane states.

In Multinode High Availability setup, two vSRX Virtual Firewall instances are operating in active/backup mode. Both nodes connect to each other using an ICL for synchronizing control and data plane states. The vSRX Virtual Firewall instance on which the SRG1 is active hosts the Elastic IP address. The active node steers traffic toward it using the Elastic IP address. The backup node remains in standby mode and takes over on failover.

The Juniper Services Redundancy Protocol (jsrpd) process communicates with the AWS infrastructure to perform activeness determination and enforcement and provides split-brain protection.

During a failover, the Elastic IP address moves from the old active node to the new active node by triggering the AWS SDK API and draws traffic toward the new active node. AWS updates the route tables to divert the traffic to the new active node. This mechanism enables clients to communicate with the nodes using a single IP address. You configure the Elastic IP address on the interface that connects to participating networks/segments.

Split-Brain Protection

When the ICL between two nodes goes down, each node starts pinging to the peer node’s interface IP address using the probes. If the peer node is healthy, it responds to the probes. Otherwise, the jsrpd process communicates with the AWS infrastructure to enforce the active role for the healthy node.

Example: Configure Multinode High Availability in AWS Deployment

In this example, we'll show you how to configure Multinode High Availability on two vSRX Virtual Firewall instances in the Amazon Virtual Private Cloud (Amazon VPC).

Requirements

This example uses the following components:

Topology

Figure 2 shows the topology used in this example.

Figure 2: Multinode High Availability in AWS DeploymentMultinode High Availability in AWS Deployment

As shown in the topology, two vSRX Virtual Firewall instances (vSRX Virtual Firewall-1 and vSRX Virtual Firewall-2) are deployed in the Amazon VPC. The nodes communicate with each other using a routable IP address (Elastic IP address). The untrust side connects to a public network while the trust side connects to the protected resources.

Complete the following configurations before configuring Multinode High Availability on the vSRX Virtual Firewall instances:

  • Use instance tag in AWS to identify the two vSRX Virtual Firewall instances as Multinode High Availability peers. For example, you can use vsrx-node-1 as the name of one peer (Name option) and vsrx-node-2 as the HA peer (ha-peer option).

  • Deploy both vSRX Virtual Firewall instances in the same Amazon VPC and availability zone.
  • Assign IAM role for both the vSRX Virtual Firewall instances and launch vSRX Virtual Firewall instances as a Amazon Elastic Compute Cloud (EC2) instance with full permissions.
  • Enable communication to the Internet by placing vSRX Virtual Firewall instances in the public subnet. In the Amazon VPC, public subnets have access to the Internet gateway.
  • Configure a VPC with multiple subnets to host the high availability pair. The subnets are used to connect the two vSRX Virtual Firewall nodes using a logical connection (similar to the physical cable connecting ports). In this example, we have defined CIDR for VPC as 10.0.0.0/16, and created a total of four subnets to host the vSRX Virtual Firewall traffic. You need a minimum of four interfaces for both vSRX Virtual Firewall instances. Table 1 provides the subnet and interface details.
    Table 1: Subnets Configurations
    Function Port Number Interface Connection Traffic Type Subnet
    Management 0 fxp0 Management interface Management traffic 10.0.254.0/24
    ICL 1 ge-0/0/0 ICL to peer node RTO, sync, and probes-related traffic 10.0.253.0/24
    Public 2 ge-0/0/1 Connect to public network. (Revenue interface) External traffic 10.0.1.0/24
    Private 3 ge-0/0/2 Connect to private network. (Revenue interface) Internal traffic 10.0.2.0/24

    Note that the interface mapping with functionality mentioned in the table is for default configuration. We recommend to use the same mapping in the configuration.

  • Configure interfaces with primary and secondary IP addresses. You can assign Elastic IP address as secondary IP addresses for an interface. You need the primary IP address while launching the instance. The secondary IP address is transferable from one vSRX Virtual Firewall node to another during a failover. Table 2 shows interface and IP address mappings used in this example.
    Table 2: Interface and IP Address Mappings
    Instance Interface Primary IP Address Secondary IP Address (Elastic IP Address)
    vSRX Virtual Firewall-1 ge-0/0/1 10.0.1.101 10.0.1.103
    ge-0/0/2 10.0.2.201 10.0.2.203
    vSRX Virtual Firewall-2 ge-0/0/1 10.0.1.102 10.0.1.103
    ge-0/0/2 10.0.2.202 10.0.2.203

  • Configure neighboring routers to include vSRX Virtual Firewall in the data path and mark vSRX Virtual Firewall as the next hop for the traffic. You can use an Elastic IP address to configure the route. For example, use the command sudo ip route x.x.x.x/x dev ens6 via 10.0.2.203, where the 10.0.2.203 address is an Elastic IP address.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

These configurations are captured from a lab environment, and are provided for reference only. Actual configurations may vary based on the specific requirements of your environment.

