close

keyboard_arrow_left

Table of Contents Expand all

play_arrow Overview
- play_arrow Next Gen Services Overview
  - Next Gen Services Overview
- play_arrow Configuration Overview
- play_arrow Global System Logging Overview and Configuration
- play_arrow Next Gen Services SNMP MIBS and Traps
  - Next Gen Services SNMP MIBs and Traps
play_arrow Carrier Grade NAT (CGNAT)
- play_arrow Deterministic NAT Overview and Configuration
  - Deterministic NAPT Overview for Next Gen Services
  - Configuring Deterministic NAPT for Next Gen Services
- play_arrow Dynamic Address-Only Source NAT Overview and Configuration
  - Dynamic Address-Only Source Translation Overview
  - Configuring Dynamic Address-Only Source NAT for Next Gen Services
- play_arrow Network Address Port Translation Overview and Configuration
  - Network Address Port Translation (NAPT) Overview
  - Configuring Network Address Port Translation for Next Gen Services
  - Configuring Syslog Events for NAT Rule Conditions with Next Gen Services
- play_arrow NAT46
  - NAT46 Next Gen Services Configuration Examples
- play_arrow Stateful NAT64 Overview and Configuration
  - Stateful NAT64 Overview
  - IPv4 Addresses Embedded in IPv6 Addresses
  - Configuring Next Gen Services Stateful NAT64
- play_arrow IPv4 Connectivity Across IPv6-Only Network Using 464XLAT Overview and Configuration
  - 464XLAT Overview
  - IPv4 Addresses Embedded in IPv6 Addresses
  - Configuring 464XLAT Provider-Side Translator for IPv4 Connectivity Across IPv6-Only Network for Next Gen Services
- play_arrow IPv6 NAT Protocol Translation (NAT PT)
  - IPv6 NAT PT Overview
  - IPv6 NAT-PT Communication Overview
- play_arrow Stateless Source Network Prefix Translation for IPv6 Overview and Configuration
  - Stateless Source Network Prefix Translation for IPv6
- play_arrow Transitioning to IPv6 Using Softwires
  - 6rd Softwires in Next Gen Services
- play_arrow Transitioning to IPv6 Using DS-Lite Softwires
  - DS-Lite Softwires—IPv4 over IPv6 for Next Gen Services
  - Configuring Next Gen Services DS-Lite Softwires
  - DS-Lite Subnet Limitation
  - Protecting CGN Devices Against Denial of Service (DOS) Attacks
- play_arrow Reducing Traffic and Bandwidth Requirements Using Port Control Protocol
  - Port Control Protocol Overview
  - Configuring Port Control Protocol
- play_arrow Transitioning to IPv6 Using Mapping of Address and Port with Encapsulation (MAP-E)
  - Mapping of Address and Port with Encapsulation (MAP-E) for Next Gen Services
  - Equal Cost Multiple Path (ECMP) support for Mapping of Address and Port with Encapsulation (MAP-E)
- play_arrow Monitoring and Troubleshooting Softwires
  - Ping and Traceroute for DS-Lite
  - Monitoring Softwire Statistics
  - Monitoring CGN, Stateful Firewall, and Softwire Flows
- play_arrow Port Forwarding Overview and Configuration
  - Port Forwarding for Next Gen Services
- play_arrow Port Translation Features Overview and Configuration
  - Address Pooling and Endpoint Independent Mapping for Port Translation
  - Round-Robin Port Allocation
  - Secured Port Block Allocation for Port Translation
- play_arrow Static Source NAT Overview and Configuration
  - Static Source NAT Overview
  - Configuring Static Source NAT44 or NAT66 for Next Gen Services
- play_arrow Static Destination NAT Overview and Configuration
  - Static Destination NAT Overview
  - Configuring Static Destination NAT for Next Gen Services
- play_arrow Twice NAPT Overview and Configuration
  - Twice NAPT Overview
  - Configuring Twice NAPT for Next Gen Services
- play_arrow Twice NAT Overview and Configuration
  - Twice Static NAT Overview
  - Configuring Twice Static NAT44 for Next Gen Services
  - Twice Dynamic NAT Overview
  - Configuring Twice Dynamic NAT for Next Gen Services
- play_arrow Class of Service Overview and Configuration
  - Class of Service for Services PICs (Next Gen Services)
play_arrow Stateful Firewall Services
- play_arrow Stateful Firewall Services Overview and Configuration
  - Stateful Firewall Overview for Next Gen Services
  - Configuring Stateful Firewalls for Next Gen Services
play_arrow Intrusion Detection Services
- play_arrow IDS Screens for Network Attack Protection Overview and Configuration
play_arrow Traffic Load Balancing
- play_arrow Traffic Load Balancing Overview and Configuration
  - Traffic Load Balancer Overview
  - Configuring TLB
play_arrow DNS Request Filtering
- play_arrow DNS Request Filtering Overview and Configuration
  - DNS Request Filtering for Disallowed Website Domains
  - DNS Request Filtering System Logging Error Messages
play_arrow URL Filtering
- play_arrow URL Filtering
  - URL Filtering Overview
  - Configuring URL Filtering
play_arrow Integration of Juniper ATP Cloud and Web filtering on MX Routers
- play_arrow Integration of Juniper ATP Cloud and Web filtering on MX Routers
  - Integration of Juniper ATP Cloud and Web Filtering on MX Series Routers
play_arrow Aggregated Multiservices Interfaces
- play_arrow Enabling Load Balancing and High Availability Using Multiservices Interfaces
play_arrow Inter-Chassis Services PIC High Availability
- play_arrow Inter-Chassis Services PIC High Availability Overview and Configuration
play_arrow Application Layer Gateways
- play_arrow Enabling Traffic to Pass Securely Using Application Layer Gateways
play_arrow NAT, Stateful Firewall, and IDS Flows
- play_arrow Inline NAT Services Overview and Configuration
play_arrow Configuration Statements

