Example: Configure Multinode High Availability in a Default Gateway Deployment
This topic describes how to configure Multinode High Availability in active/backup mode for a default gateway (Layer 2) deployment.
Overview
For the list of supported features across different platforms and software releases, see Feature Explorer.
In Multinode High Availability, participating Junos Firewalls operate as independent nodes in a Layer 2 network. An encrypted logical interchassis link (ICL) connects the nodes over a routed network. Participating nodes backup each other to ensure a fast synchronized failover in case of system or hardware failure.
In MNHA default gateway (L2) mode, both SRX Series Firewall nodes appear as a single gateway by sharing a virtual IP (VIP) and MAC address. Devices in the network use this VIP as their default gateway, so these devices don’t need to know which node is actually handling the traffic. Each group has one active node that forwards traffic and one backup node for failover, making it a simple and transparent next-hop design for the network.
Requirements
This example uses the following hardware and software components:
- Two supported Junos firewalls or virtual Firewall Instances
- Two Juniper Networks Switches at the other end
- Junos OS Release 26.2R1
Topology
Figure 1 shows the topology used in this example.
In this topology, clients in the LAN send traffic to the default gateway (the VIP). The switch forwards this traffic to both SRX Series Firewall nodes, but only the active node for that SRG (for example, SRX‑01 in the diagram) owns the VIP and processes the packets. The active node performs security checks, creates sessions, and forwards the traffic toward the untrust side. At the same time, it synchronizes session information with the backup node over the ICL link so that the peer is always ready to take over.
If the active node or its path fails, the backup node quickly takes over the VIP and vMAC. Traffic from the LAN and untrust side is then redirected to the new active node without requiring any changes on the hosts. Because sessions were already synchronized, most flows continue with minimal disruption, providing seamless failover in the network.
This example uses direct connections between the SRX Series Firewalls and switches for simplicity; in particular, the inter‑chassis link (ICL) in the HA Link zone is established using the ge-0/0/2.0 interface directly between devices. However, in production deployments, these links can also traverse an intermediate routed network.
Table 1 shows the details on interfaces configuration used in this example.
| Device | Interface | Zone | IP Address | Configured For |
|---|---|---|---|---|
| SRX-01 | ge-0/0/2.0 | halink | 10.22.0.1/24 | Interchassis -link (ICL) |
| ge-0/0/3.0 | trust | 10.1.0.1/24 | Connects to Switch-01 | |
| ge-0/0/4.0 | untrust | 10.2.0.1/24 | Connects to Switch-02 | |
| SRX-02 | ge-0/0/2.0 | halink | 10.22.0.2/24 | Interchassis -link (ICL) |
| ge-0/0/3.0 | trust | 10.1.0.2/24 | Connects to Switch-01 | |
| ge-0/0/4.0 | untrust | 10.2.0.2/24 | Connects to Switch-02 |
You'll perform the following tasks to build an MNHA setup:
- Configure a pair of firewalls as local and peer nodes by assigning IDs.
- Configure services redundancy groups (SRGs).
- Configure virtual IP addresses for activeness determination and enforcement. In this
example, a single virtual IP is configured with both IPv4 and IPv6 addresses
using multiple
ipstatements to enable dual-stack support. - Configure a VPN profile for the high availability (ICL) traffic using IKEv2.
- Configure appropriate security policies to manage traffic in your network.
- Configure interfaces and zones according your network requirement. You must allow services such as IKE for link encryption and SSH for configuration synchronization as host inbound system services on the security zone that is associated with the ICL.
Configuration
Before You Begin
Junos IKE package is required on your firewalls for MNHA configuration. This package is available as a default package or as an optional package on firewalls. See Support for Junos IKE Package for details.
If the package is not installed by default on your device, use the following command to install it. You require this step for ICL encryption.
user@host> request system software add optional://junos-ike.tgz Verified junos-ike signed by PackageProductionECP256_2022 method ECDSA256+SHA256 Rebuilding schema and Activating configuration... mgd: commit complete Restarting MGD ... WARNING: cli has been replaced by an updated version: CLI release 20220208.163814_builder.r1239105 built by builder on 2022-02-08 17:07:55 UTC Restart cli using the new version ? [yes,no] (yes)
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a
text file, remove any line breaks, change any details necessary to match your
network configuration. Next, copy and paste the commands into the CLI at the
[edit] hierarchy level, and then enter
commit from configuration mode.