On vSRX Virtual Firewall-1

content_copy zoom_out_map
set chassis high-availability local-id 1
set chassis high-availability local-id local-ip 10.0.3.10
set chassis high-availability peer-id 2 peer-ip 10.0.3.11
set chassis high-availability peer-id 2 interface ge-0/0/0.0
set chassis high-availability peer-id 2 liveness-detection minimum-interval 400
set chassis high-availability peer-id 2 liveness-detection multiplier 5
set chassis high-availability services-redundancy-group 1 deployment-type cloud
set chassis high-availability services-redundancy-group 1 peer-id 2
set chassis high-availability services-redundancy-group 1 preemption
set chassis high-availability services-redundancy-group 1 activeness-priority 200
set security policies default-policy permit-all
set security zones security-zone fab host-inbound-traffic system-services all
set security zones security-zone fab host-inbound-traffic protocols all
set security zones security-zone fab interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/2.0
set security cloud high-availability aws eip-based
set security cloud high-availability aws peer-liveliness probe-ip 10.0.1.102
set security cloud high-availability aws peer-liveliness probe-ip routing-instance s1-router
set interfaces ge-0/0/0 mtu 9192
set interfaces ge-0/0/0 unit 0 family inet address 10.0.3.10/24
set interfaces ge-0/0/1 mtu 9192
set interfaces ge-0/0/1 unit 0 family inet address 10.0.1.101/24 primary
set interfaces ge-0/0/1 unit 0 family inet address 10.0.1.103/24
set interfaces ge-0/0/2 mtu 9192
set interfaces ge-0/0/2 unit 0 family inet address 10.0.2.201/24 primary
set interfaces ge-0/0/2 unit 0 family inet address 10.0.2.203/24
set routing-instances s1-router instance-type virtual-router
set routing-instances s1-router routing-options static route 0.0.0.0/0 next-hop 10.0.1.1
set routing-instances s1-router interface ge-0/0/1.0
set routing-instances s1-router interface ge-0/0/2.0

On vSRX Virtual Firewall-2

content_copy zoom_out_map
set chassis high-availability local-id 2
set chassis high-availability local-id local-ip 10.0.3.11
set chassis high-availability peer-id 1 peer-ip 10.0.3.10
set chassis high-availability peer-id 1 interface ge-0/0/0.0
set chassis high-availability peer-id 1 liveness-detection minimum-interval 400
set chassis high-availability peer-id 1 liveness-detection multiplier 5
set chassis high-availability services-redundancy-group 1 deployment-type cloud
set chassis high-availability services-redundancy-group 1 peer-id 1
set chassis high-availability services-redundancy-group 1 preemption
set chassis high-availability services-redundancy-group 1 activeness-priority 100
set security policies default-policy permit-all
set security zones security-zone fab host-inbound-traffic system-services all
set security zones security-zone fab host-inbound-traffic protocols all
set security zones security-zone fab interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/2.0
set security cloud high-availability aws eip-based
set security cloud high-availability aws peer-liveliness probe-ip 10.0.1.101
set security cloud high-availability aws peer-liveliness probe-ip routing-instance s1-router
set interfaces ge-0/0/0 mtu 9192
set interfaces ge-0/0/0 unit 0 family inet address 10.0.3.11/24
set interfaces ge-0/0/1 mtu 9192
set interfaces ge-0/0/1 unit 0 family inet address 10.0.1.102/24 primary
set interfaces ge-0/0/1 unit 0 family inet address 10.0.1.103/24
set interfaces ge-0/0/2 mtu 9192
set interfaces ge-0/0/2 unit 0 family inet address 10.0.2.202/24 primary
set interfaces ge-0/0/2 unit 0 family inet address 10.0.2.203/24
set routing-instances s1-router instance-type virtual-router
set routing-instances s1-router routing-options static route 0.0.0.0/0 next-hop 10.0.1.1
set routing-instances s1-router interface ge-0/0/1.0
set routing-instances s1-router interface ge-0/0/2.0