list Table of Contents

English

Inter-Chassis Stateful Synchronization for Long Lived NAT, Stateful Firewall, and IDS Flows for Next Gen Services

date_range 06-Dec-23

arrow_backward

arrow_forward

Inter-Chassis Stateful Synchronization Overview

Stateful synchronization replicates the state of long-lived NAT, stateful firewall, and IDS sessions on the primary services PIC and sends it to the backup services PIC, which is on a different MX Series chassis. By default, long lived sessions are defined as having been active on the services PIC for at least 180 seconds, though you can configure this to a higher value.

The following restrictions apply:

NAPT44 is the only translation type supported.

Replicating state information for the port block allocation (PBA), endpoint-independent mapping (EIM), or endpoint-independent filters (EIF) features are supported supported for Next Gen Services.

When configuring a service set for NAT, stateful firewall, or IDS that belongs to a stateful synchronization setup, you must use a next-hop service set, and the NAT, stateful firewall, and IDS configurations for the service set must be identical on both MX Series chassis.

Figure 1 shows the stateful synchronization topology.

Figure 1: Stateful Sync Topology

Benefits

Interchassis stateful synchronization of the services session state allows uninterrupted services when a switchover occurs from a services PIC on one chassis to a services PIC on another chassis.

Configuring Inter-Chassis Stateful Synchronization for Long- Lived NAT, Stateful Firewall, and IDS Flows for Next Gen Services

Configuring Inter-Chassis Stateful Synchronization for Next Gen Services with non-AMS Interface
Configuring Inter-Chassis Stateful Synchronization for Next Gen Services with AMS Interface

Configuring Inter-Chassis Stateful Synchronization for Next Gen Services with non-AMS Interface

To configure stateful synchronization inter-chassis high availability for NAT, stateful firewall, and IDS flows for Next Gen Services when the services interfaces are not AMS, perform the following configuration steps on each chassis of the high availability pair.

Specify the IP address of the vms- interface. This address is used by the TCP channel between the HA pairs.
```
[edit interfaces interface-name redundancy-options]
user@host# set redundancy-local data-address address
```
For example:
```
[edit interfaces vms-1/0/0 redundancy-options]
user@host# set redundancy-local data-address 192.0.2.2
```
When you configure the other chassis, this is the address you use for the redundancy-peer ipaddress.
Specify the IP address of the remote services interface. This address is used by the TCP channel between the HA pairs.
```
[edit interfaces interface-name redundancy-options]
user@host# set redundancy-peer ipaddress address
```
For example:
```
[edit interfaces vms-1/0/0 redundancy-options]
user@host# set redundancy-peer ipaddress 192.0.2.1
```
When you configure the other chassis, this is the address you use for the redundancy-local data-address.