On SRX-01
set chassis high-availability local-id 1 set chassis high-availability local-id local-ip 10.22.0.1 set chassis high-availability peer-id 2 peer-ip 10.22.0.2 set chassis high-availability peer-id 2 interface ge-0/0/2.0 set chassis high-availability peer-id 2 vpn-profile IPSEC_VPN_ICL set chassis high-availability peer-id 2 liveness-detection minimum-interval 200 set chassis high-availability peer-id 2 liveness-detection multiplier 3 set chassis high-availability services-redundancy-group 1 deployment-type switching set chassis high-availability services-redundancy-group 1 peer-id 2 set chassis high-availability services-redundancy-group 1 virtual-ip 1 ip 10.1.0.200/24 set chassis high-availability services-redundancy-group 1 virtual-ip 1 ip 2001:db8:6700::3/64 set chassis high-availability services-redundancy-group 1 virtual-ip 1 interface ge-0/0/3.0 set chassis high-availability services-redundancy-group 1 virtual-ip 1 use-virtual-mac set chassis high-availability services-redundancy-group 1 virtual-ip 2 ip 10.2.0.200/24 set chassis high-availability services-redundancy-group 1 virtual-ip 2 ip 2001:db8:6701::7/64 set chassis high-availability services-redundancy-group 1 virtual-ip 2 interface ge-0/0/4.0 set chassis high-availability services-redundancy-group 1 virtual-ip 2 use-virtual-mac set chassis high-availability services-redundancy-group 1 monitor interface ge-0/0/3 set chassis high-availability services-redundancy-group 1 monitor interface ge-0/0/4 set chassis high-availability services-redundancy-group 1 preemption set chassis high-availability services-redundancy-group 1 activeness-priority 200 set security ike proposal MNHA_IKE_PROP description mnha_link_encr_tunnel set security ike proposal MNHA_IKE_PROP authentication-method pre-shared-keys set security ike proposal MNHA_IKE_PROP dh-group group14 set security ike proposal MNHA_IKE_PROP authentication-algorithm sha-256 set security ike proposal MNHA_IKE_PROP encryption-algorithm aes-256-cbc set security ike proposal MNHA_IKE_PROP lifetime-seconds 3600 set security ike policy MNHA_IKE_POL description mnha_link_encr_tunnel set security ike policy MNHA_IKE_POL proposals MNHA_IKE_PROP set security ike policy MNHA_IKE_POL pre-shared-key ascii-text "$ABC123" set security ike gateway MNHA_IKE_GW ike-policy MNHA_IKE_POL set security ike gateway MNHA_IKE_GW version v2-only set security ipsec proposal MNHA_IPSEC_PROP description mnha_link_encr_tunnel set security ipsec proposal MNHA_IPSEC_PROP protocol esp set security ipsec proposal MNHA_IPSEC_PROP encryption-algorithm aes-256-gcm set security ipsec proposal MNHA_IPSEC_PROP lifetime-seconds 3600 set security ipsec policy MNHA_IPSEC_POL description mnha_link_encr_tunnel set security ipsec policy MNHA_IPSEC_POL proposals MNHA_IPSEC_PROP set security ipsec vpn IPSEC_VPN_ICL ha-link-encryption set security ipsec vpn IPSEC_VPN_ICL ike gateway MNHA_IKE_GW set security ipsec vpn IPSEC_VPN_ICL ike ipsec-policy MNHA_IPSEC_POL set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust host-inbound-traffic system-services ping set security zones security-zone untrust host-inbound-traffic system-services ssh set security zones security-zone untrust host-inbound-traffic protocols bfd set security zones security-zone untrust host-inbound-traffic protocols bgp set security zones security-zone untrust interfaces lo0.0 set security zones security-zone untrust interfaces ge-0/0/4.0 set security zones security-zone trust host-inbound-traffic system-services ike set security zones security-zone trust host-inbound-traffic system-services ping set security zones security-zone trust host-inbound-traffic system-services ssh set security zones security-zone trust host-inbound-traffic protocols bgp set security zones security-zone trust host-inbound-traffic protocols bfd set security zones security-zone trust interfaces ge-0/0/3.0 set security zones security-zone halink host-inbound-traffic system-services ike set security zones security-zone halink host-inbound-traffic system-services ping set security zones security-zone halink host-inbound-traffic system-services high-availability set security zones security-zone halink host-inbound-traffic system-services ssh set security zones security-zone halink host-inbound-traffic protocols bfd set security zones security-zone halink host-inbound-traffic protocols bgp set security zones security-zone halink interfaces ge-0/0/2.0 set security policies default-policy permit-all set interfaces ge-0/0/2 description ha_link set interfaces ge-0/0/2 unit 0 family inet address 10.22.0.1/24 set interfaces ge-0/0/3 description trust set interfaces ge-0/0/3 unit 0 family inet address 10.1.0.1/24 set interfaces ge-0/0/4 description untrust set interfaces ge-0/0/4 unit 0 family inet address 10.2.0.1/24
On SRX-02
set chassis high-availability local-id 2 set chassis high-availability local-id local-ip 10.22.0.2 set chassis high-availability peer-id 1 peer-ip 10.22.0.1 set chassis high-availability peer-id 1 interface ge-0/0/2.0 set chassis high-availability peer-id 1 vpn-profile IPSEC_VPN_ICL set chassis high-availability peer-id 1 liveness-detection minimum-interval 200 set chassis high-availability peer-id 1 liveness-detection multiplier 3 set chassis high-availability services-redundancy-group 1 deployment-type switching set chassis high-availability services-redundancy-group 1 peer-id 1 set chassis high-availability services-redundancy-group 1 virtual-ip 1 ip 10.1.0.200/24 set chassis high-availability services-redundancy-group 1 virtual-ip 1 ip 2001:db8:6700::3/64 set chassis high-availability services-redundancy-group 1 virtual-ip 1 interface ge-0/0/3.0 set chassis high-availability services-redundancy-group 1 virtual-ip 1 use-virtual-mac set chassis high-availability services-redundancy-group 1 virtual-ip 2 ip 10.2.0.200/24 set chassis high-availability services-redundancy-group 1 