Selective Session Synchronization for Multinode High Availability
Learn how selective session synchronization lets you control synchronization preferences in both two-node and four-node Multinode High Availability setups.
The multinode high availability (MNHA) feature enhances resilience and performance by ensuring the concurrent activity of both control and data planes across participating nodes. A four-node MNHA synchronizes flow sessions between the peer nodes through:
- Cold Synchronization: This happens when a new node joins the MNHA cluster. The system needs to synchronize all active flow session states from the existing nodes to the new one. This ensures the new node has the same session data as its peers, so it can take over traffic seamlessly if needed.
  Benefit: Reduce the full synchronization time, which means the new node can become active faster and start participating in load sharing or failover.
- Hot Synchronization: This occurs continuously during normal operation. Whenever a new session is created, its state is immediately synchronized to the peer node. This ensures real-time redundancy: if one node fails, the peer can take over without losing session data.
  Benefit: Improve CPS (connections per second) performance, meaning the system can handle more new sessions per second efficiently.
This dual approach optimizes system performance by reducing the need for repeated state replications, thereby enhancing session synchronization efficiency.
Selective session synchronization allows you to manage session synchronization preferences in a two-node MNHA and in a four-node MNHA using the following options:
- Session synchronization based on policy and age: This option allows you to disable synchronization for short-lived sessions or set a minimum age for session synchronization.
- Default and user-defined profiles: This option allows you to configure the default flow profile or user-defined flow profiles for session synchronization. The default profile applies if no user-defined profile is set.
Benefits of Multinode High Availability (MNHA)
- Optimizes system performance by synchronizing sessions through cold and hot synchronization methods, reducing the need for repeated state replications.
- Enables fine-grained session management through customizable sync policies, durations, and profiles, supporting both default flow profile and user-defined flow profile configurations to meet specific network needs.
Configuring Selective Session Synchronization
To configure selective session synchronization, define one of the following options (synchronize sessions based on session age, or disable session synchronization) in the default flow profile or in a user-defined flow profile.
- session-sync disabled: Disables synchronization of sessions over both the inter domain link (IDL) and the interchassis link (ICL). Use this option for policies that match short-lived sessions, such as DNS or HTTP.
- session-sync-min-age: Synchronizes a session only after it has been established for the minimum session age. You can set a value from 0 to 3600 seconds. The default value is 0, meaning all sessions are synchronized immediately.
Configure Default Flow Profile
By default, every policy uses the default profile if no user-defined profile is attached to it. With its default values, the default flow profile synchronizes sessions immediately over the intra domain (ICL) and inter domain (IDL) links.
[edit]
user@host# set security flow flow-profile default_profile session-sync-min-age <0-3600>
Or
[edit]
user@host# set security flow flow-profile default_profile session-sync disabled
Configure User-Defined Flow Profile
You can define a user-defined profile and apply it in a security policy. If no user-defined profile is attached to a policy, the default profile is applied to that security policy.
- Create a new flow profile called "p1_profile" and define its session synchronization options. Either disable session synchronization or set a custom minimum session age:
[edit]
user@host# set security flow flow-profile p1_profile session-sync disabled
Or
[edit]
user@host# set security flow flow-profile p1_profile session-sync-min-age 5
- Apply the profile in a security policy:
[edit]
user@host# set security policies from-zone npw to-zone npw policy npw_1 match source-address any
user@host# set security policies from-zone npw to-zone npw policy npw_1 match destination-address any
user@host# set security policies from-zone npw to-zone npw policy npw_1 match application any
user@host# set security policies from-zone npw to-zone npw policy npw_1 then permit
user@host# set security policies from-zone npw to-zone npw policy npw_1 then permit flow-profile p1_profile
Profile switching behavior: When switching from one profile (such as p1_profile) to another (such as p2_profile), the new profile settings apply only to newly created sessions. Existing sessions continue to operate under the previously applied profile.
Default profile usage: System policies such as pre-id-default policy or default policy, or any other policy without an explicitly configured profile will automatically use the default profile settings.
To check the session-sync status on MNHA nodes, use the following commands:
- show security flow session summary: Show flow session details, including the number of sessions synchronized to ICL and IDL when selective-session-sync options are applied.
user@host> show security flow session summary
Unicast-sessions: 16
Multicast-sessions: 0
Services-offload-sessions: 0
Failed-sessions: 0
Sessions-in-drop-flow: 0
Selective-sync-session: 13
Sessions-in-use: 16
  Valid sessions: 16
  Pending sessions: 0
  Invalidated sessions: 0
  Sessions in other states: 0
Maximum-sessions: 262144
- show security flow session selective-session-sync-disabled: Show details of all sessions that were not synced to the peer node due to the session-sync disabled configuration.
user@host> show security flow session selective-sync-disabled
Session ID: 107, Policy name: in_policy/4, HA State: Active, Timeout: 108, Session State: Valid
  In: 3.0.0.1/56206 --> 6.0.0.1/22;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 24, Bytes: 3749, HA Wing State: Active,
  Out: 6.0.0.1/22 --> 3.0.0.1/56206;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 24, Bytes: 5117, HA Wing State: Active,
Session ID: 108, Policy name: in_policy/4, HA State: Active, Timeout: 124, Session State: Valid
  In: 3.0.0.1/58442 --> 6.0.0.1/22;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 24, Bytes: 3749, HA Wing State: Active,
  Out: 6.0.0.1/22 --> 3.0.0.1/58442;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 24, Bytes: 5117, HA Wing State: Active,
Total sessions: 2
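Sessions listed by the selective-sync-disabled command have no state on the peer node, so it is worth checking that only the intended short-lived services appear there. The following Python sketch is an added example, not Juniper code: it parses the output format shown above and flags unsynchronized sessions whose protocol and destination port are outside an expected set. The function names and the EXPECTED_UNSYNCED set (DNS and HTTP, the short-lived examples this page names) are assumptions.

```python
import re
from collections import Counter

# Output copied from the example on this page (line breaks restored).
SAMPLE = """\
Session ID: 107, Policy name: in_policy/4, HA State: Active, Timeout: 108, Session State: Valid
  In: 3.0.0.1/56206 --> 6.0.0.1/22;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 24, Bytes: 3749, HA Wing State: Active,
  Out: 6.0.0.1/22 --> 3.0.0.1/56206;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 24, Bytes: 5117, HA Wing State: Active,
Session ID: 108, Policy name: in_policy/4, HA State: Active, Timeout: 124, Session State: Valid
  In: 3.0.0.1/58442 --> 6.0.0.1/22;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 24, Bytes: 3749, HA Wing State: Active,
  Out: 6.0.0.1/22 --> 3.0.0.1/58442;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 24, Bytes: 5117, HA Wing State: Active,
Total sessions: 2
"""

# Assumption: the short-lived services (DNS, HTTP) this site chose to leave unsynchronized.
EXPECTED_UNSYNCED = {("udp", 53), ("tcp", 53), ("tcp", 80)}

# One match per session: header fields plus the forward ("In:") wing.
SESSION_RE = re.compile(
    r"Session ID:\s*(?P<sid>\d+),\s*Policy name:\s*(?P<policy>[^,]+),"
    r".*?\bIn:\s*(?P<src>[^/\s]+)/(?P<sport>\d+)\s*-->\s*"
    r"(?P<dst>[^/\s]+)/(?P<dport>\d+);(?P<proto>\w+)",
    re.DOTALL,
)

def parse_unsynced(text):
    """Return one dict per session listed in the command output."""
    sessions = []
    for m in SESSION_RE.finditer(text):
        s = m.groupdict()
        s["sid"], s["sport"], s["dport"] = int(s["sid"]), int(s["sport"]), int(s["dport"])
        sessions.append(s)
    return sessions

def audit(text, expected=EXPECTED_UNSYNCED):
    """Return (unexpected sessions, count per policy) for unsynced sessions
    whose protocol/destination port is not in the expected set."""
    sessions = parse_unsynced(text)
    total = re.search(r"Total sessions:\s*(\d+)", text)
    if total and int(total.group(1)) != len(sessions):
        raise ValueError("parsed session count differs from 'Total sessions'")
    unexpected = [s for s in sessions if (s["proto"], s["dport"]) not in expected]
    return unexpected, Counter(s["policy"] for s in unexpected)

if __name__ == "__main__":
    flagged, by_policy = audit(SAMPLE)
    for s in flagged:
        print(f"session {s['sid']} ({s['policy']}): {s['proto']}/{s['dport']} is not synchronized")
    print(dict(by_policy))
```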