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. Configure ge-0/0/0 as the interface for the ICL

    content_copy zoom_out_map
    [edit]
user@host# set interfaces ge-0/0/0 mtu 9192
user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.0.3.11/24
  2. Configure interfaces for internal and external traffic.
    content_copy zoom_out_map
    [edit]
user@host# set interfaces ge-0/0/1 mtu 9192
user@host# set interfaces ge-0/0/1 unit 0 family inet address 10.0.1.102/24 primary
user@host# set interfaces ge-0/0/1 unit 0 family inet address 10.0.1.103/24
user@host# set interfaces ge-0/0/2 mtu 9192
user@host# set interfaces ge-0/0/2 unit 0 family inet address 10.0.2.202/24 primary
user@host# set interfaces ge-0/0/2 unit 0 family inet address 10.0.2.203/24

    We'll use the secondary IP address assigned to ge-0/0/1 and ge-0/0/2 as Elastic IP address.

  3. Configure security zones, assign interfaces to the zones, and specify allowed system services for the security zones .

    content_copy zoom_out_map
    [edit] 
user@host# set security zones security-zone fab host-inbound-traffic system-services all
user@host# set security zones security-zone fab host-inbound-traffic protocols all
user@host# set security zones security-zone fab interfaces ge-0/0/0.0
user@host# set security zones security-zone untrust host-inbound-traffic system-services all
user@host# set security zones security-zone untrust host-inbound-traffic protocols all
user@host# set security zones security-zone untrust interfaces ge-0/0/1.0
user@host# set security zones security-zone trust host-inbound-traffic system-services all
user@host# set security zones security-zone trust host-inbound-traffic protocols all
user@host# set security zones security-zone trust interfaces ge-0/0/2.0

  4. Configure routing options.

    content_copy zoom_out_map
    [edit]
user@host# set routing-instances s1-router instance-type virtual-router
user@host# set routing-instances s1-router routing-options static route 0.0.0.0/0 next-hop 10.0.1.1
user@host# set routing-instances s1-router interface ge-0/0/1.0
user@host# set routing-instances s1-router interface ge-0/0/2.0

    Here, you'll require a separate routing instance type virtual router to separate management traffic and revenue traffic.

  5. Configure local node and peer node details.

    content_copy zoom_out_map
    [edit]
user@host# set chassis high-availability local-id 1
user@host# set chassis high-availability local-id local-ip 10.0.3.10
user@host# set chassis high-availability peer-id 2 peer-ip 10.0.3.11

  6. Associate the interface to the peer node for interface monitoring, and configure the liveness detection details.

    content_copy zoom_out_map
    [edit]
user@host# set chassis high-availability peer-id 2 interface ge-0/0/0.0
user@host# set chassis high-availability peer-id 2 liveness-detection minimum-interval 400
user@host# set chassis high-availability peer-id 2 liveness-detection multiplier 5

  7. Configure SRG1 with deployment type as cloud, assign an ID, and set preemption and activeness priority.

    content_copy zoom_out_map
    [edit]
user@host# set chassis high-availability services-redundancy-group 1 deployment-type cloud
user@host# set chassis high-availability services-redundancy-group 1 peer-id 2
user@host# set chassis high-availability services-redundancy-group 1 preemption
user@host# set chassis high-availability services-redundancy-group 1 activeness-priority 200

  8. Configure AWS deployment-related options. For example, specify eip-based as the service type and also, configure monitoring options such as AWS peer liveness.

    content_copy zoom_out_map
    [edit]
user@host# set security cloud high-availability aws eip-based
user@host# set security cloud high-availability aws peer-liveliness probe-ip 10.0.1.101
user@host# set security cloud high-availability aws peer-liveliness probe-ip routing-instance s1-router
Note:

In Multinode High Availability for vSRX Virtual Firewall instances in VMWare ESXi environment with VMXNET3 vNIC, configuration of virtual MAC address is not supported in the following statement:

content_copy zoom_out_map
[set chassis high-availability services-redundancy-group <number> virtual-ip <id> use-virtual-mac

Results

vSRX Virtual Firewall-1

From configuration mode, confirm your configuration by entering the following commands.