virtual-ip 2 ip 2001:db8:6701::7/64 set chassis high-availability services-redundancy-group 1 virtual-ip 2 interface ge-0/0/4.0 set chassis high-availability services-redundancy-group 1 monitor interface ge-0/0/3 set chassis high-availability services-redundancy-group 1 monitor interface ge-0/0/4 set chassis high-availability services-redundancy-group 1 activeness-priority 1 set security ike proposal MNHA_IKE_PROP description mnha_link_encr_tunnel set security ike proposal MNHA_IKE_PROP authentication-method pre-shared-keys set security ike proposal MNHA_IKE_PROP dh-group group14 set security ike proposal MNHA_IKE_PROP authentication-algorithm sha-256 set security ike proposal MNHA_IKE_PROP encryption-algorithm aes-256-cbc set security ike proposal MNHA_IKE_PROP lifetime-seconds 3600 set security ike policy MNHA_IKE_POL description mnha_link_encr_tunnel set security ike policy MNHA_IKE_POL proposals MNHA_IKE_PROP set security ike policy MNHA_IKE_POL pre-shared-key ascii-text "$ABC123" set security ike gateway MNHA_IKE_GW ike-policy MNHA_IKE_POL set security ike gateway MNHA_IKE_GW version v2-only set security ipsec proposal MNHA_IPSEC_PROP description mnha_link_encr_tunnel set security ipsec proposal MNHA_IPSEC_PROP protocol esp set security ipsec proposal MNHA_IPSEC_PROP encryption-algorithm aes-256-gcm set security ipsec proposal MNHA_IPSEC_PROP lifetime-seconds 3600 set security ipsec policy MNHA_IPSEC_POL description mnha_link_encr_tunnel set security ipsec policy MNHA_IPSEC_POL proposals MNHA_IPSEC_PROP set security ipsec vpn IPSEC_VPN_ICL ha-link-encryption set security ipsec vpn IPSEC_VPN_ICL ike gateway MNHA_IKE_GW set security ipsec vpn IPSEC_VPN_ICL ike ipsec-policy MNHA_IPSEC_POL set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust host-inbound-traffic system-services ping set security zones security-zone untrust host-inbound-traffic system-services ssh set security zones security-zone untrust host-inbound-traffic protocols bfd set security zones security-zone untrust host-inbound-traffic protocols bgp set security zones security-zone untrust interfaces lo0.0 set security zones security-zone untrust interfaces ge-0/0/4.0 set security zones security-zone trust host-inbound-traffic system-services ike set security zones security-zone trust host-inbound-traffic system-services ping set security zones security-zone trust host-inbound-traffic system-services ssh set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols bgp set security zones security-zone trust host-inbound-traffic protocols bfd set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/3.0 set security zones security-zone halink host-inbound-traffic system-services ike set security zones security-zone halink host-inbound-traffic system-services ping set security zones security-zone halink host-inbound-traffic system-services high-availability set security zones security-zone halink host-inbound-traffic system-services ssh set security zones security-zone halink host-inbound-traffic protocols bfd set security zones security-zone halink host-inbound-traffic protocols bgp set security zones security-zone halink interfaces ge-0/0/2.0 set security policies default-policy permit-all set interfaces ge-0/0/2 description ha_link set interfaces ge-0/0/2 unit 0 family inet address 10.22.0.2/24 set interfaces ge-0/0/3 description trust set interfaces ge-0/0/3 unit 0 family inet address 10.1.0.2/24 set interfaces ge-0/0/4 description untrust set interfaces ge-0/0/4 unit 0 family inet address 10.2.0.2/24
The following sections show configuration snippets on the switches required for setting up MNHA setup in the network.
On Switch -01
set interfaces ge-0/0/0 description to-vsrx-1 set interfaces ge-0/0/0 mtu 9192 set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members lan set interfaces ge-0/0/1 description to-vsrx-2 set interfaces ge-0/0/1 mtu 9192 set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members lan set interfaces ge-0/0/2 description lan set interfaces ge-0/0/2 mtu 9192 set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members lan set vlans lan vlan-id 1001
On Switch -02
set interfaces ge-0/0/0 description to-vsrx-1 set interfaces ge-0/0/0 mtu 9192 set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members lan set interfaces ge-0/0/1 description to-vsrx-2 set interfaces ge-0/0/1 mtu 9192 set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members lan set vlans lan vlan-id 1001
Configuration
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
-
Configure the physical interfaces with appropriate descriptions and IP addresses.
SRX-01
[edit] user@host# set interfaces ge-0/0/2 description ha_link user@host# set interfaces ge-0/0/2 unit 0 family inet address 10.22.0.1/24 user@host# set interfaces ge-0/0/3 description trust user@host# set interfaces ge-0/0/3 unit 0 family inet address 10.1.0.1/24 user@host# set interfaces ge-0/0/4 description untrust user@host# set interfaces ge-0/0/4 unit 0 family inet address 10.2.0.1/24
- SRX-02
[edit] user@host# set interfaces ge-0/0/2 description ha_link user@host# set interfaces ge-0/0/2 unit 0 family inet address 10.22.0.2/24 user@host# set interfaces ge-0/0/3 description trust user@host# set interfaces ge-0/0/3 unit 0 family inet address 10.1.0.2/24 user@host# set interfaces ge-0/0/4 description untrust user@host# set interfaces ge-0/0/4 unit 0 family inet address 10.2.0.2/24
- Configure the security policy. SRX-01 and SRX-02
[edit] user@host# set security policies default-policy permit-all
CAUTION:The security policy shown in this example is only for demonstration and testing. You should configure security policies as per your network needs. Ensure that your security policies allow only the applications, users, and devices that you trust. -
Configure security zones, assign interfaces to the zones, and specify the allowed system services for the security zones.