Configure the length of time that the flow remains active for replication, in seconds.

content_copy zoom_out_map
[edit interfaces interface-name redundancy-options]
user@host# set replication-threshold seconds

For example:

content_copy zoom_out_map
[edit interfaces vms-1/0/0 redundancy-options]
user@host# set replication-threshold 60

Configure a unit other than 0, and assign it the IP address of the local services interface that you configured with the redundancy-local data-address option.
```
[edit interfaces interface-name]
user@host# set unit logical-unit-number family (inet | inet6) address address
```
For example:
```
[edit interfaces vms-1/0/0]
user@host# set unit 10 family inet address 192.0.2.2/32
```
For ease of management, we recommend you create a special routing instance with instance-type vrf to host the HA synchronization traffic between the MX Series high availability pair. Then specify the name of the special routing instance to apply to the HA synchronization traffic between the high availability pair.
```
[edit interfaces interface-name redundancy-options]
user@host# set routing-instance instance-name
```

Configure the inside and outside interface units, which are used by the next-hop service set. Use different unit numbers for the inside and outside units, and do not use 0 or the unit number used in Step 4.

content_copy zoom_out_map
[edit]
user@host# set interfaces interface-name unit logical-unit-number family (inet | inet6)
user@host# set interfaces interface-name unit logical-unit-number service-domain inside
user@host# set interfaces interface-name unit logical-unit-number family (inet | inet6)
user@host# set interfaces interface-name unit logical-unit-number service-domain outside

For example:

content_copy zoom_out_map
[edit]
user@host# set interfaces vms-1/0/0 unit 100 family inet
user@host# set interfaces vms-1/0/0 unit 100 family inet6
user@host# set interfaces vms-1/0/0 unit 100 service-domain inside
user@host# set interfaces vms-1/0/0 unit 1000 family inet
user@host# set interfaces vms-1/0/0 unit 1000 family inet6
user@host# set interfaces vms-1/0/0 unit 1000 service-domain outside

Configure the next-hop service set that contains the NAT rules, stateful firewall rules, or IDS screens. The service set must be configured identically on each chassis of the high availability pair. The NAT rules, stateful firewall rules, and IDS screens must also be configured identically on each chassis.
For example:
```
user@host#set service-set internal-nat next-hop-service inside-service-interface vms-1/0/0.100
user@host#set service-set internal-nat next-hop-service outside-service-interface vms-1/0/0.1000
user@host#set service-set internal-nat next-hop-service nat-rules internal-nat1
```
Repeat these steps for the other chassis of the high availability pair.

Configuring Inter-Chassis Stateful Synchronization for Next Gen Services with AMS Interface

To configure stateful synchronization inter-chassis high availability for NAT, stateful firewall, and IDS flows for Next Gen Services for an AMS services interface, perform the following configuration steps on each chassis of the high availability pair.

Configure a services vms- interface for every member of the AMS interface:
1. Specify the IP address of the vms- interface. This address is used by the TCP channel between the HA pairs.
  [edit interfaces interface-name redundancy-options] user@host# set redundancy-local data-address address
  For example:
  [edit interfaces vms-1/0/0 redundancy-options] user@host# set redundancy-local data-address 192.0.2.2
  When you configure the other chassis, this is the address you use for the redundancy-peer ipaddress.
2. Specify the IP address of the remote services interface. This address is used by the TCP channel between the HA pairs.
  [edit interfaces interface-name redundancy-options] user@host# set redundancy-peer ipaddress address
  For example:
  [edit interfaces vms-1/0/0 redundancy-options] user@host# set redundancy-peer ipaddress 192.0.2.1
  When you configure the other chassis, this is the address you use for the redundancy-local data-address.
3. Configure the length of time that the flow remains active for replication, in seconds.
  [edit interfaces interface-name redundancy-options] user@host# set replication-threshold seconds
  For example:
  [edit interfaces vms-1/0/0 redundancy-options] user@host# set replication-threshold 60
4. Configure a unit other than 0, and assign it the IP address of the local services interface that you configured with the redundancy-local data-address option.
  [edit interfaces interface-name] user@host# set unit logical-unit-number family inet address address
  For example:
  [edit interfaces vms-1/0/0] user@host# set unit 10 family inet address 192.0.2.2/32
5. For ease of management, we recommend you create a special routing instance with instance-type vrf to host the HA synchronization traffic between the MX Series high availability pair. Then specify the name of the special routing instance to apply to the HA synchronization traffic between the high availability pair.
  [edit interfaces interface-name redundancy-options] user@host# set routing-instance instance-name
Create the AMS interface and add the member interfaces you configured in Step 1.
```
[edit interfaces]
user@host# set interface-name load-balancing-options [member-interface mams-a/b/0]
```
where the interface-name is amsN, and a is the FPC slot number and b is the PIC slot number for each member interface.

