Inter-Chassis Stateful Synchronization for Long Lived NAT, Stateful Firewall, and IDS Flows for Next Gen Services

Inter-Chassis Stateful Synchronization Overview

Stateful synchronization replicates the state of long-lived NAT, stateful firewall, and IDS sessions on the primary services PIC and sends it to the backup services PIC, which is on a different MX Series chassis. By default, long-lived sessions are defined as having been active on the services PIC for at least 180 seconds, though you can configure this to a higher value.

The following restrictions apply:

  • NAPT44 is the only translation type supported.

Replicating state information for the port block allocation (PBA), endpoint-independent mapping (EIM), and endpoint-independent filter (EIF) features is supported for Next Gen Services.

When configuring a service set for NAT, stateful firewall, or IDS that belongs to a stateful synchronization setup, you must use a next-hop service set, and the NAT, stateful firewall, and IDS configurations for the service set must be identical on both MX Series chassis.

Figure 1 shows the stateful synchronization topology.

Figure 1: Stateful Sync Topology

Benefits

Interchassis stateful synchronization of the services session state allows uninterrupted services when a switchover occurs from a services PIC on one chassis to a services PIC on another chassis.

Configuring Inter-Chassis Stateful Synchronization for Long-Lived NAT, Stateful Firewall, and IDS Flows for Next Gen Services

Configuring Inter-Chassis Stateful Synchronization for Next Gen Services with non-AMS Interface

To configure stateful synchronization inter-chassis high availability for NAT, stateful firewall, and IDS flows for Next Gen Services when the services interfaces are not AMS, perform the following configuration steps on each chassis of the high availability pair.

  1. Specify the IP address of the vms- interface. This address is used by the TCP channel between the HA pairs.

    For example:

    When you configure the other chassis, this is the address you use for the redundancy-peer ipaddress.

  2. Specify the IP address of the remote services interface. This address is used by the TCP channel between the HA pairs.

    For example:

    When you configure the other chassis, this is the address you use for the redundancy-local data-address.

  3. Configure the length of time that the flow remains active for replication, in seconds.

    For example:

  4. Configure a unit other than 0, and assign it the IP address of the local services interface that you configured with the redundancy-local data-address option.

    For example:

  5. For ease of management, we recommend you create a special routing instance with instance-type vrf to host the HA synchronization traffic between the MX Series high availability pair. Then specify the name of the special routing instance to apply to the HA synchronization traffic between the high availability pair.
  6. Configure the inside and outside interface units, which are used by the next-hop service set. Use different unit numbers for the inside and outside units, and do not use 0 or the unit number used in Step 4.

    For example:

  7. Configure the next-hop service set that contains the NAT rules, stateful firewall rules, or IDS screens. The service set must be configured identically on each chassis of the high availability pair. The NAT rules, stateful firewall rules, and IDS screens must also be configured identically on each chassis.

    For example:

  8. Repeat these steps for the other chassis of the high availability pair.

Configuring Inter-Chassis Stateful Synchronization for Next Gen Services with AMS Interface

To configure stateful synchronization inter-chassis high availability for NAT, stateful firewall, and IDS flows for Next Gen Services for an AMS services interface, perform the following configuration steps on each chassis of the high availability pair.

  1. Configure a services vms- interface for every member of the AMS interface:
    1. Specify the IP address of the vms- interface. This address is used by the TCP channel between the HA pairs.

      For example:

      When you configure the other chassis, this is the address you use for the redundancy-peer ipaddress.

    2. Specify the IP address of the remote services interface. This address is used by the TCP channel between the HA pairs.

      For example:

      When you configure the other chassis, this is the address you use for the redundancy-local data-address.

    3. Configure the length of time that the flow remains active for replication, in seconds.

      For example:

    4. Configure a unit other than 0, and assign it the IP address of the local services interface that you configured with the redundancy-local data-address option.

      For example:

    5. For ease of management, we recommend you create a special routing instance with instance-type vrf to host the HA synchronization traffic between the MX Series high availability pair. Then specify the name of the special routing instance to apply to the HA synchronization traffic between the high availability pair.
  2. Create the AMS interface and add the member interfaces you configured in Step 1.

    where the interface-name is amsN, and a is the FPC slot number and b is the PIC slot number for each member interface.

    For example:

  3. Configure the inside interface for the AMS interface, which is used by the next-hop service set:
    1. Configure the family for the inside interface. Do not use 0 for the unit number.

      For example:

    2. Configure the hash key to regulate distribution for the inside interface.
  4. Configure the outside interface for the AMS interface, which is used by the next-hop service set. Do not use 0 or the same unit number that you used for the inside interface.

    1. Configure the family for the outside interface.

      For example:

    2. Configure the hash key to regulate distribution for the outside interface.
  5. Configure the next-hop service set that contains the NAT rules, stateful firewall rules, or IDS screens. The service set must be configured identically on each chassis of the high availability pair. The NAT rules, stateful firewall rules, and IDS screens must also be configured identically on each chassis.

    For example:

  6. Repeat these steps for the other chassis of the high availability pair.
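The following set-command listing is a worked example added here to tie the steps of both procedures together; it is not taken from the Juniper documentation. It shows one chassis of the pair: the per-member vms- redundancy settings common to the non-AMS procedure and to step 1 of the AMS procedure, followed by the AMS bundle, its inside and outside units, and the next-hop service set. Interface names, addresses, unit numbers, the routing-instance name HA-SYNC and the service-set name NGS-HA are assumed, as is that the standard Junos services hierarchy (redundancy-options, replication-threshold, load-balancing-options, hash-keys, next-hop-service) applies unchanged to vms- interfaces.

```junos
# Chassis A of the HA pair. Chassis B uses the same statements with the
# redundancy-local and redundancy-peer addresses swapped. All names,
# addresses and unit numbers below are assumed for this example.

# Step 1: address of this chassis's vms- interface (B's redundancy-peer)
set interfaces vms-1/0/0 redundancy-options redundancy-local data-address 192.0.2.1
# Step 2: address of the remote vms- interface (B's redundancy-local data-address)
set interfaces vms-1/0/0 redundancy-options redundancy-peer ipaddress 192.0.2.2
# Step 3: replicate only flows active for at least 300 s (default is 180 s)
set interfaces vms-1/0/0 redundancy-options replication-threshold 300
# Step 4: a unit other than 0 that owns the local data-address
set interfaces vms-1/0/0 unit 10 family inet address 192.0.2.1/30
# Step 5: carry the HA synchronization traffic in a dedicated VRF
set interfaces vms-1/0/0 redundancy-options routing-instance HA-SYNC
set routing-instances HA-SYNC instance-type vrf
set routing-instances HA-SYNC interface vms-1/0/0.10
set routing-instances HA-SYNC route-distinguisher 192.0.2.1:1
set routing-instances HA-SYNC vrf-target target:65000:1
# AMS only: each additional member (here vms-2/0/0) repeats the statements
# above with its own pair of sync addresses and its own non-zero unit.

# AMS step 2: bundle the member interfaces configured in step 1
set interfaces ams0 load-balancing-options member-interface vms-1/0/0
set interfaces ams0 load-balancing-options member-interface vms-2/0/0
# AMS step 3: inside unit (not 0) and its distribution hash key
set interfaces ams0 unit 20 family inet
set interfaces ams0 unit 20 service-domain inside
set interfaces ams0 unit 20 load-balancing-options hash-keys ingress-key source-ip
# AMS step 4: outside unit (not 0 and not the inside unit) and its hash key
set interfaces ams0 unit 30 family inet
set interfaces ams0 unit 30 service-domain outside
set interfaces ams0 unit 30 load-balancing-options hash-keys ingress-key destination-ip

# AMS step 5 / non-AMS step 7: next-hop service set, identical on both chassis.
# For the non-AMS procedure use vms-1/0/0.20 and vms-1/0/0.30 (units not 0 and
# not 10) in place of ams0.20 and ams0.30.
set services service-set NGS-HA next-hop-service inside-service-interface ams0.20
set services service-set NGS-HA next-hop-service outside-service-interface ams0.30
# The NAT rules, stateful firewall rules or IDS screens attached to NGS-HA must
# also match on both chassis; their references are omitted here.
```

A commit on either chassis succeeds only once both sides reference each other's data-address, so compare the two redundancy-options blocks side by side before committing.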