- SRX-01
[edit] user@host# set security zones security-zone untrust host-inbound-traffic system-services ike user@host# set security zones security-zone untrust host-inbound-traffic system-services ping user@host# set security zones security-zone untrust host-inbound-traffic system-services ssh user@host# set security zones security-zone untrust host-inbound-traffic protocols bfd user@host# set security zones security-zone untrust host-inbound-traffic protocols bgp user@host# set security zones security-zone untrust interfaces ge-0/0/4.0 user@host# set security zones security-zone trust host-inbound-traffic system-services ike user@host# set security zones security-zone trust host-inbound-traffic system-services ping user@host# set security zones security-zone trust host-inbound-traffic system-services ssh user@host# set security zones security-zone trust host-inbound-traffic protocols bgp user@host# set security zones security-zone trust host-inbound-traffic protocols bfd user@host# set security zones security-zone trust interfaces ge-0/0/3.0 user@host# set security zones security-zone halink host-inbound-traffic system-services ike user@host# set security zones security-zone halink host-inbound-traffic system-services ping user@host# set security zones security-zone halink host-inbound-traffic system-services high-availability user@host# set security zones security-zone halink host-inbound-traffic system-services ssh user@host# set security zones security-zone halink host-inbound-traffic protocols bfd user@host# set security zones security-zone halink host-inbound-traffic protocols bgp user@host# set security zones security-zone halink interfaces ge-0/0/2.0
- SRX-02
[edit] user@host# set security zones security-zone untrust host-inbound-traffic system-services ike user@host# set security zones security-zone untrust host-inbound-traffic system-services ping user@host# set security zones security-zone untrust host-inbound-traffic system-services ssh user@host# set security zones security-zone untrust host-inbound-traffic protocols bfd user@host# set security zones security-zone untrust host-inbound-traffic protocols bgp user@host# set security zones security-zone untrust interfaces ge-0/0/4.0 user@host# set security zones security-zone trust host-inbound-traffic system-services ike user@host# set security zones security-zone trust host-inbound-traffic system-services ping user@host# set security zones security-zone trust host-inbound-traffic system-services ssh user@host# set security zones security-zone trust host-inbound-traffic system-services all user@host# set security zones security-zone trust host-inbound-traffic protocols bgp user@host# set security zones security-zone trust host-inbound-traffic protocols bfd user@host# set security zones security-zone trust host-inbound-traffic protocols all user@host# set security zones security-zone trust interfaces ge-0/0/3.0 user@host# set security zones security-zone halink host-inbound-traffic system-services ike user@host# set security zones security-zone halink host-inbound-traffic system-services ping user@host# set security zones security-zone halink host-inbound-traffic system-services high-availability user@host# set security zones security-zone halink host-inbound-traffic system-services ssh user@host# set security zones security-zone halink host-inbound-traffic protocols bfd user@host# set security zones security-zone halink host-inbound-traffic protocols bgp user@host# set security zones security-zone halink interfaces ge-0/0/2.0
For an MNHA setup, this configuration typically includes allowing IKE, BGP, and BFD. Always tailor the security rules to align with your network and security requirements.
- SRX-01
-
Configure Chassis High Availability Identity. Establish the local device identity and peer relationship.
- SRX-01
[edit] user@host# set chassis high-availability local-id 1 user@host# set chassis high-availability local-id local-ip 10.22.0.1 user@host# set chassis high-availability peer-id 2 peer-ip 10.22.0.2 user@host# set chassis high-availability peer-id 2 interface ge-0/0/2.0
- SRX-02
[edit] user@host# set chassis high-availability local-id 2 user@host# set chassis high-availability local-id local-ip 10.22.0.2 user@host# set chassis high-availability peer-id 1 peer-ip 10.22.0.1 user@host# set chassis high-availability peer-id 1 interface ge-0/0/2.0
You'll use the ge-0/0/2 interface for communicating with the peer node using the ICL.
- SRX-01
-
Attach the IPsec VPN profile IPSEC_VPN_ICL to the peer node.
- SRX-01
[edit] user@host# set chassis high-availability peer-id 2 vpn-profile IPSEC_VPN_ICL
- SRX-02
[edit] user@host# set chassis high-availability peer-id 1 vpn-profile IPSEC_VPN_ICL
You'll need this configuration to establish a secure ICL link between the nodes.
- SRX-01
-
Configure liveness detection parameters.
- SRX-01
[edit] user@host# set chassis high-availability peer-id 2 liveness-detection minimum-interval 200 user@host# set chassis high-availability peer-id 2 liveness-detection multiplier 3
- SRX-02
[edit] user@host# set chassis high-availability peer-id 1 liveness-detection minimum-interval 200 user@host# set chassis high-availability peer-id 1 liveness-detection multiplier 3
- SRX-01
-
Create the SRG with deployment type and peer association.
- SRX-01
[edit] user@host# set chassis high-availability services-redundancy-group 1 deployment-type switching user@host# set chassis high-availability services-redundancy-group 1 peer-id 2 user@host# set chassis high-availability services-redundancy-group 1 preemption user@host# set chassis high-availability services-redundancy-group 1 activeness-priority 200
- SRX-02
[edit] user@host# set chassis high-availability services-redundancy-group 1 deployment-type switching user@host# set chassis high-availability services-redundancy-group 1 peer-id 1 user@host# set chassis high-availability services-redundancy-group 1 activeness-priority 1
- SRX-01
- Set up virtual IP addresses and interface for seamless failover.
- SRX-01
[edit] user@host# set chassis high-availability services-redundancy-group 1 virtual-ip 1 ip 10.1.0.200/24 user@host# set chassis high-availability services-redundancy-group 1 virtual-ip 1 ip 2001:db8:6700::3/64 user@host# set chassis high-availability services-redundancy-group 1 virtual-ip 1 interface ge-0/0/3.0 user@host# set chassis high-availability services-redundancy-group 1 virtual-ip 1 use-virtual-mac user@host# set chassis high-availability services-redundancy-group 1 virtual-ip 2 ip 10.2.0.200/24 user@host# set chassis high-availability services-redundancy-group 1 virtual-ip 2 ip 2001:db8:6701::7/64 user@host# set chassis high-availability services-redundancy-group 1 virtual-ip 2 interface ge-0/0/4.0 user@host# set chassis high-availability services-redundancy-group 1 virtual-ip 2 use-virtual-mac
- SRX-02
[edit] user@host# set chassis high-availability services-redundancy-group 1 virtual-ip 1 ip 10.1.0.200/24 user@host# set chassis high-availability services-redundancy-group 1 virtual-ip 1 ip 2001:db8:6700::3/64 user@host# set chassis high-availability services-redundancy-group 1 virtual-ip 1 interface ge-0/0/3.0 user@host# set chassis high-availability services-redundancy-group 1 virtual-ip 1 use-virtual-mac user@host# set chassis high-availability services-redundancy-group 1 virtual-ip 2 ip 10.2.0.200/24 user@host# set chassis high-availability services-redundancy-group 1 virtual-ip 2 ip 2001:db8:6701::7/64 user@host# set chassis high-availability services-redundancy-group 1 virtual-ip 2 interface ge-0/0/4.0 user@host# set chassis high-availability services-redundancy-group 1 virtual-ip 2 use-virtual-mac
Note: Configuring theuse-virtual-macoption is the recommended option in most cases, except where the surrounding infrastructure would not support a moving virtual MAC address active on a port in addition to the local MAC address.