If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

content_copy zoom_out_map
[edit]
user@host# show chassis high-availability
local-id 1 local-ip 10.0.3.10;
peer-id 2 {
    peer-ip 10.0.3.11;
    interface ge-0/0/0.0;
    liveness-detection {
        minimum-interval 400;
        multiplier 5;
    }
}
services-redundancy-group 1 {
    deployment-type cloud;
    peer-id {
        2;
    }
    preemption;
    activeness-priority 200;
}
content_copy zoom_out_map
[edit]
user@host# show routing-instances
s1-router {
    instance-type virtual-router;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.0.1.1;
        }
    }
    interface ge-0/0/1.0;
    interface ge-0/0/2.0;
}
content_copy zoom_out_map
[edit]
user@host# show security zones security-zone
   security-zone fab {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/0.0;
    }
}
security-zone untrust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/1.0;
    }
}
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/2.0;
    }
}
content_copy zoom_out_map
[edit]
user@host# show interfaces
ge-0/0/0 {
    mtu 9192;
    unit 0 {
        family inet {
            address 10.0.3.10/24;
        }
    }
}
ge-0/0/1 {
    mtu 9192;
    unit 0 {
        family inet {
            address 10.0.1.101/24 {
                primary;
            }
            address 10.0.1.103/24;
        }
    }
}
ge-0/0/2 {
    mtu 9192;
    unit 0 {
        family inet {
            address 10.0.2.201/24 {
                primary;
            }
            address 10.0.2.203/24;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

vSRX Virtual Firewall-2

From configuration mode, confirm your configuration by entering the following commands.

If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

content_copy zoom_out_map
[edit]
user@host# show chassis high-availability
local-id 2 local-ip 10.0.3.11;
peer-id 1 {
    peer-ip 10.0.3.10;
    interface ge-0/0/0.0;
    liveness-detection {
        minimum-interval 400;
        multiplier 5;
    }
}
services-redundancy-group 1 {
    deployment-type cloud;
    peer-id {
        1;
    }
    preemption;
    activeness-priority 100;
}
content_copy zoom_out_map
[edit]
user@host# show routing-instances
s1-router {
    instance-type virtual-router;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.0.1.1;
        }
    }
    interface ge-0/0/1.0;
    interface ge-0/0/2.0;
}
content_copy zoom_out_map
[edit]
user@host# show security zones
  security-zone fab {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/0.0;
    }
}
security-zone untrust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/1.0;
    }
}
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/2.0;
    }
}
content_copy zoom_out_map
[edit]
user@host# show interfaces
ge-0/0/0 {
    mtu 9192;
    unit 0 {
        family inet {
            address 10.0.3.11/24;
        }
    }
}
ge-0/0/1 {
    mtu 9192;
    unit 0 {
        family inet {
            address 10.0.1.102/24 {
                primary;
            }
            address 10.0.1.103/24;
        }
    }
}
ge-0/0/2 {
    mtu 9192;
    unit 0 {
        family inet {
            address 10.0.2.202/24 {
                primary;
            }
            address 10.0.2.203/24;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Check Multinode High Availability Details

Purpose

View and verify the details of the Multinode High Availability setup configured on your vSRX Virtual Firewall instance.

Action

From operational mode, run the following command:

vSRX Virtual Firewall-1

content_copy zoom_out_map
user@host> show chassis high-availability information 
            Node failure codes:
    HW  Hardware monitoring    LB  Loopback monitoring
    MB  Mbuf monitoring        SP  SPU monitoring
    CS  Cold Sync monitoring   SU  Software Upgrade

Node Status: ONLINE
Local-id: 1
Local-IP: 10.0.3.10
HA Peer Information:

    Peer Id: 2        IP address: 10.0.3.11     Interface: ge-0/0/0.0
    Routing Instance: default
    Encrypted: NO     Conn State: UP
    Cold Sync Status: COMPLETE

SRG failure event codes:
    BF  BFD monitoring
    IP  IP monitoring
    IF  Interface monitoring
    CP  Control Plane monitoring