For example:
```
[edit interfaces]
user@host# set ams0 load-balancing-options member-interface mams-1/0/0
user@host# set ams0 load-balancing-options member-interface mams-1/1/0
```

Configure the inside interface for the AMS interface, which is used by the next-hop service set:

Configure the family for the inside interface. Do not use 0 for the unit number.

content_copy zoom_out_map
[edit]
user@host# set interfaces interface-name unit logical-unit-number service-domain inside 
user@host# set interfaces interface-name unit logical-unit-number family (inet | inet6)

For example:

content_copy zoom_out_map
[edit]
user@host# set interfaces ams0 unit 100 service-domain inside 
user@host# set interfaces ams0 unit 100 family inet
user@host# set interfaces ams0 unit 100 family inet6

Configure the hash key to regulate distribution for the inside interface.

content_copy zoom_out_map
[edit set interfaces interface-name unit logical-unit-number]
user@host# load-balancing-options hash-keys ingress-key [source-ip destination-ip]

Configure the outside interface for the AMS interface, which is used by the next-hop service set. Do not use 0 or the same unit number that you used for the inside interface.

Configure the family for the outside interface.

content_copy zoom_out_map
[edit]
user@host# set interfaces interface-name unit logical-unit-number service-domain outside 
user@host# set interfaces interface-name unit logical-unit-number family (inet | inet6)

For example:

content_copy zoom_out_map
[edit]
user@host# set interfaces ams0 unit 1000 service-domain outside 
user@host# set interfaces ams0 unit 1000 family inet
user@host# set interfaces ams0 unit 1000 family inet6

Configure the hash key to regulate distribution for the outside interface.

content_copy zoom_out_map
[edit set interfaces interface-name unit logical-unit-number]
user@host# load-balancing-options hash-keys ingress-key [source-ip destination-ip]

Configure the next-hop service set that contains the NAT rules, stateful firewall rules, or IDS screens. The service set must be configured identically on each chassis of the high availability pair. The NAT rules, stateful firewall rule, and IDS screens must also be configured identically on each chassis.
For example:
```
user@host#set service-set internal-nat next-hop-service inside-service-interface ams0.100
user@host#set service-set internal-nat next-hop-service outside-service-interface ams0.1000
user@host#set service-set internal-nat next-hop-service nat-rules internal-nat1
```
Repeat these steps for the other chassis of the high availability pair.

arrow_backward PREVIOUS Next Gen Services Inter-chassis High Availability Overview for NAT, Stateful Firewall, and IDS Flows

NEXT arrow_forward Inter-Chassis Services Redundancy Overview for Next Gen Services

Next Gen Services Interfaces User Guide for Routing Devices

ON THIS PAGE

Inter-Chassis Stateful Synchronization for Long Lived NAT, Stateful Firewall, and IDS Flows for Next Gen Services

Inter-Chassis Stateful Synchronization Overview

Benefits

Configuring Inter-Chassis Stateful Synchronization for Long- Lived NAT, Stateful Firewall, and IDS Flows for Next Gen Services

Configuring Inter-Chassis Stateful Synchronization for Next Gen Services with non-AMS Interface

Configuring Inter-Chassis Stateful Synchronization for Next Gen Services with AMS Interface

Stay in touch

Helped me install or use the product
Accelerated my deployment

Discuss the product with a co-worker
Make a purchase inquiry