- SRX-01
-
Enable monitoring of critical interfaces for automatic failover:
- SRX-01
[edit] user@host# set chassis high-availability services-redundancy-group 1 monitor interface ge-0/0/3 user@host# set chassis high-availability services-redundancy-group 1 monitor interface ge-0/0/4
- SRX-02
[edit] user@host# set chassis high-availability services-redundancy-group 1 monitor interface ge-0/0/3 user@host# set chassis high-availability services-redundancy-group 1 monitor interface ge-0/0/4
- SRX-01
-
Encrypt the ICL by configuring an IKEv2-based VPN profile, and define the required IKE and IPsec parameters.
SRX-01 and SRX-02
[edit] user@host# set security ike proposal MNHA_IKE_PROP description mnha_link_encr_tunnel user@host# set security ike proposal MNHA_IKE_PROP authentication-method pre-shared-keys user@host# set security ike proposal MNHA_IKE_PROP dh-group group14 user@host# set security ike proposal MNHA_IKE_PROP authentication-algorithm sha-256 user@host# set security ike proposal MNHA_IKE_PROP encryption-algorithm aes-256-cbc user@host# set security ike proposal MNHA_IKE_PROP lifetime-seconds 3600 user@host# set security ike policy MNHA_IKE_POL description mnha_link_encr_tunnel user@host# set security ike policy MNHA_IKE_POL proposals MNHA_IKE_PROP user@host# set security ike policy MNHA_IKE_POL pre-shared-key ascii-text "$ABC123" user@host# set security ike gateway MNHA_IKE_GW ike-policy MNHA_IKE_POL user@host# set security ike gateway MNHA_IKE_GW version v2-only user@host# set security ipsec proposal MNHA_IPSEC_PROP description mnha_link_encr_tunnel user@host# set security ipsec proposal MNHA_IPSEC_PROP protocol esp user@host# set security ipsec proposal MNHA_IPSEC_PROP encryption-algorithm aes-256-gcm user@host# set security ipsec proposal MNHA_IPSEC_PROP lifetime-seconds 3600 user@host# set security ipsec policy MNHA_IPSEC_POL description mnha_link_encr_tunnel user@host# set security ipsec policy MNHA_IPSEC_POL proposals MNHA_IPSEC_PROP user@host# set security ipsec vpn IPSEC_VPN_ICL ha-link-encryption user@host# set security ipsec vpn IPSEC_VPN_ICL ike gateway MNHA_IKE_GW user@host# set security ipsec vpn IPSEC_VPN_ICL ike ipsec-policy MNHA_IPSEC_POL
For the MNHA feature, you must configure the IKE version as
v2-onlyand specify theha-link-encryptionoption to encrypt the ICL to secure high availability traffic flow between the nodes.
Results (SRX-01)
From configuration mode, confirm your configuration by entering the following commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show chassis high-availability
local-id {
1;
local-ip 10.22.0.1;
}
peer-id 2 {
peer-ip 10.22.0.2;
interface ge-0/0/2.0;
vpn-profile IPSEC_VPN_ICL;
liveness-detection {
minimum-interval 200;
multiplier 3;
}
}
services-redundancy-group 1 {
deployment-type switching;
peer-id {
2;
}
virtual-ip 1 {
ip 2001:db8:6700::3/64;
ip 10.1.0.200/24;
interface ge-0/0/3.0;
use-virtual-mac;
}
virtual-ip 2 {
ip 2001:db8:6701::7/64;
ip 10.2.0.200/24;
interface ge-0/0/4.0;
use-virtual-mac;
}
monitor {
interface {
ge-0/0/3;
ge-0/0/4;
}
}
preemption;
activeness-priority 200;
}
[edit]
user@host# show security ike
proposal MNHA_IKE_PROP {
description "mnha_link_encr_tunnel";
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;
}
policy MNHA_IKE_POL {
description "mnha_link_encr_tunnel";
proposals MNHA_IKE_PROP;
pre-shared-key {
ascii-text "$ABC123";
}
}
gateway MNHA_IKE_GW {
ike-policy MNHA_IKE_POL;
version v2-only;
}
}
[edit]
user@host# show security ipsec
proposal MNHA_IPSEC_PROP {
description "mnha_link_encr_tunnel";
protocol esp;
encryption-algorithm aes-256-gcm;
lifetime-seconds 3600;
}
policy MNHA_IPSEC_POL {
description "mnha_link_encr_tunnel";
proposals MNHA_IPSEC_PROP;
}
vpn IPSEC_VPN_ICL {
ha-link-encryption;
ike {
gateway MNHA_IKE_GW;
ipsec-policy MNHA_IPSEC_POL;
}
}
[edit]
user@host# show security zones
security-zone untrust {
host-inbound-traffic {
system-services {
ike;
ping;
ssh;
}
protocols {
bfd;
bgp;
}
}
interfaces {
ge-0/0/4.0;
}
}
security-zone trust {
host-inbound-traffic {
system-services {
ike;
ping;
ssh;
}
protocols {
bgp;
bfd;
}
}
interfaces {
ge-0/0/3.0;
}
}
security-zone halink {
host-inbound-traffic {
system-services {
ike;
ping;
high-availability;
ssh;
}
protocols {
bfd;
bgp;
}
}
interfaces {
ge-0/0/2.0;
}
} [edit]
user@host# show interfaces
ge-0/0/2 {
description ha_link;
unit 0 {
family inet {
address 10.22.0.1/24;
}
}
}
ge-0/0/3 {
description trust;
unit 0 {
family inet {
address 10.1.0.1/24;
}
}
}
ge-0/0/4 {
description untrust;
unit 0 {
family inet {
address 10.2.0.1/24;
}
}
}
If you are done configuring the device, enter commit from
configuration mode.