Services Redundancy Group: 1
        Deployment Type: CLOUD
        Status: ACTIVE
        Activeness Priority: 200
        Preemption: ENABLED
        Process Packet In Backup State: NO
        Control Plane State: READY
        System Integrity Check: N/A
        Failure Events: NONE
        Peer Information:
          Peer Id: 2
          Status : BACKUP
          Health Status: HEALTHY
          Failover Readiness: NOT READY

vSRX Virtual Firewall-2

content_copy zoom_out_map
user@host> show chassis high-availability information 
Node failure codes:
    HW  Hardware monitoring    LB  Loopback monitoring
    MB  Mbuf monitoring        SP  SPU monitoring
    CS  Cold Sync monitoring   SU  Software Upgrade

Node Status: ONLINE
Local-id: 2
Local-IP: 10.0.3.11
HA Peer Information:

    Peer Id: 1        IP address: 10.0.3.10     Interface: ge-0/0/0.0
    Routing Instance: default
    Encrypted: NO     Conn State: UP
    Cold Sync Status: COMPLETE

SRG failure event codes:
    BF  BFD monitoring
    IP  IP monitoring
    IF  Interface monitoring
    CP  Control Plane monitoring

Services Redundancy Group: 1
        Deployment Type: CLOUD
        Status: BACKUP
        Activeness Priority: 100
        Preemption: ENABLED
        Process Packet In Backup State: NO
        Control Plane State: NOT READY
        System Integrity Check: COMPLETE
        Failure Events: NONE
        Peer Information:
          Peer Id: 1
          Status : ACTIVE
          Health Status: HEALTHY
          Failover Readiness: N/A

Meaning

Verify these details from the command output:

  • Local node and peer node details such as IP address and ID.

  • The field Deployment Type: CLOUD indicates that configuration is for the cloud deployment.

  • The field Services Redundancy Group: 1 indicates the status of the SRG1 (ACTIVE or BACKUP) on that node.

Check Multinode High Availability Information on AWS

Purpose

Check whether Multinode High Availability is deployed in AWS cloud.

Action

From operational mode, run the following command:

content_copy zoom_out_map
user@host> show security cloud high-availability information 
   Cloud HA Information:

    Cloud Type      Cloud Service Type   Cloud Service Status
    AWS             EIP                  Bind to Local Node

Meaning

Verify these details from the command output:

  • The field Cloud Type: AWS indicates the deployment is for AWS.

  • The field Cloud Service Type: EIP indicates that the the AWS deployment uses the EIP service type (for Elastic IP address) to control traffic.

  • The field Cloud Service Status: Bind to Local Node indicates the binding of the Elastic IP address to the local node. For the backup node, this field displays Bind to Peer Node.

    .

Check Multinode High Availability Peer Node Status

Purpose

Check the Multinode High Availability peer node status.

Action

From operational mode, run the following command:

vSRX Virtual Firewall-1

content_copy zoom_out_map
user@host> show chassis high-availability peer-info 
     HA Peer Information:

   Peer-ID: 2        IP address: 10.0.3.11     Interface: ge-0/0/0.0
   Routing Instance: default
   Encrypted: NO     Conn State: UP
   Cold Sync Status: COMPLETE
   Internal Interface: N/A
   Internal Local-IP: N/A
   Internal Peer-IP: N/A
   Internal Routing-instance: N/A
Packet Statistics:
        Receive Error : 0        Send Error : 0

        Packet-type            Sent       Received

        SRG Status Msg           7           6

        SRG Status Ack            6           7

        Attribute Msg             2           1

        Attribute Ack             1           1

vSRX Virtual Firewall-2

content_copy zoom_out_map
user@host> show chassis high-availability peer-info
HA Peer Information:

   Peer-ID: 1        IP address: 10.0.3.10     Interface: ge-0/0/0.0
   Routing Instance: default
   Encrypted: NO     Conn State: UP
   Cold Sync Status: COMPLETE
   Internal Interface: N/A
   Internal Local-IP: N/A
   Internal Peer-IP: N/A
   Internal Routing-instance: N/A
Packet Statistics:
        Receive Error : 0        Send Error : 0

        Packet-type            Sent       Received

        SRG Status Msg           9           9

        SRG Status Ack            9           9

        Attribute Msg             3           2

        Attribute Ack             2           2

Meaning

Verify these details from the command output:

  • Peer node details including ID, IP address, interface.

  • Packet statistics across the node.

Check Multinode High Availability SRG

Purpose

View and verify SRG details in Multinode High Availability.

