Configuring Multinode High Availability Link Encryption
Read this topic to understand how to configure the Multinode High Availability solution on SRX Series Firewalls. This covers configuration in active/backup mode when SRX Series Firewalls are connected to routers on both sides. For more information about Multinode High Availability, see Multinode High Availability.
Cluster mode with L2HA link-encryption is not supported in fips-mode on SRX1600.
This feature is supported on the unified iked process using the junos-ike package. You must run the command request system software add optional://junos-ike.tgz to load the junos-ike package explicitly on SRX1600.
Overview
In Multinode High Availability, participating SRX Series Firewalls operate as independent nodes in a Layer 3 network. The nodes are connected to adjacent infrastructure belonging to different networks. An encrypted logical interchassis link (ICL) connects the nodes over a routed network. Participating nodes back up each other to ensure a fast, synchronized failover in case of a system or hardware failure.
In Multinode High Availability, activeness is determined at the services redundancy group (SRG) level. The SRX Series Firewall on which SRG1 is active hosts the floating IP address, and traffic is steered towards that node using the floating IP address. During a failover, the floating IP address moves from the old active node to the new active node, and communication with client devices continues.
As of Junos OS Release 23.4R1, we support a two-node configuration in the Multinode High Availability solution.
Requirements
This example uses the following hardware and software components:
- Two SRX Series Firewalls or vSRX Virtual Firewall instances
- Two Juniper Networks(R) Universal Routing Platform routers
- Junos OS Release 23.4R1
Topology
In a typical high availability deployment, you have multiple routers and switches on the northbound and southbound sides of the network. For this example, we are using two routers on both sides of SRX Series Firewalls.
In this example, you'll establish high availability between the SRX Series Firewalls and secure the tunnel traffic by enabling HA link encryption.
You'll perform the following tasks to build a Multinode High Availability setup:
- Configure a pair of SRX Series Firewalls as local and peer nodes by assigning IDs.
- Configure services redundancy groups.
- Configure a loopback interface (lo0.0) to host the floating IP address.
- Configure IP probes for activeness determination and enforcement.
- Configure a signal route required for activeness enforcement and use it along with the route-exists policy condition.
- Configure a VPN profile for the high availability (ICL) traffic using IKEv2.
- Configure BFD monitoring options.
- Configure a routing policy and routing options.
- Configure appropriate security policies to manage traffic in your network.
- Configure stateless firewall filtering and quality of service (QoS) as per your network requirements.
- Configure interfaces and zones according to your network requirements. You must allow services such as IKE for link encryption and SSH for configuration synchronization as host-inbound system services on the security zone that is associated with the ICL.
In this example, you use static routes on SRX-1 and SRX-2 and advertise these routes into BGP, adding a metric that determines which SRX Series Firewall is on the preferred path. Alternatively, you can use route reflectors on the SRX Series Firewalls to advertise the routes learned via BGP and configure the routing policy to match on BGP accordingly.
You can configure the following options on SRG0 and SRG1:
- SRG1: active/backup signal route, deployment type, activeness priority, preemption, virtual IP address (for default gateway deployments), activeness probing, and process packet on backup.
- SRG1: BFD monitoring, IP monitoring, and interface monitoring options.
- SRG0: shutdown-on-failure and install-on-failure route options.
When you configure monitoring (BFD, IP, or interface) options under SRG1, we recommend that you do not configure the shutdown-on-failure option under SRG0.
For the interchassis link (ICL), we recommend the following configuration settings:
- Use a loopback (lo0) interface over an aggregated Ethernet interface (ae0) or any revenue Ethernet interface to establish the ICL. Do not use the dedicated HA ports (control and fabric ports), if available on your SRX Series Firewall.
- Set an MTU of 1514.
- Allow the following services on the security zone associated with the interfaces used for the ICL:
  - IKE, high-availability, and SSH
  - Protocols depending on the routing protocol you need
  - BFD to monitor the neighboring routes
- The secure tunnel interface units st0.16000 through st0.16385 are reserved for Multinode High Availability. These units are not user configurable. You can only use st0.0 through st0.15999.
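The SRG0/SRG1 caveat and the ICL recommendations above are easy to get wrong in a large set-format configuration, so here is an added Python auditor (written for this page, not a Juniper tool) that checks such a configuration for them: the vpn-profile bound to the peer must be an ha-link-encryption VPN on a v2-only IKE gateway, the zone holding the ICL interface must allow ike, high-availability and ssh host-inbound, the ICL physical interface should carry MTU 1514, no st0 unit may fall in the reserved range, and SRG0 shutdown-on-failure must not be combined with SRG1 monitoring. The sample configuration is constructed and deliberately contains three deviations.

```python
import re

# st0.16000 through st0.16385 are reserved for Multinode High Availability
RESERVED_ST0_UNITS = range(16000, 16386)
# host-inbound system services the ICL zone must allow
ICL_REQUIRED_SERVICES = {"ike", "high-availability", "ssh"}
RECOMMENDED_ICL_MTU = "1514"

# Constructed sample (not the page's configuration): reuses the example's names
# but deliberately lacks ssh on the ICL zone, uses a reserved st0 unit and
# combines SRG0 shutdown-on-failure with SRG1 monitoring.
SAMPLE_CONFIG = """\
set chassis high-availability peer-id 2 interface ge-0/0/6.0
set chassis high-availability peer-id 2 vpn-profile L3HA_IPSEC_VPN
set chassis high-availability services-redundancy-group 0 shutdown-on-failure
set chassis high-availability services-redundancy-group 1 monitor interface ge-0/0/0
set security ike gateway L3HA_IKE_GW version v2-only
set security ipsec vpn L3HA_IPSEC_VPN ha-link-encryption
set security ipsec vpn L3HA_IPSEC_VPN ike gateway L3HA_IKE_GW
set security zones security-zone halink host-inbound-traffic system-services ike
set security zones security-zone halink host-inbound-traffic system-services high-availability
set security zones security-zone halink interfaces ge-0/0/6.0
set interfaces ge-0/0/6 mtu 1514
set interfaces st0 unit 1 family inet
set interfaces st0 unit 16001 family inet
"""


def parse_set_config(text):
    """Return the statements of a set-style config with the leading 'set ' removed."""
    return [ln.strip()[4:] for ln in text.splitlines() if ln.strip().startswith("set ")]


def _find(stmts, pattern):
    """Match objects for every statement that fully matches the regex pattern."""
    rx = re.compile(pattern)
    return [m for m in (rx.fullmatch(s) for s in stmts) if m]


def audit_mnha_config(text):
    """Return a sorted list of findings; an empty list means nothing was flagged."""
    stmts = parse_set_config(text)
    findings = set()

    # 1. The vpn-profile bound to the peer must be an ha-link-encryption VPN whose
    #    IKE gateway is restricted to IKEv2.
    for m in _find(stmts, r"chassis high-availability peer-id (\d+) vpn-profile (\S+)"):
        peer, vpn = m.groups()
        if not _find(stmts, rf"security ipsec vpn {re.escape(vpn)} ha-link-encryption"):
            findings.add(f"peer-id {peer}: vpn-profile {vpn} lacks 'ha-link-encryption'")
        for g in _find(stmts, rf"security ipsec vpn {re.escape(vpn)} ike gateway (\S+)"):
            gw = g.group(1)
            if not _find(stmts, rf"security ike gateway {re.escape(gw)} version v2-only"):
                findings.add(f"ike gateway {gw} used for the ICL is not 'version v2-only'")

    # 2. The zone holding the ICL interface must allow IKE, high-availability and SSH.
    # 3. The physical ICL interface should carry the recommended MTU.
    for m in _find(stmts, r"chassis high-availability peer-id \d+ interface (\S+)"):
        ifl = m.group(1)
        zones = [z.group(1) for z in _find(
            stmts, rf"security zones security-zone (\S+) interfaces {re.escape(ifl)}")]
        if not zones:
            findings.add(f"ICL interface {ifl} is not assigned to any security zone")
        for zone in zones:
            allowed = {s.group(1) for s in _find(
                stmts, rf"security zones security-zone {re.escape(zone)} "
                       rf"host-inbound-traffic system-services (\S+)")}
            if "all" not in allowed:
                for svc in ICL_REQUIRED_SERVICES - allowed:
                    findings.add(f"zone {zone} (ICL): host-inbound system-service '{svc}' is not allowed")
        phys = ifl.split(".")[0]
        if not _find(stmts, rf"interfaces {re.escape(phys)} mtu {RECOMMENDED_ICL_MTU}"):
            findings.add(f"interface {phys} (ICL): MTU {RECOMMENDED_ICL_MTU} not configured")

    # 4. st0 units in the reserved range are not user configurable.
    for m in _find(stmts, r"interfaces st0 unit (\d+)(?: .*)?"):
        unit = int(m.group(1))
        if unit in RESERVED_ST0_UNITS:
            findings.add(f"st0.{unit} is in the reserved range st0.16000-st0.16385")

    # 5. Monitoring under SRG1 should not be combined with shutdown-on-failure under SRG0.
    srg1_monitor = _find(stmts, r"chassis high-availability services-redundancy-group 1 monitor .*")
    srg0_shutdown = _find(stmts, r"chassis high-availability services-redundancy-group 0 shutdown-on-failure")
    if srg1_monitor and srg0_shutdown:
        findings.add("SRG0 'shutdown-on-failure' configured together with SRG1 monitoring")

    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_mnha_config(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of "show configuration | display set" from each node; a clean run returns an empty list.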
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
On SRX-1 Device
set system commit peers-synchronize
set system commit peers srx1600b user fips-user
set system commit peers srx1600b authentication "$9$nz95/CpleWXxdp08X7V4oTz3nCu1RSrKM"
set system services netconf ssh
set system ports console log-out-on-disconnect
set system static-host-mapping srx1600b inet 22.0.0.2
set system syslog file vpn_syslog any info
set system syslog file vpn_syslog match "iked|pkid|kmd|ikemd|authd|jsrpd|chassisd|bfd"
set chassis high-availability local-id 1
set chassis high-availability local-id local-ip 22.0.0.1
set chassis high-availability no-hardware-monitoring
set chassis high-availability peer-id 2 peer-ip 22.0.0.2
set chassis high-availability peer-id 2 interface ge-0/0/6.0
set chassis high-availability peer-id 2 vpn-profile L3HA_IPSEC_VPN
set chassis high-availability peer-id 2 liveness-detection minimum-interval 300
set chassis high-availability peer-id 2 liveness-detection multiplier 3
set chassis high-availability traceoptions file ha.log
set chassis high-availability traceoptions file size 10m
set chassis high-availability traceoptions flag all
set chassis high-availability traceoptions level all
set chassis high-availability services-redundancy-group 0 peer-id 2
set chassis high-availability services-redundancy-group 1 mode active-backup
set chassis high-availability services-redundancy-group 1 deployment-type routing
set chassis high-availability services-redundancy-group 1 peer-id 2
set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip 111.0.0.1
set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip src-ip 11.0.0.1
set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 4.0.0.2 src-ip 4.0.0.1
set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 4.0.0.2 session-type singlehop
set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 4.0.0.2 interface ge-0/0/1.0
set chassis high-availability services-redundancy-group 1 monitor interface ge-0/0/0
set chassis high-availability services-redundancy-group 1 active-signal-route 39.1.1.1
set chassis high-availability services-redundancy-group 1 backup-signal-route 39.1.1.2
set chassis high-availability services-redundancy-group 1 prefix-list SRG1_PFX
set chassis high-availability services-redundancy-group 1 prefix-list SRG1_V6_PFX
set chassis high-availability services-redundancy-group 1 managed-services ipsec
set chassis high-availability services-redundancy-group 1 preemption
set chassis high-availability services-redundancy-group 1 process-packet-on-backup
set chassis high-availability services-redundancy-group 1 activeness-priority 200
set chassis high-availability services-redundancy-group 2 peer-id 2
set chassis high-availability services-redundancy-group 2 activeness-probe dest-ip 111.0.0.1
set chassis high-availability services-redundancy-group 2 activeness-probe dest-ip src-ip 11.1.0.1
set chassis high-availability services-redundancy-group 2 monitor bfd-liveliness 4.0.0.2 src-ip 4.0.0.1
set chassis high-availability services-redundancy-group 2 monitor bfd-liveliness 4.0.0.2 session-type singlehop
set chassis high-availability services-redundancy-group 2 monitor bfd-liveliness 4.0.0.2 interface ge-0/0/1.0
set chassis high-availability services-redundancy-group 2 monitor interface ge-0/0/0
set chassis high-availability services-redundancy-group 2 active-signal-route 49.1.1.1
set chassis high-availability services-redundancy-group 2 backup-signal-route 49.1.1.2
set chassis high-availability services-redundancy-group 2 prefix-list SRG2_PFX
set chassis high-availability services-redundancy-group 2 prefix-list SRG2_V6_PFX
set chassis high-availability services-redundancy-group 2 managed-services ipsec
set chassis high-availability services-redundancy-group 2 process-packet-on-backup
set chassis high-availability services-redundancy-group 2 activeness-priority 100
set security pki traceoptions flag all
set security ike traceoptions file iked
set security ike traceoptions file size 10m
set security ike traceoptions flag all
set security ike traceoptions level 15
set security ike traceoptions trace-buffer
set security ike respond-bad-spi 5
set security ike proposal L3HA_IKE_PROP description l3ha_link_encr_tunnel
set security ike proposal L3HA_IKE_PROP authentication-method pre-shared-keys
set security ike proposal L3HA_IKE_PROP dh-group group14
set security ike proposal L3HA_IKE_PROP authentication-algorithm sha-256
set security ike proposal L3HA_IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal L3HA_IKE_PROP lifetime-seconds 300
set security ike policy L3HA_IKE_POL description l3ha_link_encr_tunnel
set security ike policy L3HA_IKE_POL proposals L3HA_IKE_PROP
set security ike policy L3HA_IKE_POL pre-shared-key hexadecimal "$9$w0YaZDikPTzjiuO"
set security ike gateway L3HA_IKE_GW ike-policy L3HA_IKE_POL
set security ike gateway L3HA_IKE_GW version v2-only
set security ipsec traceoptions flag all
set security ipsec proposal L3HA_IPSEC_PROP description l3ha_link_encr_tunnel
set security ipsec proposal L3HA_IPSEC_PROP protocol esp
set security ipsec proposal L3HA_IPSEC_PROP encryption-algorithm aes-256-gcm
set security ipsec proposal L3HA_IPSEC_PROP lifetime-seconds 300
set security ipsec policy L3HA_IPSEC_POL description l3ha_link_encr_tunnel
set security ipsec policy L3HA_IPSEC_POL proposals L3HA_IPSEC_PROP
set security ipsec vpn L3HA_IPSEC_VPN ha-link-encryption
set security ipsec vpn L3HA_IPSEC_VPN ike gateway L3HA_IKE_GW
set security ipsec vpn L3HA_IPSEC_VPN ike ipsec-policy L3HA_IPSEC_POL
set security forwarding-options family inet6 mode flow-based
set security flow traceoptions file flow.log
set security flow traceoptions file size 100m
set security flow traceoptions flag all
set security policies default-policy permit-all
set security traceoptions file security.log
set security traceoptions file size 100m
set security traceoptions flag all
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic protocols bfd
set security zones security-zone untrust host-inbound-traffic protocols bgp
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces lo0.0
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn host-inbound-traffic protocols all
set security zones security-zone vpn interfaces st0.1
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone halink host-inbound-traffic system-services ike
set security zones security-zone halink host-inbound-traffic system-services ping
set security zones security-zone halink host-inbound-traffic system-services high-availability
set security zones security-zone halink host-inbound-traffic system-services ssh
set security zones security-zone halink host-inbound-traffic protocols bfd
set security zones security-zone halink host-inbound-traffic protocols bgp
set security zones security-zone halink interfaces ge-0/0/6.0
set interfaces ge-0/0/0 description trust
set interfaces ge-0/0/0 unit 0 family inet address 2.0.0.2/16
set interfaces ge-0/0/0 unit 0 family inet6 address 2000::2/64
set interfaces ge-0/0/1 description untrust
set interfaces ge-0/0/1 unit 0 family inet address 4.0.0.1/16
set interfaces ge-0/0/1 unit 0 family inet6 address 4000::1/64
set interfaces ge-0/0/6 description ha_link
set interfaces ge-0/0/6 unit 0 family inet address 22.0.0.1/24
set interfaces ge-0/0/6 unit 0 family inet6 address 2200::1/112
set interfaces lo0 description untrust
set interfaces lo0 unit 0 family inet address 11.0.0.1/32
set interfaces lo0 unit 0 family inet address 11.0.0.11/32
set interfaces lo0 unit 0 family inet address 11.0.0.21/32
set interfaces lo0 unit 0 family inet address 11.0.0.31/32
set interfaces lo0 unit 0 family inet address 11.1.0.1/32
set interfaces lo0 unit 0 family inet address 11.1.0.11/32
set interfaces lo0 unit 0 family inet address 11.1.0.21/32
set interfaces lo0 unit 0 family inet address 11.1.0.31/32
set interfaces lo0 unit 0 family inet6 address 1100::1/128
set interfaces lo0 unit 0 family inet6 address 1100::11/128
set interfaces lo0 unit 0 family inet6 address 1100::21/128
set interfaces lo0 unit 0 family inet6 address 1100::31/128
set interfaces lo0 unit 0 family inet6 address 1101::1/128
set interfaces lo0 unit 0 family inet6 address 1101::11/128
set interfaces lo0 unit 0 family inet6 address 1101::21/128
set interfaces lo0 unit 0 family inet6 address 1101::31/128
set interfaces st0 unit 1 family inet
set interfaces st0 unit 1 family inet6
set policy-options prefix-list SRG1_PFX 11.0.0.0/24
set policy-options prefix-list SRG1_V6_PFX 1100::/112
set policy-options prefix-list SRG2_PFX 11.1.0.0/24
set policy-options prefix-list SRG2_V6_PFX 1101::/112
set policy-options route-filter-list srg1_rf_ip6_list 1100::/112 orlonger
set policy-options route-filter-list srg1_rf_ip6_list 7000::/64 orlonger
set policy-options route-filter-list srg1_rf_list 11.0.0.0/24 orlonger
set policy-options route-filter-list srg1_rf_list 7.0.0.0/16 orlonger
set policy-options route-filter-list srg2_rf_ip6_list 1101::/112 orlonger
set policy-options route-filter-list srg2_rf_ip6_list 9000::/64 orlonger
set policy-options route-filter-list srg2_rf_list 11.1.0.0/24 orlonger
set policy-options route-filter-list srg2_rf_list 9.0.0.0/16 orlonger
set policy-options policy-statement ipsec_pol term 1 from route-filter-list srg1_rf_list
set policy-options policy-statement ipsec_pol term 1 from condition active_route_exists_srg1
set policy-options policy-statement ipsec_pol term 1 then metric 10
set policy-options policy-statement ipsec_pol term 1 then accept
set policy-options policy-statement ipsec_pol term 2 from route-filter-list srg1_rf_list
set policy-options policy-statement ipsec_pol term 2 from condition backup_route_exists_srg1
set policy-options policy-statement ipsec_pol term 2 then metric 20
set policy-options policy-statement ipsec_pol term 2 then accept
set policy-options policy-statement ipsec_pol term 3 from route-filter-list srg2_rf_list
set policy-options policy-statement ipsec_pol term 3 from condition active_route_exists_srg2
set policy-options policy-statement ipsec_pol term 3 then metric 10
set policy-options policy-statement ipsec_pol term 3 then accept
set policy-options policy-statement ipsec_pol term 4 from route-filter-list srg2_rf_list
set policy-options policy-statement ipsec_pol term 4 from condition backup_route_exists_srg2
set policy-options policy-statement ipsec_pol term 4 then metric 20
set policy-options policy-statement ipsec_pol term 4 then accept
set policy-options policy-statement ipsec_pol term 5 from route-filter-list srg1_rf_ip6_list
set policy-options policy-statement ipsec_pol term 5 from condition active_route_exists_srg1
set policy-options policy-statement ipsec_pol term 5 then metric 10
set policy-options policy-statement ipsec_pol term 5 then accept
set policy-options policy-statement ipsec_pol term 6 from route-filter-list srg1_rf_ip6_list
set policy-options policy-statement ipsec_pol term 6 from condition backup_route_exists_srg1
set policy-options policy-statement ipsec_pol term 6 then metric 20
set policy-options policy-statement ipsec_pol term 6 then accept
set policy-options policy-statement ipsec_pol term 7 from route-filter-list srg2_rf_ip6_list
set policy-options policy-statement ipsec_pol term 7 from condition active_route_exists_srg2
set policy-options policy-statement ipsec_pol term 7 then metric 10
set policy-options policy-statement ipsec_pol term 7 then accept
set policy-options policy-statement ipsec_pol term 8 from route-filter-list srg2_rf_ip6_list
set policy-options policy-statement ipsec_pol term 8 from condition backup_route_exists_srg2
set policy-options policy-statement ipsec_pol term 8 then metric 20
set policy-options policy-statement ipsec_pol term 8 then accept
set policy-options policy-statement ipsec_pol term 9 from protocol ari-ts
set policy-options policy-statement ipsec_pol term 9 from protocol static
set policy-options policy-statement ipsec_pol term 9 from protocol direct
set policy-options policy-statement ipsec_pol term 9 then metric 30
set policy-options policy-statement ipsec_pol term 9 then accept
set policy-options policy-statement ipsec_pol term default then reject
set policy-options condition active_route_exists_srg1 if-route-exists address-family inet 39.1.1.1/32
set policy-options condition active_route_exists_srg1 if-route-exists address-family inet table inet.0
set policy-options condition active_route_exists_srg2 if-route-exists address-family inet 49.1.1.1/32
set policy-options condition active_route_exists_srg2 if-route-exists address-family inet table inet.0
set policy-options condition backup_route_exists_srg1 if-route-exists address-family inet 39.1.1.2/32
set policy-options condition backup_route_exists_srg1 if-route-exists address-family inet table inet.0
set policy-options condition backup_route_exists_srg2 if-route-exists address-family inet 49.1.1.2/32
set policy-options condition backup_route_exists_srg2 if-route-exists address-family inet table inet.0
set protocols bfd traceoptions flag all
set protocols bgp group trust type internal
set protocols bgp group trust local-address 2.0.0.2
set protocols bgp group trust export ipsec_pol
set protocols bgp group trust local-as 100
set protocols bgp group trust bfd-liveness-detection minimum-interval 500
set protocols bgp group trust bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group trust bfd-liveness-detection multiplier 3
set protocols bgp group trust neighbor 2.0.0.1
set protocols bgp group untrust type internal
set protocols bgp group untrust local-address 4.0.0.1
set protocols bgp group untrust export ipsec_pol
set protocols bgp group untrust local-as 100
set protocols bgp group untrust bfd-liveness-detection minimum-interval 500
set protocols bgp group untrust bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group untrust bfd-liveness-detection multiplier 3
set protocols bgp group untrust neighbor 4.0.0.2
set protocols bgp group trust_ip6 type internal
set protocols bgp group trust_ip6 local-address 2000::2
set protocols bgp group trust_ip6 export ipsec_pol
set protocols bgp group trust_ip6 local-as 100
set protocols bgp group trust_ip6 bfd-liveness-detection minimum-interval 500
set protocols bgp group trust_ip6 bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group trust_ip6 bfd-liveness-detection multiplier 3
set protocols bgp group trust_ip6 neighbor 2000::1
set protocols bgp group untrust_ip6 type internal
set protocols bgp group untrust_ip6 local-address 4000::1
set protocols bgp group untrust_ip6 export ipsec_pol
set protocols bgp group untrust_ip6 local-as 100
set protocols bgp group untrust_ip6 bfd-liveness-detection minimum-interval 500
set protocols bgp group untrust_ip6 bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group untrust_ip6 bfd-liveness-detection multiplier 3
set protocols bgp group untrust_ip6 neighbor 4000::2
set routing-options rib inet6.0 static route 1000::/64 next-hop 2000::1
set routing-options rib inet6.0 static route 1110::1/128 next-hop 2000::1
set routing-options rib inet6.0 static route 1110::2/128 next-hop 4000::2
set routing-options rib inet6.0 static route 1200::/96 next-hop 4000::2
set routing-options rib inet6.0 static route 6000::/64 next-hop 4000::2
set routing-options rib inet6.0 static route 8000::/64 next-hop 2000::1
set routing-options autonomous-system 100
set routing-options static route 1.0.0.0/16 next-hop 2.0.0.1
set routing-options static route 8.0.0.0/16 next-hop 2.0.0.1
set routing-options static route 12.0.0.0/8 next-hop 4.0.0.2
set routing-options static route 111.0.0.1/32 next-hop 2.0.0.1
set routing-options static route 111.0.0.2/32 next-hop 4.0.0.2
On SRX-2 Device
set system services netconf ssh
set system ports console log-out-on-disconnect
set system syslog file vpn_syslog any info
set system syslog file vpn_syslog match "iked|pkid|kmd|ikemd|authd|jsrpd|chassisd|bfd"
set chassis high-availability local-id 2
set chassis high-availability local-id local-ip 22.0.0.2
set chassis high-availability no-hardware-monitoring
set chassis high-availability peer-id 1 peer-ip 22.0.0.1
set chassis high-availability peer-id 1 interface ge-0/0/6.0
set chassis high-availability peer-id 1 vpn-profile L3HA_IPSEC_VPN
set chassis high-availability peer-id 1 liveness-detection minimum-interval 300
set chassis high-availability peer-id 1 liveness-detection multiplier 3
set chassis high-availability traceoptions file ha.log
set chassis high-availability traceoptions file size 10m
set chassis high-availability traceoptions flag all
set chassis high-availability traceoptions level all
set chassis high-availability services-redundancy-group 0 peer-id 1
set chassis high-availability services-redundancy-group 1 mode active-backup
set chassis high-availability services-redundancy-group 1 deployment-type routing
set chassis high-availability services-redundancy-group 1 peer-id 1
set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip 111.0.0.1
set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip src-ip 11.0.0.1
set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 5.0.0.2 src-ip 5.0.0.1
set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 5.0.0.2 session-type singlehop
set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 5.0.0.2 interface ge-0/0/1.0
set chassis high-availability services-redundancy-group 1 monitor interface ge-0/0/0
set chassis high-availability services-redundancy-group 1 active-signal-route 39.1.1.1
set chassis high-availability services-redundancy-group 1 backup-signal-route 39.1.1.2
set chassis high-availability services-redundancy-group 1 prefix-list SRG1_PFX
set chassis high-availability services-redundancy-group 1 prefix-list SRG1_V6_PFX
set chassis high-availability services-redundancy-group 1 managed-services ipsec
set chassis high-availability services-redundancy-group 1 process-packet-on-backup
set chassis high-availability services-redundancy-group 1 activeness-priority 100
set chassis high-availability services-redundancy-group 2 peer-id 1
set chassis high-availability services-redundancy-group 2 activeness-probe dest-ip 111.0.0.1
set chassis high-availability services-redundancy-group 2 activeness-probe dest-ip src-ip 11.1.0.1
set chassis high-availability services-redundancy-group 2 monitor bfd-liveliness 5.0.0.2 src-ip 5.0.0.1
set chassis high-availability services-redundancy-group 2 monitor bfd-liveliness 5.0.0.2 session-type singlehop
set chassis high-availability services-redundancy-group 2 monitor bfd-liveliness 5.0.0.2 interface ge-0/0/1.0
set chassis high-availability services-redundancy-group 2 monitor interface ge-0/0/0
set chassis high-availability services-redundancy-group 2 active-signal-route 49.1.1.1
set chassis high-availability services-redundancy-group 2 backup-signal-route 49.1.1.2
set chassis high-availability services-redundancy-group 2 prefix-list SRG2_PFX
set chassis high-availability services-redundancy-group 2 prefix-list SRG2_V6_PFX
set chassis high-availability services-redundancy-group 2 managed-services ipsec
set chassis high-availability services-redundancy-group 2 preemption
set chassis high-availability services-redundancy-group 2 process-packet-on-backup
set chassis high-availability services-redundancy-group 2 activeness-priority 200
set security ike traceoptions file iked
set security ike traceoptions file size 10m
set security ike traceoptions flag all
set security ike traceoptions level 15
set security ike respond-bad-spi 5
set security ike proposal L3HA_IKE_PROP description l3ha_link_encr_tunnel
set security ike proposal L3HA_IKE_PROP authentication-method pre-shared-keys
set security ike proposal L3HA_IKE_PROP dh-group group14
set security ike proposal L3HA_IKE_PROP authentication-algorithm sha-256
set security ike proposal L3HA_IKE_PROP encryption-algorithm aes-256-cbc
set security ike proposal L3HA_IKE_PROP lifetime-seconds 300
set security ike policy L3HA_IKE_POL description l3ha_link_encr_tunnel
set security ike policy L3HA_IKE_POL proposals L3HA_IKE_PROP
set security ike policy L3HA_IKE_POL pre-shared-key hexadecimal "$9$w0YaZDikPTzjiuO"
set security ike gateway L3HA_IKE_GW ike-policy L3HA_IKE_POL
set security ike gateway L3HA_IKE_GW version v2-only
set security ipsec traceoptions flag all
set security ipsec proposal L3HA_IPSEC_PROP description l3ha_link_encr_tunnel
set security ipsec proposal L3HA_IPSEC_PROP protocol esp
set security ipsec proposal L3HA_IPSEC_PROP encryption-algorithm aes-256-gcm
set security ipsec proposal L3HA_IPSEC_PROP lifetime-seconds 300
set security ipsec policy L3HA_IPSEC_POL description l3ha_link_encr_tunnel
set security ipsec policy L3HA_IPSEC_POL proposals L3HA_IPSEC_PROP
set security ipsec vpn L3HA_IPSEC_VPN ha-link-encryption
set security ipsec vpn L3HA_IPSEC_VPN ike gateway L3HA_IKE_GW
set security ipsec vpn L3HA_IPSEC_VPN ike ipsec-policy L3HA_IPSEC_POL
set security forwarding-options family inet6 mode flow-based
set security flow traceoptions file flow.log
set security flow traceoptions file size 100m
set security flow traceoptions flag all
set security policies default-policy permit-all
set security traceoptions file security.log
set security traceoptions file size 100m
set security traceoptions flag all
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic protocols bfd
set security zones security-zone untrust host-inbound-traffic protocols bgp
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces lo0.0
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn host-inbound-traffic protocols all
set security zones security-zone vpn interfaces st0.1
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone halink host-inbound-traffic system-services ike
set security zones security-zone halink host-inbound-traffic system-services ping
set security zones security-zone halink host-inbound-traffic system-services high-availability
set security zones security-zone halink host-inbound-traffic system-services ssh
set security zones security-zone halink host-inbound-traffic protocols bfd
set security zones security-zone halink host-inbound-traffic protocols bgp
set security zones security-zone halink interfaces ge-0/0/6.0
set interfaces ge-0/0/0 description trust
set interfaces ge-0/0/0 unit 0 family inet address 3.0.0.2/16
set interfaces ge-0/0/0 unit 0 family inet6 address 3000::2/64
set interfaces ge-0/0/1 description untrust
set interfaces ge-0/0/1 unit 0 family inet address 5.0.0.1/16
set interfaces ge-0/0/1 unit 0 family inet6 address 5000::1/64
set interfaces ge-0/0/6 description ha_link
set interfaces ge-0/0/6 unit 0 family inet address 22.0.0.2/24
set interfaces ge-0/0/6 unit 0 family inet6 address 2200::2/112
set interfaces lo0 description untrust
set interfaces lo0 unit 0 family inet address 11.0.0.1/32
set interfaces lo0 unit 0 family inet address 11.0.0.11/32
set interfaces lo0 unit 0 family inet address 11.0.0.21/32
set interfaces lo0 unit 0 family inet address 11.0.0.31/32
set interfaces lo0 unit 0 family inet address 11.1.0.1/32
set interfaces lo0 unit 0 family inet address 11.1.0.11/32
set interfaces lo0 unit 0 family inet address 11.1.0.21/32
set interfaces lo0 unit 0 family inet address 11.1.0.31/32
set interfaces lo0 unit 0 family inet6 address 1100::1/128
set interfaces lo0 unit 0 family inet6 address 1100::11/128
set interfaces lo0 unit 0 family inet6 address 1100::21/128
set interfaces lo0 unit 0 family inet6 address 1100::31/128
set interfaces lo0 unit 0 family inet6 address 1101::1/128
set interfaces lo0 unit 0 family inet6 address 1101::11/128
set interfaces lo0 unit 0 family inet6 address 1101::21/128
set interfaces lo0 unit 0 family inet6 address 1101::31/128
set interfaces st0 unit 1 family inet
set interfaces st0 unit 1 family inet6
set policy-options prefix-list SRG1_PFX 11.0.0.0/24
set policy-options prefix-list SRG1_V6_PFX 1100::/112
set policy-options prefix-list SRG2_PFX 11.1.0.0/24
set policy-options prefix-list SRG2_V6_PFX 1101::/112
set policy-options route-filter-list srg1_rf_ip6_list 1100::/112 orlonger
set policy-options route-filter-list srg1_rf_ip6_list 7000::/64 orlonger
set policy-options route-filter-list srg1_rf_list 11.0.0.0/24 orlonger
set policy-options route-filter-list srg1_rf_list 7.0.0.0/16 orlonger
set policy-options route-filter-list srg2_rf_ip6_list 1101::/112 orlonger
set policy-options route-filter-list srg2_rf_ip6_list 9000::/64 orlonger
set policy-options route-filter-list srg2_rf_list 11.1.0.0/24 orlonger
set policy-options route-filter-list srg2_rf_list 9.0.0.0/16 orlonger
set policy-options policy-statement ipsec_pol term 1 from route-filter-list srg1_rf_list
set policy-options policy-statement ipsec_pol term 1 from condition active_route_exists_srg1
set policy-options policy-statement ipsec_pol term 1 then metric 10
set policy-options policy-statement ipsec_pol term 1 then accept
set policy-options policy-statement ipsec_pol term 2 from route-filter-list srg1_rf_list
set policy-options policy-statement ipsec_pol term 2 from condition backup_route_exists_srg1
set policy-options policy-statement ipsec_pol term 2 then metric 20
set policy-options policy-statement ipsec_pol term 2 then accept
set policy-options policy-statement ipsec_pol term 3 from route-filter-list srg2_rf_list
set policy-options policy-statement ipsec_pol term 3 from condition active_route_exists_srg2
set policy-options policy-statement ipsec_pol term 3 then metric 10
set policy-options policy-statement ipsec_pol term 3 then accept
set policy-options policy-statement ipsec_pol term 4 from route-filter-list srg2_rf_list
set policy-options policy-statement ipsec_pol term 4 from condition backup_route_exists_srg2
set policy-options policy-statement ipsec_pol term 4 then metric 20
set policy-options policy-statement ipsec_pol term 4 then accept
set policy-options policy-statement ipsec_pol term 5 from route-filter-list srg1_rf_ip6_list
set policy-options policy-statement ipsec_pol term 5 from condition active_route_exists_srg1
set policy-options policy-statement ipsec_pol term 5 then metric 10
set policy-options policy-statement ipsec_pol term 5 then accept
set policy-options policy-statement ipsec_pol term 6 from route-filter-list srg1_rf_ip6_list
set policy-options policy-statement ipsec_pol term 6 from condition backup_route_exists_srg1
set policy-options policy-statement ipsec_pol term 6 then metric 20
set policy-options policy-statement ipsec_pol term 6 then accept
set policy-options policy-statement ipsec_pol term 7 from route-filter-list srg2_rf_ip6_list
set policy-options policy-statement ipsec_pol term 7 from condition active_route_exists_srg2
set policy-options policy-statement ipsec_pol term 7 then metric 10
set policy-options policy-statement ipsec_pol term 7 then accept
set policy-options policy-statement ipsec_pol term 8 from route-filter-list srg2_rf_ip6_list
set policy-options policy-statement ipsec_pol term 8 from condition backup_route_exists_srg2
set policy-options policy-statement ipsec_pol term 8 then metric 20
set policy-options policy-statement ipsec_pol term 8 then accept
set policy-options policy-statement ipsec_pol term 9 from protocol ari-ts
set policy-options policy-statement ipsec_pol term 9 from protocol static
set policy-options policy-statement ipsec_pol term 9 from protocol direct
set policy-options policy-statement ipsec_pol term 9 then metric 30
set policy-options policy-statement ipsec_pol term 9 then accept
set policy-options policy-statement ipsec_pol term default then reject
set policy-options condition active_route_exists_srg1 if-route-exists address-family inet 39.1.1.1/32
set policy-options condition active_route_exists_srg1 if-route-exists address-family inet table inet.0
set policy-options condition active_route_exists_srg2 if-route-exists address-family inet 49.1.1.1/32
set policy-options condition active_route_exists_srg2 if-route-exists address-family inet table inet.0
set policy-options condition backup_route_exists_srg1 if-route-exists address-family inet 39.1.1.2/32
set policy-options condition backup_route_exists_srg1 if-route-exists address-family inet table inet.0
set policy-options condition backup_route_exists_srg2 if-route-exists address-family inet 49.1.1.2/32
set policy-options condition backup_route_exists_srg2 if-route-exists address-family inet table inet.0
set protocols bfd traceoptions flag all
set protocols bgp group trust type internal
set protocols bgp group trust local-address 3.0.0.2
set protocols bgp group trust export ipsec_pol
set protocols bgp group trust local-as 100
set protocols bgp group trust bfd-liveness-detection minimum-interval 500
set protocols bgp group trust bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group trust bfd-liveness-detection multiplier 3
set protocols bgp group trust neighbor 3.0.0.1
set protocols bgp group untrust type internal
set protocols bgp group untrust local-address 5.0.0.1
set protocols bgp group untrust export ipsec_pol
set protocols bgp group untrust local-as 100
set protocols bgp group untrust bfd-liveness-detection minimum-interval 500
set protocols bgp group untrust bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group untrust bfd-liveness-detection multiplier 3
set protocols bgp group untrust neighbor 5.0.0.2
set protocols bgp group trust_ip6 type internal
set protocols bgp group trust_ip6 local-address 3000::2
set protocols bgp group trust_ip6 export ipsec_pol
set protocols bgp group trust_ip6 local-as 100
set protocols bgp group trust_ip6 bfd-liveness-detection minimum-interval 500
set protocols bgp group trust_ip6 bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group trust_ip6 bfd-liveness-detection multiplier 3
set protocols bgp group trust_ip6 neighbor 3000::1
set protocols bgp group untrust_ip6 type internal
set protocols bgp group untrust_ip6 local-address 5000::1
set protocols bgp group untrust_ip6 export ipsec_pol
set protocols bgp group untrust_ip6 local-as 100
set protocols bgp group untrust_ip6 bfd-liveness-detection minimum-interval 500
set protocols bgp group untrust_ip6 bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group untrust_ip6 bfd-liveness-detection multiplier 3
set protocols bgp group untrust_ip6 neighbor 5000::2
set routing-options rib inet6.0 static route 1000::/64 next-hop 3000::1
set routing-options rib inet6.0 static route 1110::1/128 next-hop 3000::1
set routing-options rib inet6.0 static route 1110::2/128 next-hop 5000::2
set routing-options rib inet6.0 static route 1200::/96 next-hop 5000::2
set routing-options rib inet6.0 static route 6000::/64 next-hop 5000::2
set routing-options rib inet6.0 static route 8000::/64 next-hop 3000::1
set routing-options autonomous-system 100
set routing-options static route 1.0.0.0/16 next-hop 3.0.0.1
set routing-options static route 6.0.0.0/16 next-hop 5.0.0.2
set routing-options static route 8.0.0.0/16 next-hop 3.0.0.1
set routing-options static route 12.0.0.0/8 next-hop 5.0.0.2
set routing-options static route 111.0.0.1/32 next-hop 3.0.0.1
set routing-options static
route 111.0.0.2/32 next-hop 5.0.0.2
The following sections show the configuration snippets on the routers that are required for setting up Multinode High Availability in the network.
Router(vsrx) SRX1_A1
set security forwarding-options family inet6 mode flow-based
set security policies default-policy permit-all
set security zones security-zone lan host-inbound-traffic system-services all
set security zones security-zone lan host-inbound-traffic protocols all
set security zones security-zone lan interfaces ge-0/0/2.0
set security zones security-zone lan interfaces ge-0/0/3.0
set security zones security-zone l3ha host-inbound-traffic system-services all
set security zones security-zone l3ha host-inbound-traffic protocols all
set security zones security-zone l3ha interfaces ge-0/0/0.0
set security zones security-zone l3ha interfaces ge-0/0/1.0
set security zones security-zone loopback host-inbound-traffic system-services all
set security zones security-zone loopback host-inbound-traffic protocols all
set security zones security-zone loopback interfaces lo0.0
set interfaces ge-0/0/0 description l3ha_1
set interfaces ge-0/0/0 unit 0 family inet address 2.0.0.1/16
set interfaces ge-0/0/0 unit 0 family inet6 address 2000::1/64
set interfaces ge-0/0/1 description l3ha_2
set interfaces ge-0/0/1 unit 0 family inet address 3.0.0.1/16
set interfaces ge-0/0/1 unit 0 family inet6 address 3000::1/64
set interfaces ge-0/0/2 description lan
set interfaces ge-0/0/2 unit 0 family inet address 1.0.0.1/16
set interfaces ge-0/0/2 unit 0 family inet6 address 1000::1/64
set interfaces ge-0/0/3 description l3ha_3
set interfaces ge-0/0/3 unit 0 family inet address 8.0.0.1/16
set interfaces ge-0/0/3 unit 0 family inet6 address 8000::1/64
set interfaces lo0 description loopback
set interfaces lo0 unit 0 family inet address 111.0.0.1/32 primary
set interfaces lo0 unit 0 family inet address 111.0.0.1/32 preferred
set interfaces lo0 unit 0 family inet6 address 1110::1/128 primary
set interfaces lo0 unit 0 family inet6 address 1110::1/128 preferred
set protocols bgp group l3ha_r0 type internal
set protocols bgp group l3ha_r0 local-address 2.0.0.1
set protocols bgp group l3ha_r0 local-as 100
set protocols bgp group l3ha_r0 bfd-liveness-detection minimum-interval 500
set protocols bgp group l3ha_r0 bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group l3ha_r0 bfd-liveness-detection multiplier 3
set protocols bgp group l3ha_r0 neighbor 2.0.0.2
set protocols bgp group l3ha_r0_b type internal
set protocols bgp group l3ha_r0_b local-address 3.0.0.1
set protocols bgp group l3ha_r0_b local-as 100
set protocols bgp group l3ha_r0_b bfd-liveness-detection minimum-interval 500
set protocols bgp group l3ha_r0_b bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group l3ha_r0_b bfd-liveness-detection multiplier 3
set protocols bgp group l3ha_r0_b neighbor 3.0.0.2
set protocols bgp group l3ha_r0_ip6 type internal
set protocols bgp group l3ha_r0_ip6 local-address 2000::1
set protocols bgp group l3ha_r0_ip6 local-as 100
set protocols bgp group l3ha_r0_ip6 bfd-liveness-detection minimum-interval 500
set protocols bgp group l3ha_r0_ip6 bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group l3ha_r0_ip6 bfd-liveness-detection multiplier 3
set protocols bgp group l3ha_r0_ip6 neighbor 2000::2
set protocols bgp group l3ha_r0_b_ip6 type internal
set protocols bgp group l3ha_r0_b_ip6 local-address 3000::1
set protocols bgp group l3ha_r0_b_ip6 local-as 100
set protocols bgp group l3ha_r0_b_ip6 bfd-liveness-detection minimum-interval 500
set protocols bgp group l3ha_r0_b_ip6 bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group l3ha_r0_b_ip6 bfd-liveness-detection multiplier 3
set protocols bgp group l3ha_r0_b_ip6 neighbor 3000::2
set routing-options autonomous-system 100
Router(vsrx) SRX1_A2
set security forwarding-options family inet6 mode flow-based
set security policies default-policy permit-all
set security zones security-zone lan host-inbound-traffic system-services all
set security zones security-zone lan host-inbound-traffic protocols all
set security zones security-zone lan interfaces ge-0/0/2.0
set security zones security-zone l3ha host-inbound-traffic system-services all
set security zones security-zone l3ha host-inbound-traffic protocols all
set security zones security-zone l3ha interfaces ge-0/0/0.0
set security zones security-zone l3ha interfaces ge-0/0/1.0
set security zones security-zone loopback host-inbound-traffic system-services all
set security zones security-zone loopback host-inbound-traffic protocols all
set security zones security-zone loopback interfaces lo0.0
set interfaces ge-0/0/0 description l3ha_1
set interfaces ge-0/0/0 unit 0 family inet address 4.0.0.2/16
set interfaces ge-0/0/0 unit 0 family inet6 address 4000::2/64
set interfaces ge-0/0/1 description l3ha_2
set interfaces ge-0/0/1 unit 0 family inet address 5.0.0.2/16
set interfaces ge-0/0/1 unit 0 family inet6 address 5000::2/64
set interfaces ge-0/0/2 description lan
set interfaces ge-0/0/2 unit 0 family inet address 6.0.0.1/16
set interfaces ge-0/0/2 unit 0 family inet6 address 6000::1/64
set interfaces lo0 description loopback
set interfaces lo0 unit 0 family inet address 111.0.0.2/32 primary
set interfaces lo0 unit 0 family inet address 111.0.0.2/32 preferred
set interfaces lo0 unit 0 family inet6 address 1110::2/128 primary
set interfaces lo0 unit 0 family inet6 address 1110::2/128 preferred
set protocols bgp group l3ha_r0 type internal
set protocols bgp group l3ha_r0 local-address 4.0.0.2
set protocols bgp group l3ha_r0 local-as 100
set protocols bgp group l3ha_r0 bfd-liveness-detection minimum-interval 500
set protocols bgp group l3ha_r0 bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group l3ha_r0 bfd-liveness-detection multiplier 3
set protocols bgp group l3ha_r0 neighbor 4.0.0.1
set protocols bgp group l3ha_r0_b type internal
set protocols bgp group l3ha_r0_b local-address 5.0.0.2
set protocols bgp group l3ha_r0_b local-as 100
set protocols bgp group l3ha_r0_b bfd-liveness-detection minimum-interval 500
set protocols bgp group l3ha_r0_b bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group l3ha_r0_b bfd-liveness-detection multiplier 3
set protocols bgp group l3ha_r0_b neighbor 5.0.0.1
set protocols bgp group l3ha_r0_ip6 type internal
set protocols bgp group l3ha_r0_ip6 local-address 4000::2
set protocols bgp group l3ha_r0_ip6 local-as 100
set protocols bgp group l3ha_r0_ip6 bfd-liveness-detection minimum-interval 500
set protocols bgp group l3ha_r0_ip6 bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group l3ha_r0_ip6 bfd-liveness-detection multiplier 3
set protocols bgp group l3ha_r0_ip6 neighbor 4000::1
set protocols bgp group l3ha_r0_b_ip6 type internal
set protocols bgp group l3ha_r0_b_ip6 local-address 5000::2
set protocols bgp group l3ha_r0_b_ip6 local-as 100
set protocols bgp group l3ha_r0_b_ip6 bfd-liveness-detection minimum-interval 500
set protocols bgp group l3ha_r0_b_ip6 bfd-liveness-detection minimum-receive-interval 500
set protocols bgp group l3ha_r0_b_ip6 bfd-liveness-detection multiplier 3
set protocols bgp group l3ha_r0_b_ip6 neighbor 5000::1
set routing-options rib inet6.0 static route 1200::/96 next-hop 6000::2
set routing-options autonomous-system 100
set routing-options static route 12.0.0.0/8 next-hop 6.0.0.2
Configuration
Step-by-Step Procedure
We're showing the configuration of SRX-1 in the step-by-step procedure.
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
-
Configure interfaces.
[edit]
user@host# set interfaces ge-0/0/0 description trust
user@host# set interfaces ge-0/0/1 description untrust
user@host# set interfaces ge-0/0/6 description ha_link
We're using the ge-0/0/0 and ge-0/0/1 interfaces to connect to the upstream and downstream routers, and the ge-0/0/6 interface to set up the ICL.
-
Configure the loopback interfaces.
[edit]
user@host# set interfaces lo0 description "untrust" unit 0 family inet address 11.0.0.1/32
The IP address (11.0.0.1) assigned to the loopback interface will be used as the floating IP address.
Using the loopback interface ensures that at any given point, traffic from the adjacent routers will be steered toward the floating IP address (that is, toward the active node).
-
Configure security zones, assign interfaces to the zones, and specify the allowed system services for the security zones.
[edit]
user@host# set security zones security-zone untrust host-inbound-traffic system-services ike
user@host# set security zones security-zone untrust host-inbound-traffic system-services ping
user@host# set security zones security-zone untrust host-inbound-traffic protocols bfd
user@host# set security zones security-zone untrust host-inbound-traffic protocols bgp
user@host# set security zones security-zone untrust interfaces ge-0/0/1.0
user@host# set security zones security-zone untrust interfaces lo0.0
user@host# set security zones security-zone vpn host-inbound-traffic system-services all
user@host# set security zones security-zone vpn host-inbound-traffic protocols all
user@host# set security zones security-zone vpn interfaces st0.1
user@host# set security zones security-zone trust host-inbound-traffic system-services all
user@host# set security zones security-zone trust host-inbound-traffic protocols all
user@host# set security zones security-zone trust interfaces ge-0/0/0.0
user@host# set security zones security-zone halink host-inbound-traffic system-services ike
user@host# set security zones security-zone halink host-inbound-traffic system-services ping
user@host# set security zones security-zone halink host-inbound-traffic system-services high-availability
user@host# set security zones security-zone halink host-inbound-traffic system-services ssh
user@host# set security zones security-zone halink host-inbound-traffic protocols bfd
user@host# set security zones security-zone halink host-inbound-traffic protocols bgp
user@host# set security zones security-zone halink interfaces ge-0/0/6.0
Assign the interfaces ge-0/0/0 and ge-0/0/1 to the trust and untrust zones, respectively. Assign the lo0.0 interface to the untrust zone to connect over the public IP network. Assign the interface ge-0/0/6 to the halink zone; you use this zone to set up the ICL.
-
Configure routing options.
[edit]
user@host# set routing-options autonomous-system 100
user@host# set routing-options static route 1.0.0.0/16 next-hop 2.0.0.1
user@host# set routing-options static route 8.0.0.0/16 next-hop 2.0.0.1
user@host# set routing-options static route 12.0.0.0/8 next-hop 4.0.0.2
user@host# set routing-options static route 111.0.0.1/32 next-hop 2.0.0.1
user@host# set routing-options static route 111.0.0.2/32 next-hop 4.0.0.2
-
Configure both local node and peer node details such as the node ID, the IP addresses of the local node and peer node, and the interface for the peer node.
[edit]
user@host# set chassis high-availability local-id 1
user@host# set chassis high-availability local-id local-ip 22.0.0.1
user@host# set chassis high-availability no-hardware-monitoring
user@host# set chassis high-availability peer-id 2 peer-ip 22.0.0.2
user@host# set chassis high-availability peer-id 2 interface ge-0/0/6.0
You'll use the ge-0/0/6 interface for communicating with the peer node using the ICL.
-
Attach the IPsec VPN profile L3HA_IPSEC_VPN to the peer node.
[edit]
user@host# set chassis high-availability peer-id 2 vpn-profile L3HA_IPSEC_VPN
You'll need this configuration to establish a secure L3HA link between the nodes.
-
Configure Bidirectional Forwarding Detection (BFD) protocol options for the peer node.
[edit]
user@host# set chassis high-availability peer-id 2 liveness-detection minimum-interval 300
user@host# set chassis high-availability peer-id 2 liveness-detection multiplier 3
-
Associate the peer node ID 2 to the services redundancy group 0 (SRG0).
[edit]
user@host# set chassis high-availability services-redundancy-group 0 peer-id 2
-
Configure the services redundancy group 1 (SRG1).
In this step, you are specifying the deployment type as routing because you are setting up Multinode High Availability in a Layer 3 network.
[edit]
user@host# set chassis high-availability services-redundancy-group 1 mode active-backup
user@host# set chassis high-availability services-redundancy-group 1 deployment-type routing
user@host# set chassis high-availability services-redundancy-group 1 peer-id 2
-
Set up activeness determination parameters for SRG1.
[edit]
user@host# set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip 111.0.0.1
user@host# set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip src-ip 11.0.0.1
Use the floating IP address (11.0.0.1) as the source IP address and the IP address of the upstream router (111.0.0.1) as the destination IP address for the activeness determination probe.
You can configure up to 64 IP addresses for IP monitoring and activeness probing. The total of 64 IP addresses is the sum of the IPv4 and IPv6 addresses.
-
Configure BFD monitoring parameters for SRG1 to detect failures in the network.
[edit]
user@host# set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 4.0.0.2 src-ip 4.0.0.1
user@host# set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 4.0.0.2 session-type singlehop
user@host# set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 4.0.0.2 interface ge-0/0/1.0
-
Configure an active signal route required for activeness enforcement.
In this step, the active SRX Series Firewall creates the route with IP address 39.1.1.1 and the backup SRX Series Firewall creates the route with IP address 39.1.1.2, depending on the configuration. In this example, the policy on SRX-1 matches on 39.1.1.1 (since it is active) and advertises static/direct routes with a metric of 10, making them preferred. The policy on SRX-2 matches on 39.1.1.2 (since it is backup) and advertises static/direct routes with a metric of 20, making them less preferred.
[edit]
user@host# set chassis high-availability services-redundancy-group 1 active-signal-route 39.1.1.1
user@host# set chassis high-availability services-redundancy-group 1 backup-signal-route 39.1.1.2
user@host# set chassis high-availability services-redundancy-group 1 preemption
user@host# set chassis high-availability services-redundancy-group 1 activeness-priority 200
The active signal route IP address you assign is used for route preference advertisement. You must specify the active signal route along with the route-exists policy in the policy-options statement.
-
Configure policy options.
[edit]
user@host# set policy-options condition active_route_exists_srg1 if-route-exists address-family inet 39.1.1.1/32
user@host# set policy-options condition active_route_exists_srg1 if-route-exists address-family inet table inet.0
user@host# set policy-options policy-statement ipsec_pol term 1 from route-filter-list srg1_rf_list
user@host# set policy-options policy-statement ipsec_pol term 1 from condition active_route_exists_srg1
user@host# set policy-options policy-statement ipsec_pol term 1 then metric 10
user@host# set policy-options policy-statement ipsec_pol term 1 then accept
user@host# set policy-options policy-statement ipsec_pol term 2 from route-filter-list srg1_rf_list
user@host# set policy-options policy-statement ipsec_pol term 2 from condition backup_route_exists_srg1
user@host# set policy-options policy-statement ipsec_pol term 2 then metric 20
user@host# set policy-options policy-statement ipsec_pol term 2 then accept
user@host# set policy-options policy-statement ipsec_pol term 3 from route-filter-list srg2_rf_list
user@host# set policy-options policy-statement ipsec_pol term 3 from condition active_route_exists_srg2
user@host# set policy-options policy-statement ipsec_pol term 3 then metric 10
user@host# set policy-options policy-statement ipsec_pol term 3 then accept
user@host# set policy-options policy-statement ipsec_pol term 4 from route-filter-list srg2_rf_list
user@host# set policy-options policy-statement ipsec_pol term 4 from condition backup_route_exists_srg2
user@host# set policy-options policy-statement ipsec_pol term 4 then metric 20
user@host# set policy-options policy-statement ipsec_pol term 4 then accept
user@host# set policy-options policy-statement ipsec_pol term 5 from route-filter-list srg1_rf_ip6_list
user@host# set policy-options policy-statement ipsec_pol term 5 from condition active_route_exists_srg1
user@host# set policy-options policy-statement ipsec_pol term 5 then metric 10
user@host# set policy-options policy-statement ipsec_pol term 5 then accept
user@host# set policy-options policy-statement ipsec_pol term 6 from route-filter-list srg1_rf_ip6_list
user@host# set policy-options policy-statement ipsec_pol term 6 from condition backup_route_exists_srg1
user@host# set policy-options policy-statement ipsec_pol term 6 then metric 20
user@host# set policy-options policy-statement ipsec_pol term 6 then accept
user@host# set policy-options policy-statement ipsec_pol term 7 from route-filter-list srg2_rf_ip6_list
user@host# set policy-options policy-statement ipsec_pol term 7 from condition active_route_exists_srg2
user@host# set policy-options policy-statement ipsec_pol term 7 then metric 10
user@host# set policy-options policy-statement ipsec_pol term 7 then accept
user@host# set policy-options policy-statement ipsec_pol term 8 from route-filter-list srg2_rf_ip6_list
user@host# set policy-options policy-statement ipsec_pol term 8 from condition backup_route_exists_srg2
user@host# set policy-options policy-statement ipsec_pol term 8 then metric 20
user@host# set policy-options policy-statement ipsec_pol term 8 then accept
user@host# set policy-options policy-statement ipsec_pol term 9 from protocol ari-ts
user@host# set policy-options policy-statement ipsec_pol term 9 from protocol static
user@host# set policy-options policy-statement ipsec_pol term 9 from protocol direct
user@host# set policy-options policy-statement ipsec_pol term 9 then metric 30
user@host# set policy-options policy-statement ipsec_pol term 9 then accept
user@host# set policy-options policy-statement ipsec_pol term default then reject
Configure the active signal route 39.1.1.1 with the route match condition (if-route-exists).
-
Configure the security policy.
[edit]
user@host# set security policies default-policy permit-all
Ensure you have configured security policies as per your network requirements.
-
Configure CA certificates as per your requirements.
[edit]
user@host# set security pki ca-profile Root-CA ca-identity Root-CA
user@host# set security pki ca-profile Root-CA enrollment url http://10.204.141.168/certsrv/mscep/mscep.dll
user@host# set security pki ca-profile Root-CA enrollment retry 5
user@host# set security pki ca-profile Root-CA enrollment retry-interval 0
user@host# set security pki ca-profile Root-CA revocation-check disable
-
Define Internet Key Exchange (IKE) configuration for Multinode High Availability. An IKE configuration defines the algorithms and keys used to establish a secure connection.
[edit]
user@host# set security ike proposal L3HA_IKE_PROP description l3ha_link_encr_tunnel
user@host# set security ike proposal L3HA_IKE_PROP authentication-method pre-shared-keys
user@host# set security ike proposal L3HA_IKE_PROP dh-group group14
user@host# set security ike proposal L3HA_IKE_PROP authentication-algorithm sha-256
user@host# set security ike proposal L3HA_IKE_PROP encryption-algorithm aes-256-cbc
user@host# set security ike proposal L3HA_IKE_PROP lifetime-seconds 300
user@host# set security ike policy L3HA_IKE_POL description l3ha_link_encr_tunnel
user@host# set security ike policy L3HA_IKE_POL proposals L3HA_IKE_PROP
user@host# set security ike policy L3HA_IKE_POL pre-shared-key hexadecimal "$9$w0YaZDikPTzjiuO"
user@host# set security ike gateway L3HA_IKE_GW ike-policy L3HA_IKE_POL
user@host# set security ike gateway L3HA_IKE_GW version v2-only
For the Multinode High Availability feature, you must configure the IKE version as v2-only.
-
Specify the IPsec proposal protocol and encryption algorithm. Specify IPsec options to create an IPsec tunnel between the two participant devices to secure VPN communication.
[edit]
user@host# set security ipsec proposal L3HA_IPSEC_PROP description l3ha_link_encr_tunnel
user@host# set security ipsec proposal L3HA_IPSEC_PROP protocol esp
user@host# set security ipsec proposal L3HA_IPSEC_PROP encryption-algorithm aes-256-gcm
user@host# set security ipsec proposal L3HA_IPSEC_PROP lifetime-seconds 300
user@host# set security ipsec policy L3HA_IPSEC_POL description l3ha_link_encr_tunnel
user@host# set security ipsec policy L3HA_IPSEC_POL proposals L3HA_IPSEC_PROP
user@host# set security ipsec vpn L3HA_IPSEC_VPN ha-link-encryption
user@host# set security ipsec vpn L3HA_IPSEC_VPN ike gateway L3HA_IKE_GW
user@host# set security ipsec vpn L3HA_IPSEC_VPN ike ipsec-policy L3HA_IPSEC_POL
Specifying the ha-link-encryption option encrypts the L3HA link to secure the high availability traffic flow between the nodes. The same VPN name, L3HA_IPSEC_VPN, must be specified as the vpn-profile in the chassis high-availability configuration.
-
Configure BGP peering session options and specify BFD liveness detection timers.
[edit]
user@host# set protocols bgp group trust type internal
user@host# set protocols bgp group trust local-address 2.0.0.2
user@host# set protocols bgp group trust export ipsec_pol
user@host# set protocols bgp group trust local-as 100
user@host# set protocols bgp group trust bfd-liveness-detection minimum-interval 500
user@host# set protocols bgp group trust bfd-liveness-detection minimum-receive-interval 500
user@host# set protocols bgp group trust bfd-liveness-detection multiplier 3
user@host# set protocols bgp group trust neighbor 2.0.0.1
user@host# set protocols bgp group untrust type internal
user@host# set protocols bgp group untrust local-address 4.0.0.1
user@host# set protocols bgp group untrust export ipsec_pol
user@host# set protocols bgp group untrust local-as 100
user@host# set protocols bgp group untrust bfd-liveness-detection minimum-interval 500
user@host# set protocols bgp group untrust bfd-liveness-detection minimum-receive-interval 500
user@host# set protocols bgp group untrust bfd-liveness-detection multiplier 3
user@host# set protocols bgp group untrust neighbor 4.0.0.2
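The cross-references the procedure above relies on are easy to get wrong across two nodes, so here is the pre-commit check a practitioner would script, as an added example written for this page (Python, not Juniper's code or CLI). It parses a constructed subset of the SRX-1 `set` statements, verifies that the `vpn-profile` attached to the peer names an IPsec VPN carrying `ha-link-encryption` whose IKE gateway is `version v2-only`, and that the SRG1 `active-signal-route` is the address some `if-route-exists` condition tests. It then replays the `ipsec_pol` export policy term by term to show why the node holding 39.1.1.1 advertises metric 10 and the node holding 39.1.1.2 advertises metric 20. The statement forms are the page's own; the parsing and the simplified Junos policy semantics (criteria of different kinds ANDed, values of one kind ORed, route filters treated as orlonger) are this example's assumptions.

```python
# Added example, not Juniper code: parses Junos-style 'set' lines constructed from the
# SRX-1 steps above and cross-checks them; statement forms are the page's, the logic is ours.
import ipaddress
from collections import defaultdict

# Constructed sample: only the SRX-1 statements the checks below depend on.
SAMPLE_CONFIG = """
set chassis high-availability peer-id 2 vpn-profile L3HA_IPSEC_VPN
set chassis high-availability services-redundancy-group 1 active-signal-route 39.1.1.1
set security ike gateway L3HA_IKE_GW version v2-only
set security ipsec vpn L3HA_IPSEC_VPN ha-link-encryption
set security ipsec vpn L3HA_IPSEC_VPN ike gateway L3HA_IKE_GW
set policy-options condition active_route_exists_srg1 if-route-exists address-family inet 39.1.1.1/32
set policy-options condition backup_route_exists_srg1 if-route-exists address-family inet 39.1.1.2/32
set policy-options route-filter-list srg1_rf_list 11.0.0.0/24 orlonger
set policy-options policy-statement ipsec_pol term 1 from route-filter-list srg1_rf_list
set policy-options policy-statement ipsec_pol term 1 from condition active_route_exists_srg1
set policy-options policy-statement ipsec_pol term 1 then metric 10
set policy-options policy-statement ipsec_pol term 1 then accept
set policy-options policy-statement ipsec_pol term 2 from route-filter-list srg1_rf_list
set policy-options policy-statement ipsec_pol term 2 from condition backup_route_exists_srg1
set policy-options policy-statement ipsec_pol term 2 then metric 20
set policy-options policy-statement ipsec_pol term 2 then accept
set policy-options policy-statement ipsec_pol term default then reject
"""

def parse_set_lines(text):
    """Turn 'set a b c' lines into token lists ['a', 'b', 'c']; other lines are ignored."""
    return [line.split()[1:] for line in text.splitlines() if line.startswith("set ")]

def find(stmts, *prefix):
    """Yield the tokens that follow `prefix` in every statement starting with it."""
    for s in stmts:
        if tuple(s[:len(prefix)]) == prefix:
            yield s[len(prefix):]

def value_after(tokens, key):
    i = tokens.index(key) + 1 if key in tokens else len(tokens)
    return tokens[i] if i < len(tokens) else None  # token after `key`, or None

def condition_addresses(stmts):
    """Map each policy-options condition to the prefix its if-route-exists clause tests."""
    out = {}
    for rest in find(stmts, "policy-options", "condition"):
        addr = value_after(rest, "inet")
        if addr and "/" in addr:  # skips the companion 'table inet.0' statement
            out[rest[0]] = addr
    return out

def check_ha_link_encryption(stmts):
    """Return a list of problems; an empty list means the cross-references line up."""
    problems, profile = [], None
    for rest in find(stmts, "chassis", "high-availability", "peer-id"):
        profile = value_after(rest, "vpn-profile") or profile
    vpn = list(find(stmts, "security", "ipsec", "vpn", profile))
    if not vpn:
        return [f"peer vpn-profile {profile} names no 'security ipsec vpn'"]
    if ["ha-link-encryption"] not in vpn:
        problems.append(f"vpn {profile} lacks ha-link-encryption")
    gw = next((r[2] for r in vpn if r[:2] == ["ike", "gateway"]), None)
    versions = [r[0] for r in find(stmts, "security", "ike", "gateway", gw, "version")]
    if versions != ["v2-only"]:
        problems.append(f"IKE gateway {gw} must be 'version v2-only', found {versions}")
    for rest in find(stmts, "chassis", "high-availability", "services-redundancy-group", "1", "active-signal-route"):
        if rest[0] + "/32" not in condition_addresses(stmts).values():
            problems.append(f"no if-route-exists condition tests active signal route {rest[0]}")
    return problems

def evaluate_export(stmts, prefix, routes_present, protocol="static"):
    """Walk ipsec_pol term by term; return (term, metric) from the first terminating match.
    A condition holds when the prefix its if-route-exists clause tests is in routes_present."""
    conds, filters = condition_addresses(stmts), defaultdict(list)
    route = ipaddress.ip_network(prefix, strict=False)
    for rest in find(stmts, "policy-options", "route-filter-list"):
        filters[rest[0]].append(ipaddress.ip_network(rest[1], strict=False))
    terms, order = defaultdict(lambda: defaultdict(list)), []
    for name, clause, kind, *args in find(stmts, "policy-options", "policy-statement", "ipsec_pol", "term"):
        if name not in terms:
            order.append(name)
        terms[name][clause].append((kind, args))

    def holds(kind, values):  # one match kind: several values are ORed
        if kind == "route-filter-list":
            return any(n.version == route.version and route.subnet_of(n) for v in values for n in filters[v])
        if kind == "condition":
            return any(conds.get(v) in routes_present for v in values)
        return kind == "protocol" and protocol in values

    for name in order:
        criteria = defaultdict(list)
        for kind, args in terms[name]["from"]:
            criteria[kind].append(args[0])
        if not all(holds(k, v) for k, v in criteria.items()):  # kinds are ANDed
            continue
        then = dict(terms[name]["then"])  # e.g. {'metric': ['10'], 'accept': []}
        if "accept" in then or "reject" in then:
            return (name, int(then["metric"][0]) if "accept" in then and "metric" in then else None)
    return None  # fell off the end of the policy
```

Running `check_ha_link_encryption(parse_set_lines(SAMPLE_CONFIG))` on the sample returns an empty list; changing the gateway to anything other than `v2-only`, or dropping `ha-link-encryption` from the VPN, produces one finding each. `evaluate_export(stmts, "11.0.0.1/32", {"39.1.1.1/32"})` returns term 1 with metric 10, the same call with `{"39.1.1.2/32"}` returns term 2 with metric 20, and a prefix outside the route-filter list falls through to the `default` reject, which is exactly the behaviour the active and backup signal routes are meant to produce.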
Results (SRX-1)
From configuration mode, confirm your configuration by entering the following commands.
If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host# show chassis high-availability
local-id {
    1;
    local-ip 22.0.0.1;
}
peer-id 2 {
    peer-ip 22.0.0.2;
    interface ge-0/0/5.0;
    vpn-profile L3HA_IPSEC_VPN;
    liveness-detection {
        minimum-interval 300;
        multiplier 3;
    }
}
traceoptions {
    file ha.log size 10m;
    flag all;
    level all;
}
services-redundancy-group 0 {
    peer-id {
        2;
    }
}
services-redundancy-group 1 {
    mode active-backup;
    deployment-type routing;
    peer-id {
        2;
    }
    activeness-probe {
        dest-ip {
            111.0.0.1;
            src-ip 11.0.0.1;
        }
    }
    monitor {
        bfd-liveliness 4.0.0.2 {
            src-ip 4.0.0.1;
            session-type singlehop;
            interface ge-0/0/1.0;
        }
        interface {
            ge-0/0/0;
        }
    }
    active-signal-route {
        39.1.1.1;
    }
    backup-signal-route {
        39.1.1.2;
    }
    prefix-list SRG1_PFX;
    prefix-list SRG1_V6_PFX;
    managed-services ipsec;
    preemption;
    process-packet-on-backup;
    activeness-priority 200;
}
services-redundancy-group 2 {
    peer-id {
        2;
    }
    activeness-probe {
        dest-ip {
            111.0.0.1;
            src-ip 11.1.0.1;
        }
    }
    monitor {
        bfd-liveliness 4.0.0.2 {
            src-ip 4.0.0.1;
            session-type singlehop;
            interface ge-0/0/1.0;
        }
        interface {
            ge-0/0/0;
        }
    }
    active-signal-route {
        49.1.1.1;
    }
    backup-signal-route {
        49.1.1.2;
    }
    prefix-list SRG2_PFX;
    prefix-list SRG2_V6_PFX;
    managed-services ipsec;
    process-packet-on-backup;
    activeness-priority 100;
}
[edit]
user@host# show security ike
traceoptions {
    file iked size 10m;
    flag all;
    level 15;
    trace-buffer;
}
respond-bad-spi 5;
proposal L3HA_IKE_PROP {
    description l3ha_link_encr_tunnel;
    authentication-method pre-shared-keys;
    dh-group group14;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 300;
}
policy L3HA_IKE_POL {
    description l3ha_link_encr_tunnel;
    proposals L3HA_IKE_PROP;
    pre-shared-key hexadecimal "$9$w0YaZDikPTzjiuO"; ## SECRET-DATA
}
gateway L3HA_IKE_GW {
    ike-policy L3HA_IKE_POL;
    version v2-only;
}
[edit]
user@host# show security ipsec
traceoptions {
    flag all;
}
proposal L3HA_IPSEC_PROP {
    description l3ha_link_encr_tunnel;
    protocol esp;
    encryption-algorithm aes-256-gcm;
    lifetime-seconds 300;
}
policy L3HA_IPSEC_POL {
    description l3ha_link_encr_tunnel;
    proposals L3HA_IPSEC_PROP;
}
vpn L3HA_IPSEC_VPN {
    ha-link-encryption;
    ike {
        gateway L3HA_IKE_GW;
        ipsec-policy L3HA_IPSEC_POL;
    }
}
[edit]
user@host# show policy-options
prefix-list SRG1_PFX {
    11.0.0.0/24;
}
prefix-list SRG1_V6_PFX {
    1100::/112;
}
prefix-list SRG2_PFX {
    11.1.0.0/24;
}
prefix-list SRG2_V6_PFX {
    1101::/112;
}
route-filter-list srg1_rf_ip6_list {
    1100::/112 orlonger;
    7000::/64 orlonger;
}
route-filter-list srg1_rf_list {
    11.0.0.0/24 orlonger;
    7.0.0.0/16 orlonger;
}
route-filter-list srg2_rf_ip6_list {
    1101::/112 orlonger;
    9000::/64 orlonger;
}
route-filter-list srg2_rf_list {
    11.1.0.0/24 orlonger;
    9.0.0.0/16 orlonger;
}
policy-statement ipsec_pol {
    term 1 {
        from {
            route-filter-list srg1_rf_list;
            condition active_route_exists_srg1;
        }
        then {
            metric 10;
            accept;
        }
    }
    term 2 {
        from {
            route-filter-list srg1_rf_list;
            condition backup_route_exists_srg1;
        }
        then {
            metric 20;
            accept;
        }
    }
    term 3 {
        from {
            route-filter-list srg2_rf_list;
            condition active_route_exists_srg2;
        }
        then {
            metric 10;
            accept;
        }
    }
    term 4 {
        from {
            route-filter-list srg2_rf_list;
            condition backup_route_exists_srg2;
        }
        then {
            metric 20;
            accept;
        }
    }
    term 5 {
        from {
            route-filter-list srg1_rf_ip6_list;
            condition active_route_exists_srg1;
        }
        then {
            metric 10;
            accept;
        }
    }
    term 6 {
        from {
            route-filter-list srg1_rf_ip6_list;
            condition backup_route_exists_srg1;
        }
        then {
            metric 20;
            accept;
        }
    }
    term 7 {
        from {
            route-filter-list srg2_rf_ip6_list;
            condition active_route_exists_srg2;
        }
        then {
            metric 10;
            accept;
        }
    }
    term 8 {
        from {
            route-filter-list srg2_rf_ip6_list;
            condition backup_route_exists_srg2;
        }
        then {
            metric 20;
            accept;
        }
    }
    term 9 {
        from protocol [ ari-ts static direct ];
        then {
            metric 30;
            accept;
        }
    }
    term default {
        then reject;
    }
}
condition active_route_exists_srg1 {
    if-route-exists {
        address-family {
            inet {
                39.1.1.1/32;
                table inet.0;
            }
        }
    }
}
condition active_route_exists_srg2 {
    if-route-exists {
        address-family {
            inet {
                49.1.1.1/32;
                table inet.0;
            }
        }
    }
}
condition backup_route_exists_srg1 {
    if-route-exists {
        address-family {
            inet {
                39.1.1.2/32;
                table inet.0;
            }
        }
    }
}
condition backup_route_exists_srg2 {
    if-route-exists {
        address-family {
            inet {
                49.1.1.2/32;
                table inet.0;
            }
        }
    }
}
[edit]
user@host# show routing-options
rib inet6.0 {
    static {
        route 1000::/64 next-hop 2000::1;
        route 1110::1/128 next-hop 2000::1;
        route 1110::2/128 next-hop 4000::2;
        route 1200::/96 next-hop 4000::2;
        route 6000::/64 next-hop 4000::2;
        route 8000::/64 next-hop 2000::1;
    }
}
autonomous-system 100;
static {
    route 1.0.0.0/16 next-hop 2.0.0.1;
    route 8.0.0.0/16 next-hop 2.0.0.1;
    route 12.0.0.0/8 next-hop 4.0.0.2;
    route 111.0.0.1/32 next-hop 2.0.0.1;
    route 111.0.0.2/32 next-hop 4.0.0.2;
}
[edit]
user@host# show security zones
security-zone untrust {
    host-inbound-traffic {
        system-services {
            ike;
            ping;
        }
        protocols {
            bfd;
            bgp;
        }
    }
    interfaces {
        ge-0/0/1.0;
        lo0.0;
    }
}
security-zone vpn {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        st0.1;
    }
}
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/0.0;
    }
}
security-zone halink {
    host-inbound-traffic {
        system-services {
            ike;
            ping;
            high-availability;
            ssh;
        }
        protocols {
            bfd;
            bgp;
        }
    }
    interfaces {
        ge-0/0/5.0;
    }
}
[edit]
user@host# show interfaces
ge-0/0/0 {
    description trust;
    unit 0 {
        family inet {
            address 2.0.0.2/16;
        }
        family inet6 {
            address 2000::2/64;
        }
    }
}
ge-0/0/1 {
    description untrust;
    unit 0 {
        family inet {
            address 4.0.0.1/16;
        }
        family inet6 {
            address 4000::1/64;
        }
    }
}
ge-0/0/5 {
    description ha_link;
    unit 0 {
        family inet {
            address 22.0.0.1/24;
        }
        family inet6 {
            address 2200::1/112;
        }
    }
}
lo0 {
    description untrust;
    unit 0 {
        family inet {
            address 11.0.0.1/32;
            address 11.0.0.11/32;
            address 11.0.0.21/32;
            address 11.0.0.31/32;
            address 11.1.0.1/32;
            address 11.1.0.11/32;
            address 11.1.0.21/32;
            address 11.1.0.31/32;
        }
        family inet6 {
            address 1100::1/128;
            address 1100::11/128;
            address 1100::21/128;
            address 1100::31/128;
            address 1101::1/128;
            address 1101::11/128;
            address 1101::21/128;
            address 1101::31/128;
        }
    }
}
st0 {
    unit 1 {
        family inet;
        family inet6;
    }
}
[edit]
user@host#
If you are done configuring the device, enter commit from configuration mode.
Results (SRX-2)
From configuration mode, confirm your configuration by entering the following commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host# show chassis high-availability
local-id {
    2;
    local-ip 22.0.0.2;
}
peer-id 1 {
    peer-ip 22.0.0.1;
    interface ge-0/0/5.0;
    vpn-profile L3HA_IPSEC_VPN;
    liveness-detection {
        minimum-interval 300;
        multiplier 3;
    }
}
traceoptions {
    file ha.log size 10m;
    flag all;
    level all;
}
services-redundancy-group 0 {
    peer-id {
        1;
    }
}
services-redundancy-group 1 {
    mode active-backup;
    deployment-type routing;
    peer-id {
        1;
    }
    activeness-probe {
        dest-ip {
            111.0.0.1;
            src-ip 11.0.0.1;
        }
    }
    monitor {
        bfd-liveliness 5.0.0.2 {
            src-ip 5.0.0.1;
            session-type singlehop;
            interface ge-0/0/1.0;
        }
        interface {
            ge-0/0/0;
        }
    }
    active-signal-route {
        39.1.1.1;
    }
    backup-signal-route {
        39.1.1.2;
    }
    prefix-list SRG1_PFX;
    prefix-list SRG1_V6_PFX;
    managed-services ipsec;
    process-packet-on-backup;
    activeness-priority 100;
}
services-redundancy-group 2 {
    peer-id {
        1;
    }
    activeness-probe {
        dest-ip {
            111.0.0.1;
            src-ip 11.1.0.1;
        }
    }
    monitor {
        bfd-liveliness 5.0.0.2 {
            src-ip 5.0.0.1;
            session-type singlehop;
            interface ge-0/0/1.0;
        }
        interface {
            ge-0/0/0;
        }
    }
    active-signal-route {
        49.1.1.1;
    }
    backup-signal-route {
        49.1.1.2;
    }
    prefix-list SRG2_PFX;
    prefix-list SRG2_V6_PFX;
    managed-services ipsec;
    preemption;
    process-packet-on-backup;
    activeness-priority 200;
}
[edit]
user@host# show security ike
traceoptions {
    file iked size 10m;
    flag all;
    level 15;
}
respond-bad-spi 5;
proposal L3HA_IKE_PROP {
    description l3ha_link_encr_tunnel;
    authentication-method pre-shared-keys;
    dh-group group14;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 300;
}
policy L3HA_IKE_POL {
    description l3ha_link_encr_tunnel;
    proposals L3HA_IKE_PROP;
    pre-shared-key hexadecimal "$9$w0YaZDikPTzjiuO"; ## SECRET-DATA
}
gateway L3HA_IKE_GW {
    ike-policy L3HA_IKE_POL;
    version v2-only;
}
[edit]
user@host# show security ipsec
traceoptions {
    flag all;
}
proposal L3HA_IPSEC_PROP {
    description l3ha_link_encr_tunnel;
    protocol esp;
    encryption-algorithm aes-256-gcm;
    lifetime-seconds 300;
}
policy L3HA_IPSEC_POL {
    description l3ha_link_encr_tunnel;
    proposals L3HA_IPSEC_PROP;
}
vpn L3HA_IPSEC_VPN {
    ha-link-encryption;
    ike {
        gateway L3HA_IKE_GW;
        ipsec-policy L3HA_IPSEC_POL;
    }
}
[edit]
user@host# show policy-options
prefix-list SRG1_PFX {
    11.0.0.0/24;
}
prefix-list SRG1_V6_PFX {
    1100::/112;
}
prefix-list SRG2_PFX {
    11.1.0.0/24;
}
prefix-list SRG2_V6_PFX {
    1101::/112;
}
route-filter-list srg1_rf_ip6_list {
    1100::/112 orlonger;
    7000::/64 orlonger;
}
route-filter-list srg1_rf_list {
    11.0.0.0/24 orlonger;
    7.0.0.0/16 orlonger;
}
route-filter-list srg2_rf_ip6_list {
    1101::/112 orlonger;
    9000::/64 orlonger;
}
route-filter-list srg2_rf_list {
    11.1.0.0/24 orlonger;
    9.0.0.0/16 orlonger;
}
policy-statement ipsec_pol {
    term 1 {
        from {
            route-filter-list srg1_rf_list;
            condition active_route_exists_srg1;
        }
        then {
            metric 10;
            accept;
        }
    }
    term 2 {
        from {
            route-filter-list srg1_rf_list;
            condition backup_route_exists_srg1;
        }
        then {
            metric 20;
            accept;
        }
    }
    term 3 {
        from {
            route-filter-list srg2_rf_list;
            condition active_route_exists_srg2;
        }
        then {
            metric 10;
            accept;
        }
    }
    term 4 {
        from {
            route-filter-list srg2_rf_list;
            condition backup_route_exists_srg2;
        }
        then {
            metric 20;
            accept;
        }
    }
    term 5 {
        from {
            route-filter-list srg1_rf_ip6_list;
            condition active_route_exists_srg1;
        }
        then {
            metric 10;
            accept;
        }
    }
    term 6 {
        from {
            route-filter-list srg1_rf_ip6_list;
            condition backup_route_exists_srg1;
        }
        then {
            metric 20;
            accept;
        }
    }
    term 7 {
        from {
            route-filter-list srg2_rf_ip6_list;
            condition active_route_exists_srg2;
        }
        then {
            metric 10;
            accept;
        }
    }
    term 8 {
        from {
            route-filter-list srg2_rf_ip6_list;
            condition backup_route_exists_srg2;
        }
        then {
            metric 20;
            accept;
        }
    }
    term 9 {
        from protocol [ ari-ts static direct ];
        then {
            metric 30;
            accept;
        }
    }
    term default {
        then reject;
    }
}
condition active_route_exists_srg1 {
    if-route-exists {
        address-family {
            inet {
                39.1.1.1/32;
                table inet.0;
            }
        }
    }
}
condition active_route_exists_srg2 {
    if-route-exists {
        address-family {
            inet {
                49.1.1.1/32;
                table inet.0;
            }
        }
    }
}
condition backup_route_exists_srg1 {
    if-route-exists {
        address-family {
            inet {
                39.1.1.2/32;
                table inet.0;
            }
        }
    }
}
condition backup_route_exists_srg2 {
    if-route-exists {
        address-family {
            inet {
                49.1.1.2/32;
                table inet.0;
            }
        }
    }
}
[edit]
user@host# show routing-options
rib inet6.0 {
    static {
        route 1000::/64 next-hop 3000::1;
        route 1110::1/128 next-hop 3000::1;
        route 1110::2/128 next-hop 5000::2;
        route 1200::/96 next-hop 5000::2;
        route 6000::/64 next-hop 5000::2;
        route 8000::/64 next-hop 3000::1;
    }
}
autonomous-system 100;
static {
    route 1.0.0.0/16 next-hop 3.0.0.1;
    route 6.0.0.0/16 next-hop 5.0.0.2;
    route 8.0.0.0/16 next-hop 3.0.0.1;
    route 12.0.0.0/8 next-hop 5.0.0.2;
    route 111.0.0.1/32 next-hop 3.0.0.1;
    route 111.0.0.2/32 next-hop 5.0.0.2;
}
[edit]
user@host# show security zones
security-zone untrust {
    host-inbound-traffic {
        system-services {
            ike;
            ping;
        }
        protocols {
            bfd;
            bgp;
        }
    }
    interfaces {
        ge-0/0/1.0;
        lo0.0;
    }
}
security-zone vpn {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        st0.1;
    }
}
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/0.0;
    }
}
security-zone halink {
    host-inbound-traffic {
        system-services {
            ike;
            ping;
            high-availability;
            ssh;
        }
        protocols {
            bfd;
            bgp;
        }
    }
    interfaces {
        ge-0/0/5.0;
    }
}
[edit]
user@host# show interfaces
ge-0/0/0 {
    description trust;
    unit 0 {
        family inet {
            address 3.0.0.2/16;
        }
        family inet6 {
            address 3000::2/64;
        }
    }
}
ge-0/0/1 {
    description untrust;
    unit 0 {
        family inet {
            address 5.0.0.1/16;
        }
        family inet6 {
            address 5000::1/64;
        }
    }
}
ge-0/0/5 {
    description ha_link;
    unit 0 {
        family inet {
            address 22.0.0.2/24;
        }
        family inet6 {
            address 2200::2/112;
        }
    }
}
lo0 {
    description untrust;
    unit 0 {
        family inet {
            address 11.0.0.1/32;
            address 11.0.0.11/32;
            address 11.0.0.21/32;
            address 11.0.0.31/32;
            address 11.1.0.1/32;
            address 11.1.0.11/32;
            address 11.1.0.21/32;
            address 11.1.0.31/32;
        }
        family inet6 {
            address 1100::1/128;
            address 1100::11/128;
            address 1100::21/128;
            address 1100::31/128;
            address 1101::1/128;
            address 1101::11/128;
            address 1101::21/128;
            address 1101::31/128;
        }
    }
}
st0 {
    unit 1 {
        family inet;
        family inet6;
    }
}
[edit]
user@host#
If you are done configuring the device, enter commit from configuration mode.
user@host# commit
warning: High Availability Mode changed, please reboot the device to avoid undesirable behavior
commit complete
Verification
Confirm that the configuration is working properly.
- Check Multinode High Availability Details
- Check Multinode High Availability Peer Node Status
- Check Multinode High Availability Service Redundancy Groups
- Verify the Multinode High Availability Status Before and After Failover
- Verify Interchassis Link (ICL) Encryption Status
- Verify Link Encryption Tunnel Statistics
- Verify Interchassis Link Active Peers
Check Multinode High Availability Details
Purpose
View and verify the details of the Multinode High Availability setup configured on your security device.
Action
From operational mode, run the following command:
On SRX-1
user@host> show chassis high-availability information
Node failure codes:
    HW  Hardware monitoring
    LB  Loopback monitoring
    MB  Mbuf monitoring
    SP  SPU monitoring
    CS  Cold Sync monitoring
    SU  Software Upgrade

Node Status: ONLINE
Local-id: 1
Local-IP: 22.0.0.1
HA Peer Information:
    Peer Id: 2
    IP address: 22.0.0.2
    Interface: ge-0/0/6.0
    Routing Instance: default
    Encrypted: YES
    Conn State: UP
    Configured BFD Detection Time: 3 * 300ms
    Cold Sync Status: COMPLETE
Services Redundancy Group: 0
    Current State: ONLINE
    Peer Information:
        Peer Id: 2
SRG failure event codes:
    BF  BFD monitoring
    IP  IP monitoring
    IF  Interface monitoring
    CP  Control Plane monitoring
Services Redundancy Group: 1
    Deployment Type: ROUTING
    Status: ACTIVE
    Activeness Priority: 200
    Preemption: ENABLED
    Process Packet In Backup State: YES
    Control Plane State: READY
    System Integrity Check: N/A
    Failure Events: NONE
    Peer Information:
        Peer Id: 2
        Status : BACKUP
        Health Status: HEALTHY
        Failover Readiness: READY
Services Redundancy Group: 2
    Deployment Type: ROUTING
    Status: BACKUP
    Activeness Priority: 100
    Preemption: DISABLED
    Process Packet In Backup State: YES
    Control Plane State: READY
    System Integrity Check: COMPLETE
    Failure Events: NONE
    Peer Information:
        Peer Id: 2
        Status : ACTIVE
        Health Status: HEALTHY
        Failover Readiness: N/A
On SRX-2
user@host> show chassis high-availability information
Node failure codes:
    HW  Hardware monitoring
    LB  Loopback monitoring
    MB  Mbuf monitoring
    SP  SPU monitoring
    CS  Cold Sync monitoring
    SU  Software Upgrade

Node Status: ONLINE
Local-id: 2
Local-IP: 22.0.0.2
HA Peer Information:
    Peer Id: 1
    IP address: 22.0.0.1
    Interface: ge-0/0/6.0
    Routing Instance: default
    Encrypted: YES
    Conn State: UP
    Configured BFD Detection Time: 3 * 300ms
    Cold Sync Status: COMPLETE
Services Redundancy Group: 0
    Current State: ONLINE
    Peer Information:
        Peer Id: 1
SRG failure event codes:
    BF  BFD monitoring
    IP  IP monitoring
    IF  Interface monitoring
    CP  Control Plane monitoring
Services Redundancy Group: 1
    Deployment Type: ROUTING
    Status: BACKUP
    Activeness Priority: 100
    Preemption: DISABLED
    Process Packet In Backup State: YES
    Control Plane State: READY
    System Integrity Check: COMPLETE
    Failure Events: NONE
    Peer Information:
        Peer Id: 1
        Status : ACTIVE
        Health Status: HEALTHY
        Failover Readiness: N/A
Services Redundancy Group: 2
    Deployment Type: ROUTING
    Status: ACTIVE
    Activeness Priority: 200
    Preemption: ENABLED
    Process Packet In Backup State: YES
    Control Plane State: READY
    System Integrity Check: N/A
    Failure Events: NONE
    Peer Information:
        Peer Id: 1
        Status : BACKUP
        Health Status: HEALTHY
        Failover Readiness: READY
Meaning
Verify these details from the command output:
- Local node and peer node details such as IP address and ID.
- The field Encrypted: YES indicates that the traffic on the ICL is protected.
- The field Deployment Type: ROUTING indicates a Layer 3 mode configuration, that is, the network has routers on both sides.
- The Status field under Services Redundancy Group: 1 shows whether SRG1 is ACTIVE or BACKUP on that node.
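The checks listed above are easy to read past when the two outputs are compared by eye. As an added example (not part of this page and not Juniper code), the following Python script parses the information output collected from both nodes and cross-checks it: the ICL must be encrypted, up and cold-synced on both sides, the peer IDs must reference each other, and each SRG must be ACTIVE on exactly one node, so a split-brain (both ACTIVE) or dual-backup state is reported rather than missed. The sample text is transcribed from the SRX-1 and SRX-2 outputs on this page and trimmed to the fields the checks use; the key/value parsing is an assumption about the output layout, not a documented schema, and the text would normally be fed in from your own collection method rather than embedded.

```python
"""Cross-check 'show chassis high-availability information' from both nodes.
Added example; the parser and checks are assumptions about the output shown
on the page, not a Juniper API."""

# Constructed samples, transcribed from the page's SRX-1 / SRX-2 outputs and trimmed.
SRX1_INFO = """\
Local-id: 1
HA Peer Information:
    Peer Id: 2
    Encrypted: YES
    Conn State: UP
    Cold Sync Status: COMPLETE
Services Redundancy Group: 0
    Current State: ONLINE
Services Redundancy Group: 1
    Status: ACTIVE
    Peer Information:
        Peer Id: 2
        Status : BACKUP
Services Redundancy Group: 2
    Status: BACKUP
    Peer Information:
        Peer Id: 2
        Status : ACTIVE
"""
SRX2_INFO = """\
Local-id: 2
HA Peer Information:
    Peer Id: 1
    Encrypted: YES
    Conn State: UP
    Cold Sync Status: COMPLETE
Services Redundancy Group: 0
    Current State: ONLINE
Services Redundancy Group: 1
    Status: BACKUP
    Peer Information:
        Peer Id: 1
        Status : ACTIVE
Services Redundancy Group: 2
    Status: ACTIVE
    Peer Information:
        Peer Id: 1
        Status : BACKUP
"""

def parse_ha_info(text):
    """Return {'Local-id': .., 'peer': {..}, 'srg': {id: {.., 'peer': {..}}}}."""
    node = {"peer": {}, "srg": {}}
    section = None        # None (node level), "peer", or ("srg", id)
    in_peer_info = False  # inside the 'Peer Information:' block of an SRG
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue      # failure-code legends carry no key/value
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()   # handles 'Status : BACKUP'
        if key == "HA Peer Information":
            section, in_peer_info = "peer", False
        elif key == "Services Redundancy Group":
            section, in_peer_info = ("srg", int(value)), False
            node["srg"][int(value)] = {"peer": {}}
        elif key == "Peer Information":
            in_peer_info = True
        elif section == "peer":
            node["peer"][key] = value
        elif section is not None:
            srg = node["srg"][section[1]]
            (srg["peer"] if in_peer_info else srg)[key] = value
        else:
            node[key] = value
    return node

def check_pair(a, b):
    """Compare one node's view with its peer's; an empty list means healthy."""
    findings = []
    for node in (a, b):
        name, peer = "node " + node.get("Local-id", "?"), node["peer"]
        if peer.get("Encrypted") != "YES":
            findings.append(f"{name}: ICL is not encrypted")
        if peer.get("Conn State") != "UP":
            findings.append(f"{name}: ICL connection state {peer.get('Conn State')}")
        if peer.get("Cold Sync Status") != "COMPLETE":
            findings.append(f"{name}: cold sync {peer.get('Cold Sync Status')}")
    if a["peer"].get("Peer Id") != b.get("Local-id") or b["peer"].get("Peer Id") != a.get("Local-id"):
        findings.append("peer IDs do not reference each other")
    for srg_id in sorted(set(a["srg"]) | set(b["srg"])):
        sa, sb = a["srg"].get(srg_id), b["srg"].get(srg_id)
        if sa is None or sb is None:
            findings.append(f"SRG{srg_id}: present on only one node")
            continue
        if srg_id == 0:   # SRG0 has no active/backup role, only ONLINE state
            if (sa.get("Current State"), sb.get("Current State")) != ("ONLINE", "ONLINE"):
                findings.append("SRG0: not ONLINE on both nodes")
            continue
        roles = (sa.get("Status"), sb.get("Status"))
        if sorted(str(r) for r in roles) != ["ACTIVE", "BACKUP"]:
            findings.append(f"SRG{srg_id}: roles {roles}, expected exactly one ACTIVE")
        # each node's view of its peer must agree with what the peer reports
        if sa["peer"].get("Status") != sb.get("Status") or sb["peer"].get("Status") != sa.get("Status"):
            findings.append(f"SRG{srg_id}: peer status views disagree")
    return findings

def audit_page_example():
    return check_pair(parse_ha_info(SRX1_INFO), parse_ha_info(SRX2_INFO))

if __name__ == "__main__":
    print(audit_page_example() or "healthy")
```

The two-sided comparison is the point: a single node reporting Status: ACTIVE looks fine on its own, and only the peer's output reveals whether the other node believes the same thing.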
Check Multinode High Availability Peer Node Status
Purpose
View and verify the peer node details.
Action
From operational mode, run the following command:
SRX-1
user@host> show chassis high-availability peer-info
HA Peer Information:
    Peer-ID: 2
    IP address: 22.0.0.2
    Interface: ge-0/0/6.0
    Routing Instance: default
    Encrypted: YES
    Conn State: UP
    Cold Sync Status: COMPLETE
    Internal Interface: st0.16000
    Internal Local-IP: 180.100.1.1
    Internal Peer-IP: 180.100.1.2
    Internal Routing-instance: __juniper_private1__
    Packet Statistics:
        Receive Error : 0
        Send Error : 0
        Packet-type        Sent    Received
        SRG Status Msg     12      13
        SRG Status Ack     13      9
        Attribute Msg      5       3
        Attribute Ack      3       3
SRX-2
user@host> show chassis high-availability peer-info
HA Peer Information:
    Peer-ID: 1
    IP address: 22.0.0.1
    Interface: ge-0/0/6.0
    Routing Instance: default
    Encrypted: YES
    Conn State: UP
    Cold Sync Status: COMPLETE
    Internal Interface: st0.16000
    Internal Local-IP: 180.100.1.2
    Internal Peer-IP: 180.100.1.1
    Internal Routing-instance: __juniper_private1__
    Packet Statistics:
        Receive Error : 0
        Send Error : 0
        Packet-type        Sent    Received
        SRG Status Msg     13      10
        SRG Status Ack     9       13
        Attribute Msg      3       3
        Attribute Ack      3       3
Meaning
Verify these details from the command output:
- Peer node details such as the interface used, IP address, and ID.
- Encryption status, connection status, and cold synchronization status.
- Packet statistics across the nodes.
Check Multinode High Availability Service Redundancy Groups
Purpose
Verify that the SRGs are configured and working correctly.
Action
From operational mode, run the following command:
SRG0 on SRX1
user@host> show chassis high-availability services-redundancy-group 0
Services Redundancy Group: 0
    Current State: ONLINE
    Peer Information:
        Peer Id: 2
SRG0 on SRX2
user@host> show chassis high-availability services-redundancy-group 0
Services Redundancy Group: 0
    Current State: ONLINE
    Peer Information:
        Peer Id: 1
SRG1 on SRX1
user@host> show chassis high-availability services-redundancy-group 1
SRG failure event codes:
    BF  BFD monitoring
    IP  IP monitoring
    IF  Interface monitoring
    CP  Control Plane monitoring
Services Redundancy Group: 1
    Deployment Type: ROUTING
    Status: ACTIVE
    Activeness Priority: 200
    Preemption: ENABLED
    Process Packet In Backup State: YES
    Control Plane State: READY
    System Integrity Check: N/A
    Failure Events: NONE
    Peer Information:
        Peer Id: 2
        Status : BACKUP
        Health Status: HEALTHY
        Failover Readiness: READY
    Signal Route Info:
        Active Signal Route:
            IP: 39.1.1.1
            Routing Instance: default
            Status: INSTALLED
        Backup Signal Route:
            IP: 39.1.1.2
            Routing Instance: default
            Status: NOT INSTALLED
    Split-brain Prevention Probe Info:
        DST-IP: 111.0.0.1
        SRC-IP: 11.0.0.1
        Routing Instance: default
        Type: ICMP
        Probe Status: NOT RUNNING
        Result: N/A
        Reason: N/A
    BFD Monitoring:
        Status: UP
        SRC-IP: 4.0.0.1
        DST-IP: 4.0.0.2
        Routing Instance: default
        Type: SINGLE-HOP
        IFL Name: ge-0/0/1.0
        State: UP
    Interface Monitoring:
        Status: UP
        IF Name: ge-0/0/0
        State: Up
    IP SRGID Table:
        SRGID  IP Prefix      Routing Table
        1      11.0.0.0/24    default
        1      1100::/112     default
SRG1 on SRX2
user@host> show chassis high-availability services-redundancy-group 1
SRG failure event codes:
    BF  BFD monitoring
    IP  IP monitoring
    IF  Interface monitoring
    CP  Control Plane monitoring
Services Redundancy Group: 1
    Deployment Type: ROUTING
    Status: BACKUP
    Activeness Priority: 100
    Preemption: DISABLED
    Process Packet In Backup State: YES
    Control Plane State: READY
    System Integrity Check: COMPLETE
    Failure Events: NONE
    Peer Information:
        Peer Id: 1
        Status : ACTIVE
        Health Status: HEALTHY
        Failover Readiness: N/A
    Signal Route Info:
        Active Signal Route:
            IP: 39.1.1.1
            Routing Instance: default
            Status: NOT INSTALLED
        Backup Signal Route:
            IP: 39.1.1.2
            Routing Instance: default
            Status: INSTALLED
    Split-brain Prevention Probe Info:
        DST-IP: 111.0.0.1
        SRC-IP: 11.0.0.1
        Routing Instance: default
        Type: ICMP
        Probe Status: NOT RUNNING
        Result: N/A
        Reason: N/A
    BFD Monitoring:
        Status: UP
        SRC-IP: 5.0.0.1
        DST-IP: 5.0.0.2
        Routing Instance: default
        Type: SINGLE-HOP
        IFL Name: ge-0/0/1.0
        State: UP
    Interface Monitoring:
        Status: UP
        IF Name: ge-0/0/0
        State: Up
    IP SRGID Table:
        SRGID  IP Prefix      Routing Table
        1      11.0.0.0/24    default
        1      1100::/112     default
SRG2 on SRX1
user@host> show chassis high-availability services-redundancy-group 2
SRG failure event codes:
    BF  BFD monitoring
    IP  IP monitoring
    IF  Interface monitoring
    CP  Control Plane monitoring
Services Redundancy Group: 2
    Deployment Type: ROUTING
    Status: BACKUP
    Activeness Priority: 100
    Preemption: DISABLED
    Process Packet In Backup State: YES
    Control Plane State: READY
    System Integrity Check: COMPLETE
    Failure Events: NONE
    Peer Information:
        Peer Id: 2
        Status : ACTIVE
        Health Status: HEALTHY
        Failover Readiness: N/A
    Signal Route Info:
        Active Signal Route:
            IP: 49.1.1.1
            Routing Instance: default
            Status: NOT INSTALLED
        Backup Signal Route:
            IP: 49.1.1.2
            Routing Instance: default
            Status: INSTALLED
    Split-brain Prevention Probe Info:
        DST-IP: 111.0.0.1
        SRC-IP: 11.1.0.1
        Routing Instance: default
        Type: ICMP
        Probe Status: NOT RUNNING
        Result: N/A
        Reason: N/A
    BFD Monitoring:
        Status: UP
        SRC-IP: 4.0.0.1
        DST-IP: 4.0.0.2
        Routing Instance: default
        Type: SINGLE-HOP
        IFL Name: ge-0/0/1.0
        State: UP
    Interface Monitoring:
        Status: UP
        IF Name: ge-0/0/0
        State: Up
    IP SRGID Table:
        SRGID  IP Prefix      Routing Table
        2      11.1.0.0/24    default
        2      1101::/112     default
SRG2 on SRX2
user@host> show chassis high-availability services-redundancy-group 2
SRG failure event codes:
    BF  BFD monitoring
    IP  IP monitoring
    IF  Interface monitoring
    CP  Control Plane monitoring
Services Redundancy Group: 2
    Deployment Type: ROUTING
    Status: ACTIVE
    Activeness Priority: 200
    Preemption: ENABLED
    Process Packet In Backup State: YES
    Control Plane State: READY
    System Integrity Check: N/A
    Failure Events: NONE
    Peer Information:
        Peer Id: 1
        Status : BACKUP
        Health Status: HEALTHY
        Failover Readiness: READY
    Signal Route Info:
        Active Signal Route:
            IP: 49.1.1.1
            Routing Instance: default
            Status: INSTALLED
        Backup Signal Route:
            IP: 49.1.1.2
            Routing Instance: default
            Status: NOT INSTALLED
    Split-brain Prevention Probe Info:
        DST-IP: 111.0.0.1
        SRC-IP: 11.1.0.1
        Routing Instance: default
        Type: ICMP
        Probe Status: NOT RUNNING
        Result: N/A
        Reason: N/A
    BFD Monitoring:
        Status: UP
        SRC-IP: 5.0.0.1
        DST-IP: 5.0.0.2
        Routing Instance: default
        Type: SINGLE-HOP
        IFL Name: ge-0/0/1.0
        State: UP
    Interface Monitoring:
        Status: UP
        IF Name: ge-0/0/0
        State: Up
    IP SRGID Table:
        SRGID  IP Prefix      Routing Table
        2      11.1.0.0/24    default
        2      1101::/112     default
Meaning
Verify these details from the command output:
- Peer node details such as deployment type, status, and active and backup signal routes.
- Virtual IP information such as IP address and virtual MAC address.
- IP monitoring and BFD monitoring status.
Verify the Multinode High Availability Status Before and After Failover
Purpose
Check the change in node status before and after failover in a Multinode High Availability setup.
Action
To check the Multinode High Availability status on the backup node (SRX-2), run the following command from operational mode:
user@host> show chassis high-availability information
Node failure codes:
    HW  Hardware monitoring
    LB  Loopback monitoring
    MB  Mbuf monitoring
    SP  SPU monitoring
    CS  Cold Sync monitoring
    SU  Software Upgrade

Node Status: ONLINE
Local-id: 2
Local-IP: 10.22.0.2
HA Peer Information:
    Peer Id: 1
    IP address: 10.22.0.1
    Interface: ge-0/0/2.0
    Routing Instance: default
    Encrypted: YES
    Conn State: UP
    Cold Sync Status: COMPLETE
Services Redundancy Group: 0
    Current State: ONLINE
    Peer Information:
        Peer Id: 1
SRG failure event codes:
    BF  BFD monitoring
    IP  IP monitoring
    IF  Interface monitoring
    CP  Control Plane monitoring
Services Redundancy Group: 1
    Deployment Type: ROUTING
    Status: BACKUP
    Activeness Priority: 1
    Preemption: DISABLED
    Process Packet In Backup State: NO
    Control Plane State: READY
    System Integrity Check: COMPLETE
    Failure Events: NONE
    Peer Information:
        Peer Id: 1
        Status : ACTIVE
        Health Status: HEALTHY
        Failover Readiness: N/A
Under the Services Redundancy Group: 1 section, you can see the Status: BACKUP field. This value indicates that the status of SRG1 is backup.
Initiate the failover on the active node (SRX-1 device) and again run the command on the backup node (SRX-2 device).
user@host> show chassis high-availability information
Node failure codes:
    HW  Hardware monitoring
    LB  Loopback monitoring
    MB  Mbuf monitoring
    SP  SPU monitoring
    CS  Cold Sync monitoring
    SU  Software Upgrade

Node Status: ONLINE
Local-id: 2
Local-IP: 10.22.0.2
HA Peer Information:
    Peer Id: 1
    IP address: 10.22.0.1
    Interface: ge-0/0/2.0
    Routing Instance: default
    Encrypted: YES
    Conn State: DOWN
    Cold Sync Status: IN PROGRESS
Services Redundancy Group: 0
    Current State: ONLINE
    Peer Information:
        Peer Id: 1
SRG failure event codes:
    BF  BFD monitoring
    IP  IP monitoring
    IF  Interface monitoring
    CP  Control Plane monitoring
Services Redundancy Group: 1
    Deployment Type: ROUTING
    Status: ACTIVE
    Activeness Priority: 1
    Preemption: DISABLED
    Process Packet In Backup State: NO
    Control Plane State: READY
    System Integrity Check: N/A
    Failure Events: NONE
    Peer Information:
        Peer Id: 1
        Status : BACKUP
        Health Status: HEALTHY
        Failover Readiness: READY
Note that under the Services Redundancy Group: 1 section, the status of SRG1 has changed from BACKUP to ACTIVE. You can also see the peer node details under the Peer Information section; the output shows the status of the peer as BACKUP.
Verify Interchassis Link (ICL) Encryption Status
Purpose
Verify the interchassis link (ICL) status.
Action
From operational mode, run the following command:
On SRX-1:
user@host> show security ike security-associations ha-link-encryption
Index     State  Initiator cookie  Responder cookie  Mode   Remote Address
16776213  UP     f6f06efd18e863e5  858d9a62ab3bf20c  IKEv2  22.0.0.2
user@host> show security ipsec security-associations ha-link-encryption
  Total active tunnels: 1     Total IPsec sas: 4
  ID       Algorithm                   SPI         Life:sec/kb  Mon  lsys  Port  Gateway
  <495011  ESP:aes-gcm-256/aes256-gcm  0x0004c6a1  116/ unlim   -    root  500   22.0.0.2
  >495011  ESP:aes-gcm-256/aes256-gcm  0x000e5ff3  116/ unlim   -    root  500   22.0.0.2
  <495011  ESP:aes-gcm-256/aes256-gcm  0x0404c6a1  116/ unlim   -    root  500   22.0.0.2
  >495011  ESP:aes-gcm-256/aes256-gcm  0x040e5ff3  116/ unlim   -    root  500   22.0.0.2
  <495011  ESP:aes-gcm-256/aes256-gcm  0x0804c6a1  116/ unlim   -    root  500   22.0.0.2
  >495011  ESP:aes-gcm-256/aes256-gcm  0x080e5ff3  116/ unlim   -    root  500   22.0.0.2
  <495011  ESP:aes-gcm-256/aes256-gcm  0x0c04c6a1  116/ unlim   -    root  500   22.0.0.2
  >495011  ESP:aes-gcm-256/aes256-gcm  0x0c0e5ff3  116/ unlim   -    root  500   22.0.0.2
On SRX-2:
user@host> show security ike security-associations ha-link-encryption
Index     State  Initiator cookie  Responder cookie  Mode   Remote Address
16776277  UP     f6f06efd18e863e5  858d9a62ab3bf20c  IKEv2  22.0.0.1
user@host> show security ipsec security-associations ha-link-encryption
  Total active tunnels: 1     Total IPsec sas: 4
  ID       Algorithm                   SPI         Life:sec/kb  Mon  lsys  Port  Gateway
  <495051  ESP:aes-gcm-256/aes256-gcm  0x000e5ff3  93 / unlim   -    root  500   22.0.0.1
  >495051  ESP:aes-gcm-256/aes256-gcm  0x0004c6a1  93 / unlim   -    root  500   22.0.0.1
  <495051  ESP:aes-gcm-256/aes256-gcm  0x040e5ff3  93 / unlim   -    root  500   22.0.0.1
  >495051  ESP:aes-gcm-256/aes256-gcm  0x0404c6a1  93 / unlim   -    root  500   22.0.0.1
  <495051  ESP:aes-gcm-256/aes256-gcm  0x080e5ff3  93 / unlim   -    root  500   22.0.0.1
  >495051  ESP:aes-gcm-256/aes256-gcm  0x0804c6a1  93 / unlim   -    root  500   22.0.0.1
  <495051  ESP:aes-gcm-256/aes256-gcm  0x0c0e5ff3  93 / unlim   -    root  500   22.0.0.1
  >495051  ESP:aes-gcm-256/aes256-gcm  0x0c04c6a1  93 / unlim   -    root  500   22.0.0.1
Meaning
The command output provides the following information:
- The local gateway and remote gateway details.
- The IPsec SA pair for each thread in the PIC.
- The HA link encryption mode, shown in the following line: HA Link Encryption Mode: Multi-Node
- The authentication and encryption algorithms in use.
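Reading the two SA tables side by side shows the relationship a practitioner wants to confirm: every inbound SPI (the "<" rows) on SRX-1 is an outbound SPI (">" row) on SRX-2 and vice versa, the transform is the AES-GCM AEAD cipher that the L3HA_IPSEC_PROP proposal configured, and each node points at a single gateway. As an added example (not from this page or from Juniper), the following Python script parses the SA rows above and asserts those properties, so a stale SA, a non-AEAD transform or a half-established pair is reported instead of being overlooked. The row regex is an assumption about the column layout shown on this page; the sample rows are transcribed from the outputs above.

```python
"""Cross-check 'show security ipsec security-associations ha-link-encryption'
from both nodes.  Added example; the column regex is an assumption about the
page's output layout, not a Juniper API."""
import re
from collections import namedtuple

# Constructed samples: the SA rows shown on this page for SRX-1 and SRX-2.
SRX1_SAS = """\
<495011 ESP:aes-gcm-256/aes256-gcm 0x0004c6a1 116/ unlim - root 500 22.0.0.2
>495011 ESP:aes-gcm-256/aes256-gcm 0x000e5ff3 116/ unlim - root 500 22.0.0.2
<495011 ESP:aes-gcm-256/aes256-gcm 0x0404c6a1 116/ unlim - root 500 22.0.0.2
>495011 ESP:aes-gcm-256/aes256-gcm 0x040e5ff3 116/ unlim - root 500 22.0.0.2
<495011 ESP:aes-gcm-256/aes256-gcm 0x0804c6a1 116/ unlim - root 500 22.0.0.2
>495011 ESP:aes-gcm-256/aes256-gcm 0x080e5ff3 116/ unlim - root 500 22.0.0.2
<495011 ESP:aes-gcm-256/aes256-gcm 0x0c04c6a1 116/ unlim - root 500 22.0.0.2
>495011 ESP:aes-gcm-256/aes256-gcm 0x0c0e5ff3 116/ unlim - root 500 22.0.0.2
"""
SRX2_SAS = """\
<495051 ESP:aes-gcm-256/aes256-gcm 0x000e5ff3 93 / unlim - root 500 22.0.0.1
>495051 ESP:aes-gcm-256/aes256-gcm 0x0004c6a1 93 / unlim - root 500 22.0.0.1
<495051 ESP:aes-gcm-256/aes256-gcm 0x040e5ff3 93 / unlim - root 500 22.0.0.1
>495051 ESP:aes-gcm-256/aes256-gcm 0x0404c6a1 93 / unlim - root 500 22.0.0.1
<495051 ESP:aes-gcm-256/aes256-gcm 0x080e5ff3 93 / unlim - root 500 22.0.0.1
>495051 ESP:aes-gcm-256/aes256-gcm 0x0804c6a1 93 / unlim - root 500 22.0.0.1
<495051 ESP:aes-gcm-256/aes256-gcm 0x0c0e5ff3 93 / unlim - root 500 22.0.0.1
>495051 ESP:aes-gcm-256/aes256-gcm 0x0c04c6a1 93 / unlim - root 500 22.0.0.1
"""

SA = namedtuple("SA", "direction id algorithm spi life_sec life_kb gateway")

# direction, ID, algorithm, SPI, life sec / kb, Mon, lsys, Port, Gateway
SA_RE = re.compile(
    r"^\s*([<>])(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(\d+)\s*/\s*(\S+)"
    r"\s+\S+\s+\S+\s+\d+\s+(\S+)\s*$"
)

def parse_sas(text):
    """Return one SA per matching row; header and totals lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            d, i, alg, spi, sec, kb, gw = m.groups()
            sas.append(SA(d, int(i), alg, int(spi, 16), int(sec), kb, gw))
    return sas

def check_icl_sas(local, remote):
    """Empty list means the two nodes hold a consistent AEAD-protected SA set."""
    findings = []
    if not local or not remote:
        return ["no ha-link-encryption SAs parsed on one or both nodes"]
    for sa in local + remote:
        if "gcm" not in sa.algorithm.lower():
            findings.append(f"SA 0x{sa.spi:08x} uses {sa.algorithm}, not an AEAD (GCM) transform")
    local_in = {sa.spi for sa in local if sa.direction == "<"}
    local_out = {sa.spi for sa in local if sa.direction == ">"}
    remote_in = {sa.spi for sa in remote if sa.direction == "<"}
    remote_out = {sa.spi for sa in remote if sa.direction == ">"}
    if local_in != remote_out:
        findings.append("local inbound SPIs do not match remote outbound SPIs")
    if local_out != remote_in:
        findings.append("local outbound SPIs do not match remote inbound SPIs")
    if len(local_in) != len(local_out):
        findings.append("unpaired SA: inbound and outbound counts differ")
    if len({sa.gateway for sa in local}) != 1 or len({sa.gateway for sa in remote}) != 1:
        findings.append("SAs on one node point at more than one gateway")
    return findings

def audit_page_example():
    return check_icl_sas(parse_sas(SRX1_SAS), parse_sas(SRX2_SAS))

if __name__ == "__main__":
    print(audit_page_example() or "consistent")
```

The SPI mirroring check is the one that catches a rekey that completed on only one side: the node that still holds the old SA shows an inbound SPI its peer no longer uses as outbound.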
Verify Link Encryption Tunnel Statistics
Purpose
Verify link encryption tunnel statistics on both active and backup nodes.
Action
From operational mode, run the following command:
SRX1
user@host> show security ipsec statistics ha-link-encryption
ESP Statistics:
    Encrypted bytes:            1171248
    Decrypted bytes:             681032
    Encrypted packets:             8492
    Decrypted packets:             8405
AH Statistics:
    Input bytes:                      0
    Output bytes:                     0
    Input packets:                    0
    Output packets:                   0
Errors:
    AH authentication failures: 0, Replay errors: 0
    ESP authentication failures: 0, ESP decryption failures: 0
    Bad headers: 0, Bad trailers: 0
    Invalid SPI: 5, TS check fail: 0
    Exceeds tunnel MTU: 0
    Discarded: 5
SRX2
user@host> show security ipsec statistics ha-link-encryption
ESP Statistics:
    Encrypted bytes:            1193340
    Decrypted bytes:             717524
    Encrypted packets:             8723
    Decrypted packets:             8809
AH Statistics:
    Input bytes:                      0
    Output bytes:                     0
    Input packets:                    0
    Output packets:                   0
Errors:
    AH authentication failures: 0, Replay errors: 0
    ESP authentication failures: 0, ESP decryption failures: 0
    Bad headers: 0, Bad trailers: 0
    Invalid SPI: 1, TS check fail: 0
    Exceeds tunnel MTU: 0
    Discarded: 1
Meaning
If you see packet loss across the VPN, run the show security ipsec statistics ha-link-encryption command several times to verify that the encrypted and decrypted packet counters are incrementing. Also check whether any of the error counters are incrementing between runs; a non-zero value that stays constant (such as the Invalid SPI and Discarded counts in the output above) reflects past events, whereas a value that keeps growing points to a current problem.
Use the clear security ipsec security-associations ha-link-encryption command to clear all IPsec statistics.
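As an added example (not from this page or from Juniper), the following Python script does exactly that comparison: it parses two successive copies of the statistics output, checks that the encrypted and decrypted packet counters moved, and flags any error counter whose value grew between the two samples. The baseline sample is transcribed from the SRX1 output above; the later samples are constructed, one healthy and one with decryption stalled and replay and discard counters climbing. The regex is an assumption about the "name: value" layout of the output.

```python
"""Compare two samples of 'show security ipsec statistics ha-link-encryption'.
Added example; the counter regex is an assumption about the output layout
shown on the page, not a Juniper API."""
import re

# 'Name: 123' pairs; the name may contain spaces and '/', never ':' or newline,
# so section headers such as 'Errors:' (followed by text) do not match.
STATS_RE = re.compile(r"([A-Za-z][A-Za-z /]*?):\s*(\d+)\b")

# Constructed baseline, transcribed from the SRX1 output on this page.
SAMPLE_T0 = """\
ESP Statistics:
    Encrypted bytes: 1171248
    Decrypted bytes: 681032
    Encrypted packets: 8492
    Decrypted packets: 8405
AH Statistics:
    Input bytes: 0
    Output bytes: 0
    Input packets: 0
    Output packets: 0
Errors:
    AH authentication failures: 0, Replay errors: 0
    ESP authentication failures: 0, ESP decryption failures: 0
    Bad headers: 0, Bad trailers: 0
    Invalid SPI: 5, TS check fail: 0
    Exceeds tunnel MTU: 0
    Discarded: 5
"""
# Constructed later sample: traffic counters advanced, error counters unchanged.
SAMPLE_T1 = (SAMPLE_T0.replace("Encrypted bytes: 1171248", "Encrypted bytes: 1232608")
             .replace("Decrypted bytes: 681032", "Decrypted bytes: 701840")
             .replace("Encrypted packets: 8492", "Encrypted packets: 8700")
             .replace("Decrypted packets: 8405", "Decrypted packets: 8610"))
# Constructed unhealthy sample: decryption stalled, replay and discard counters climbing.
SAMPLE_T2 = (SAMPLE_T1.replace("Encrypted packets: 8700", "Encrypted packets: 8900")
             .replace("Replay errors: 0", "Replay errors: 3")
             .replace("Discarded: 5", "Discarded: 8"))

TRAFFIC = ("Encrypted packets", "Decrypted packets")
ERROR_COUNTERS = ("Replay errors", "ESP authentication failures",
                  "ESP decryption failures", "Bad headers", "Bad trailers",
                  "Invalid SPI", "TS check fail", "Exceeds tunnel MTU", "Discarded")

def parse_stats(text):
    """Return {counter name: int} for every 'name: value' pair in the output."""
    return {name.strip(): int(value) for name, value in STATS_RE.findall(text)}

def assess(before, after):
    """Empty list means traffic is flowing and no error counter grew."""
    findings = []
    for k in TRAFFIC:
        if after[k] - before[k] <= 0:
            findings.append(f"{k} did not increase ({before[k]} -> {after[k]})")
    for k in ERROR_COUNTERS:
        delta = after[k] - before[k]
        if delta > 0:   # a static non-zero count is history, growth is a live problem
            findings.append(f"{k} increased by {delta}")
    return findings

def audit_samples(first_text, second_text):
    return assess(parse_stats(first_text), parse_stats(second_text))

if __name__ == "__main__":
    print(audit_samples(SAMPLE_T0, SAMPLE_T1) or "healthy")
    print(audit_samples(SAMPLE_T1, SAMPLE_T2))
```

Working on deltas rather than absolute values is what makes the check usable without clearing the statistics first: the baseline already shows Invalid SPI: 5 and Discarded: 5, and those are only worth attention if they keep rising.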
Verify Interchassis Link Active Peers
Purpose
View only the ICL active peers, not the regular IKE active peers.
Action
From operational mode, run the following command:
SRX-1
user@host> show security ike active-peer ha-link-encryption
Remote Address  Port  Peer IKE-ID  AAA username   Assigned IP
22.0.0.2        500   22.0.0.2     not available  0.0.0.0
SRX-2
user@host> show security ike active-peer ha-link-encryption
Remote Address  Port  Peer IKE-ID  AAA username   Assigned IP
22.0.0.1        500   22.0.0.1     not available  0.0.0.0
Meaning
The command output displays only the active peer of the ICL, with details such as the peer address and the port the active peer is using.