Results (SRX-02)
From configuration mode, confirm your configuration by entering the following commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show chassis high-availability
local-id {
2;
local-ip 10.22.0.1;
}
peer-id 1 {
peer-ip 10.22.0.2;
interface ge-0/0/2.0;
vpn-profile IPSEC_VPN_ICL;
liveness-detection {
minimum-interval 200;
multiplier 3;
}
}
services-redundancy-group 1 {
deployment-type switching;
peer-id {
1;
}
virtual-ip 1 {
ip 10.1.0.200/16;
ip 2001:db8:6700::3/64;
interface ge-0/0/3.0;
use-virtual-mac;
}
virtual-ip 2 {
ip 10.2.0.200/16;
ip 2001:db8:6701::7/64;
interface ge-0/0/4.0;
use-virtual-mac;
}
monitor {
interface {
ge-0/0/3;
ge-0/0/4;
}
}
activeness-priority 1;
}
[edit]
user@host# show security ike
proposal MNHA_IKE_PROP {
description "mnha_link_encr_tunnel";
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;
}
policy MNHA_IKE_POL {
description "mnha_link_encr_tunnel";
proposals MNHA_IKE_PROP;
pre-shared-key {
ascii-text "$ABC123";
}
}
gateway MNHA_IKE_GW {
ike-policy MNHA_IKE_POL;
version v2-only;
}
[edit]
user@host# show security ipsec
proposal MNHA_IPSEC_PROP {
description "mnha_link_encr_tunnel";
protocol esp;
encryption-algorithm aes-256-gcm;
lifetime-seconds 3600;
}
policy MNHA_IPSEC_POL {
description "mnha_link_encr_tunnel";
proposals MNHA_IPSEC_PROP;
}
vpn IPSEC_VPN_ICL {
ha-link-encryption;
ike {
gateway MNHA_IKE_GW;
ipsec-policy MNHA_IPSEC_POL;
}
}
[edit]
user@host# show security zones
security-zone untrust {
host-inbound-traffic {
system-services {
ike;
ping;
ssh;
}
protocols {
bfd;
bgp;
}
}
interfaces {
ge-0/0/4.0;
}
}
security-zone trust {
host-inbound-traffic {
system-services {
ike;
ping;
ssh;
all;
}
protocols {
bgp;
bfd;
all;
}
}
interfaces {
ge-0/0/3.0;
}
}
security-zone halink {
host-inbound-traffic {
system-services {
ike;
ping;
high-availability;
ssh;
}
protocols {
bfd;
bgp;
}
}
interfaces {
ge-0/0/2.0;
}
}
[edit]
user@host# show interfaces
ge-0/0/2 {
description ha_link;
unit 0 {
family inet {
address 10.22.0.2/24;
}
}
}
ge-0/0/3 {
description trust;
unit 0 {
family inet {
address 10.1.0.2/24;
}
}
}
ge-0/0/4 {
description untrust;
unit 0 {
family inet {
address 10.2.0.2/24;
}
}
}
If you are done configuring the device, enter commit from
configuration mode.
user@host# commit warning: High Availability Mode changed, please reboot the device to avoid undesirable behavior commit complete
Verification
Use the show commands to confirm that the configuration is working properly.
- Check MNHA Details
- Check Multinode High Availability Peer Node Status
- Check Multinode High Availability Service Redundancy Groups
- Verify IP Address Installation on Interfaces
- Verify Interchassis Link (ICL) Encryption Status
Check MNHA Details
Purpose
View and verify the details of the MNHA setup configured on your security device.
Action
From operational mode, run the following command:
SRX-01
user@host> show chassis high-availability information
Node failure codes:
HW Hardware monitoring LB Loopback monitoring
MB Mbuf monitoring SP SPU monitoring
CS Cold Sync monitoring SU Software Upgrade
Node Status: ONLINE
Grid-id: 0
Local-id: 1
Local-IP: 10.22.0.1
HA Peer Information:
Peer Id: 2 IP address: 10.22.0.2 Interface: ge-0/0/2.0
Routing Instance: default
Encrypted: YES Conn State: UP
Configured BFD Detection Time: 3 * 200ms
Cold Sync Status: COMPLETE
SRG failure event codes:
BF BFD monitoring
IP IP monitoring
IF Interface monitoring
CP Control Plane monitoring
Services Redundancy Group: 1
Deployment Type: SWITCHING
Status: ACTIVE
Activeness Priority: 200
Preemption: ENABLED
Process Packet In Backup State: NO
Control Plane State: READY
System Integrity Check: N/A
Failure Events: NONE
Peer Information:
Peer Id: 2
Status : BACKUP
Health Status: HEALTHY
Failover Readiness: READY
SRX-02
user@host> show chassis high-availability information
Node failure codes:
HW Hardware monitoring LB Loopback monitoring
MB Mbuf monitoring SP SPU monitoring
CS Cold Sync monitoring SU Software Upgrade
Node Status: ONLINE
Grid-id: 0
Local-id: 2
Local-IP: 10.22.0.2
HA Peer Information:
Peer Id: 1 IP address: 10.22.0.1 Interface: ge-0/0/2.0
Routing Instance: default
Encrypted: YES Conn State: UP
Configured BFD Detection Time: 3 * 200ms
Cold Sync Status: COMPLETE
SRG failure event codes:
BF BFD monitoring
IP IP monitoring
IF Interface monitoring
CP Control Plane monitoring
Services Redundancy Group: 1
Deployment Type: SWITCHING
Status: BACKUP
Activeness Priority: 1
Preemption: DISABLED
Process Packet In Backup State: NO
Control Plane State: READY
System Integrity Check: COMPLETE
Failure Events: NONE
Peer Information:
Peer Id: 1
Status : ACTIVE
Health Status: HEALTHY
Failover Readiness: N/A
Meaning
Verify these details from the command output:
-
HA link to peer (10.22.0.1 or 10.22.0.2 over ge-0/0/2.0) is established (
Conn State UP). -
The field
Encrypted: YESindicates that the traffic is protected. -
The field
Deployment Type: SWITCHINGindicates a default gateway (switching) mode configuration—that is, the network has switches connected at both ends (Layer 2 network). -
The field
Services Redundancy Group: 1showsStatus: ACTIVEorStatus: BACKUPto display current status of SRG.