Action

From operational mode, run the following command:

content_copy zoom_out_map
user@host> show chassis high-availability services-redundancy-group 1 
            SRG failure event codes:
    BF  BFD monitoring
    IP  IP monitoring
    IF  Interface monitoring
    CP  Control Plane monitoring

Services Redundancy Group: 1
        Deployment Type: CLOUD
        Status: ACTIVE
        Activeness Priority: 200
        Preemption: ENABLED
        Process Packet In Backup State: NO
        Control Plane State: READY
        System Integrity Check: N/A
        Failure Events: NONE
        Peer Information:
          Peer Id: 2
          Status : BACKUP
          Health Status: HEALTHY
          Failover Readiness: READY

        Split-brain Prevention Probe Info:
          DST-IP: 10.0.1.102
          SRC-IP: 0.0.0.0
          Routing Instance: s1-router
          Status: NOT RUNNING
          Result: N/A           Reason: N/A

Meaning

Verify these details from the command output:

  • SRG details such deployment type. The field Status: ACTIVE indicates that the particular SRG1 is in active role. You can also view activeness priority and preemption state in the output.

  • Peer node details.

  • Split-brain prevention probe details.

Verify the Multinode High Availability Status Before and After Failover

Purpose

Check the change in node status before and after a failover in a Multinode High Availability setup.

Action

Check the Multinode High Availability status on the backup node (SRX-2).

From operational mode, run the following command:

content_copy zoom_out_map
user@host> show chassis high-availability information 
            Node failure codes:
    HW  Hardware monitoring    LB  Loopback monitoring
    MB  Mbuf monitoring        SP  SPU monitoring
    CS  Cold Sync monitoring   SU  Software Upgrade

Node Status: ONLINE
Local-id: 2
Local-IP: 10.0.3.11
HA Peer Information:

    Peer Id: 1        IP address: 10.0.3.10     Interface: ge-0/0/0.0
    Routing Instance: default
    Encrypted: NO     Conn State: UP
    Cold Sync Status: COMPLETE

SRG failure event codes:
    BF  BFD monitoring
    IP  IP monitoring
    IF  Interface monitoring
    CP  Control Plane monitoring

Services Redundancy Group: 1
        Deployment Type: CLOUD
        Status: BACKUP
        Activeness Priority: 100
        Preemption: ENABLED
        Process Packet In Backup State: NO
        Control Plane State: NOT READY
        System Integrity Check: COMPLETE
        Failure Events: NONE
        Peer Information:
          Peer Id: 1
          Status : ACTIVE
          Health Status: HEALTHY
          Failover Readiness: N/A

Meaning

In Services Redundancy Group: 1 section, you can see the Status: BACKUP. This field indicates that the SRG-1 is in the backup mode.

Action

Initiate the failover on the active node (vSRX Virtual Firewall-1) and again run the command on the backup node (vSRX Virtual Firewall-2).

content_copy zoom_out_map
user@host> show chassis high-availability information
Node failure codes:
    HW  Hardware monitoring    LB  Loopback monitoring
    MB  Mbuf monitoring        SP  SPU monitoring
    CS  Cold Sync monitoring   SU  Software Upgrade

Node Status: ONLINE
Local-id: 2
Local-IP: 10.0.3.11
HA Peer Information:

    Peer Id: 1        IP address: 10.0.3.10     Interface: ge-0/0/0.0
    Routing Instance: default
    Encrypted: NO     Conn State: UP
    Cold Sync Status: COMPLETE

SRG failure event codes:
    BF  BFD monitoring
    IP  IP monitoring
    IF  Interface monitoring
    CP  Control Plane monitoring

Services Redundancy Group: 1
        Deployment Type: CLOUD
        Status: ACTIVE
        Activeness Priority: 100
        Preemption: ENABLED
        Process Packet In Backup State: NO
        Control Plane State: READY
        System Integrity Check: N/A
        Failure Events: NONE
        Peer Information:
          Peer Id: 1
          Status : BACKUP
          Health Status: HEALTHY
          Failover Readiness: NOT READY

Meaning

In the Services Redundancy Group: 1 section, the status of SRG1 changes from BACKUP to ACTIVE. The change in the field value indicates that the node has transitioned into the active role and the other node (previously active) has transitioned to the backup role. You can see the other node's status in the Peer Information option, which shows BACKUP.

See Also

arrow_backward PREVIOUS Multinode High Availability Support for vSRX Virtual Firewall Instances
NEXT arrow_forward Multinode High Availability in Azure Cloud
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top