Check Multinode High Availability Peer Node Status
Purpose
View and verify the peer node details.
Action
From operational mode, run the following command:
SRX-01
user@host> show chassis high-availability peer-info
HA Peer Information:
Peer-ID: 2 IP address: 10.22.0.2 Interface: ge-0/0/2.0
Routing Instance: default
Encrypted: YES Conn State: UP
Cold Sync Status: COMPLETE
Internal Interface: st0.16000
Internal Local-IP: 180.100.1.1
Internal Peer-IP: 180.100.1.2
Internal Routing-instance: __juniper_private1__
Packet Statistics:
Receive Error : 0 Send Error : 0
Packet-type Sent Received
SRG Status Msg 3 5
SRG Status Ack 4 2
Attribute Msg 3 2
Attribute Ack 2 2
Pkt Req 0 0
Pkt Req Ack 0 0
SRX-02
user@host> show chassis high-availability peer-info
HA Peer Information:
Peer-ID: 1 IP address: 10.22.0.1 Interface: ge-0/0/2.0
Routing Instance: default
Encrypted: YES Conn State: UP
Cold Sync Status: COMPLETE
Internal Interface: st0.16000
Internal Local-IP: 180.100.1.2
Internal Peer-IP: 180.100.1.1
Internal Routing-instance: __juniper_private1__
Packet Statistics:
Receive Error : 0 Send Error : 0
Packet-type Sent Received
SRG Status Msg 5 2
SRG Status Ack 2 4
Attribute Msg 3 2
Attribute Ack 2 2
Pkt Req 0 0
Pkt Req Ack 0 0
Meaning
Verify these details from the command output:
- The HA peer connection is established and healthy (
Conn State UP,Encrypted YES). - Synchronization appears successful (
Cold Sync Status COMPLETE). - No packet send/receive errors are reported, indicating clean HA control-plane communications.
Check Multinode High Availability Service Redundancy Groups
Purpose
Verify that the SRGs are configured and working correctly.
Action
From operational mode, run the following command:
SRX-01
user@host> show chassis high-availability services-redundancy-group 1
SRG failure event codes:
BF BFD monitoring
IP IP monitoring
IF Interface monitoring
CP Control Plane monitoring
Services Redundancy Group: 1
Deployment Type: SWITCHING
Status: ACTIVE
Activeness Priority: 200
Preemption: ENABLED
Process Packet In Backup State: NO
Control Plane State: READY
System Integrity Check: N/A
Failure Events: NONE
Peer Information:
Peer Id: 2
Status : BACKUP
Health Status: HEALTHY
Failover Readiness: READY
Virtual IP Info:
Index: 2
IP: 2001:db8:6701::7/64
IP2: 10.2.0.200/24
VMAC: 00:10:db:fe:01:02
Interface: ge-0/0/4.0
Status: INSTALLED
Index: 1
IP: 2001:db8:6700::3/64
IP2: 10.1.0.200/24
VMAC: 00:10:db:fe:01:01
Interface: ge-0/0/3.0
Status: INSTALLED
Split-brain Prevention Probe Info:
DST-IP: 2001:db8:6700::3
Routing Instance: default
Type: ICMP Probe
Status: NOT RUNNING
Result: N/A Reason: N/A
DST-IP: 10.1.0.200
Routing Instance: default
Type: ICMP Probe
Status: NOT RUNNING
Result: N/A Reason: N/A
Interface Monitoring:
Status: UP
IF Name: ge-0/0/4 State: Up
IF Name: ge-0/0/3 State: Up
IP SRGID Table:
SRGID IP Prefix Routing Table
1 10.2.0.200/32 default
1 2001:db8:6701::7/128 default
1 10.1.0.200/32 default
1 2001:db8:6700::3/128 default
SRX-02
user@host> show chassis high-availability services-redundancy-group 1
SRG failure event codes:
BF BFD monitoring
IP IP monitoring
IF Interface monitoring
CP Control Plane monitoring
Services Redundancy Group: 1
Deployment Type: SWITCHING
Status: BACKUP
Activeness Priority: 1
Preemption: DISABLED
Process Packet In Backup State: NO
Control Plane State: READY
System Integrity Check: COMPLETE
Failure Events: NONE
Peer Information:
Peer Id: 1
Status : ACTIVE
Health Status: HEALTHY
Failover Readiness: N/A
Virtual IP Info:
Index: 2
IP: 2001:db8:6701::7/64
IP2: 10.2.0.200/24
VMAC: N/A
Interface: ge-0/0/4.0
Status: NOT INSTALLED
Index: 1
IP: 2001:db8:6700::3/64
IP2: 10.1.0.200/24
VMAC: 00:10:db:fe:01:01
Interface: ge-0/0/3.0
Status: NOT INSTALLED
Split-brain Prevention Probe Info:
DST-IP: 2001:db8:6700::3
Routing Instance: default
Type: ICMP Probe
Status: NOT RUNNING
Result: N/A Reason: N/A
DST-IP: 10.1.0.200
Routing Instance: default
Type: ICMP Probe
Status: NOT RUNNING
Result: N/A Reason: N/A
Interface Monitoring:
Status: UP
IF Name: ge-0/0/4 State: Up
IF Name: ge-0/0/3 State: Up
IP SRGID Table:
SRGID IP Prefix Routing Table
1 10.2.0.200/32 default
1 2001:db8:6701::7/128 default
1 10.1.0.200/32 default
1 2001:db8:6700::3/128 default
Meaning
Verify these details from the command output:
- Peer node details (deployment type, status, signal routes); peer is healthy and in ready backup state, indicating failover capability.
- Virtual IP information (IP and VMAC); VIPs are displayed as
INSTALLEDon the active node and monitored interfaces areUp. - VMAC (for example,
00:10:db:fe:01:02) associated with the virtual IP. - Backup node VIP status, where VIPs are showing
NOT INSTALLED. - Dual-stack support, with both IPv4 and IPv6 VIPs present.
- SRG status, where SRG 1 is active and in
READYcontrol-plane state with no failures.
Verify IP Address Installation on Interfaces
Purpose
Verify that the virtual IP addresses are installed on the interfaces.
Action
From operational mode, run the following command:
SRX-01
user@host> show interfaces terse | no-more
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
gr-0/0/0 up up
ip-0/0/0 up up
lsq-0/0/0 up up
lt-0/0/0 up up
mt-0/0/0 up up
sp-0/0/0 up up
sp-0/0/0.0 up up inet
inet6
sp-0/0/0.16383 up up inet
ge-0/0/1 up up
ge-0/0/2 up up
ge-0/0/2.0 up up inet 10.22.0.1/24
ge-0/0/3 up up
ge-0/0/3.0 up up inet 10.1.0.1/24
10.1.0.200/24
inet6 2001:db8:6700::3/64
fe80::5604:1aff:fe00:4882/64
ge-0/0/4 up up
ge-0/0/4.0 up up inet 10.2.0.1/24
10.2.0.200/24
inet6 2001:db8:6701::7/64
fe80::5604:1aff:fe00:7541/64
...SRX-02
user@host> show interfaces terse | no-more
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
gr-0/0/0 up up
ip-0/0/0 up up
lsq-0/0/0 up up
lt-0/0/0 up up
mt-0/0/0 up up
sp-0/0/0 up up
sp-0/0/0.0 up up inet
inet6
sp-0/0/0.16383 up up inet
ge-0/0/1 up up
ge-0/0/2 up up
ge-0/0/2.0 up up inet 10.22.0.2/24
ge-0/0/3 up up
ge-0/0/3.0 up up inet 10.1.0.2/24
ge-0/0/4 up up
ge-0/0/4.0 up up inet 10.2.0.2/24
dsc up up
...For brevity, the show command output is truncated to display only a few samples.
Meaning
The command output provides the following information:
- On the active node, the interface shows both dual-stack virtual IPs
10.1.0.200/16and22001:db8:6700::3/64are installed on interface ge-0/0/3.0 for VIP index 1 and10.2.0.200/16and2001:db8:6701::7/64are installed on interface ge-0/0/4.0 for VIP index 2. - On the backup node, only the local interface IP addresses are present, and the VIP is not installed.
This output ensures that only the active node handles traffic. During a failover, the VIP moves from the active node to the backup node, maintaining service continuity for both IPv4 and IPv6 traffic
Verify Interchassis Link (ICL) Encryption Status
Purpose
Verify the interchassis link (ICL) status.
Action
From operational mode, run the following command on SRX-01:
user@host> show security ipsec security-associations ha-link-encryption detail
ID: 495005 Virtual-system: root, VPN Name: IPSEC_VPN_ICL
Local Gateway: 10.22.0.1, Remote Gateway: 10.22.0.2
Traffic Selector Name: __IPSEC_VPN_ICL__ICL__2__0__multi_node__
Local Identity: ipv4(180.100.1.1-180.100.1.1)
Remote Identity: ipv4(180.100.1.2-180.100.1.2)
TS Type: traffic-selector
Version: IKEv2
Quantum Secured: No
Hardware Offloaded: No
PFS group: N/A, Packet Encapsulation: None, Dest port: 0
Passive mode tunneling: Disabled
DF-bit: clear, Copy-Outer-DSCP: Disabled, Bind-interface: st0.16000, Policy-name: MNHA_IPSEC_POL
Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
HA Link Encryption Mode: Inter-Chassis-Link
Location: FPC -, PIC -
Anchorship: Thread -
Distribution-Profile: default-profile
Direction: inbound, SPI: 0x0008a5a8, AUX-SPI: 0
, VPN Monitoring: UP Mode: Always-Send Interval: 10secs Threshold: 10
Hard lifetime: Expires in 3392 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2774 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-immediately
Location: FPC 0, PIC 0
Anchorship: Thread 0
IKE SA Index: 16776197
Direction: outbound, SPI: 0x00065b1f, AUX-SPI: 0
, VPN Monitoring: UP Mode: Always-Send Interval: 10secs Threshold: 10
Hard lifetime: Expires in 3392 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2774 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-immediately
Location: FPC 0, PIC 0
Anchorship: Thread 0
IKE SA Index: 16776197
Meaning
The command output provides the following information:
-
The local gateway and remote gateway details.
-
The IPsec SA pair for each threads in PIC.
-
HA link encryption mode (as shown in the following line):
HA Link Encryption Mode: Inter-Chassis-Link -
Authentication and encryption algorithms used
The IP range (180.100.1.x) shown in the command output serves as the ICL IPsec traffic selector. The system dynamically assigns this IP range, and it is essential not to alter or modify it. Additionally, BFD (Bidirectional Forwarding Detection) will be automatically enabled for the broader 180.x.x.x IP range.