Example: Configure Multinode High Availability in a Layer 3 Network
SUMMARY Read this topic to understand how to configure the Multinode High Availability solution on SRX Series devices. The example covers configuration in active/backup mode when SRX Series devices are connected to routers on both sides.
Overview
In Multi-Node High Availability, participating SRX Series devices operate as independent nodes in a Layer 3 network. The nodes are connected to adjacent infrastructure belonging to different networks. An encrypted logical interchassis link (ICL) connects the nodes over a routed network. Participating nodes backup each other to ensure a fast synchronized failover in case of system or hardware failure.
In Multinode High Availability, activeness is determined at the services redundancy group (SRG) level. The SRX Series device, on which the SRG1 is active, hosts the floating IP address and steers traffic towards it using the floating IP address. During a failover, the floating IP address moves from the old active node to the new active node and continues the communication client devices.
As of Junos OS Release 22.3R1, we support a two-node configuration in the Multinode High Availability solution.
Requirements
This example uses the following hardware and software components:
-
Two SRX Series devices or vSRX instances
-
Two Juniper Networks(R) MX960 Universal Routing Platform
-
Junos OS Release 22.3R1
Topology
Figure 1 shows the topology used in this example.
As shown in the topology, two SRX Series devices are connected to adjacent routers on trust and untrust side forming a BGP neighborship. An encrypted logical interchassis link (ICL) connects the nodes over a routed network. The nodes communicate with each other using a routable IP address (floating IP address) over the network. Loopback interfaces are used to host the IP addresses on SRX Series and routers.
In general, you can use Aggregated Ethernet (AE) or a revenue Ethernet port on the SRX Series devices to setup an ICL connection. In this example, we've used GE ports for the ICL. We've also configured a routing instance for the ICL path to ensure maximum segmentation.
In a typical high availability deployment, you have multiple routers and switches on the northbound and southbound sides of the network. For this example, we are using two routers on both sides of SRX Series devices.
In this example, you'll establish high availability between the SRX Series devices and secure the tunnel traffic by enabling HA link encryption.
You'll perform the following tasks to build a Multinode High Availability setup:
- Configure a pair of SRX Series devices as local and peer nodes by assigning IDs.
- Configure services redundancy groups.
- Configure a loopback interface (lo0.0) to host the floating IP address.
- Configure IP probes for the activeness determination and enforcement
- Configure a signal route required for activeness enforcement and use it along with the route exists policy.
- Configure a VPN profile for the high availability (ICL) traffic using IKEv2.
- Configure BFD monitoring options
- Configure a routing policy and routing options
- Configure appropriate security policies to manage traffic in your network
-
Configure stateless firewall filtering and quality of service (QoS) as per your network requirements.
-
Configure interfaces and zones according to your network requirement. You must allow services such as IKE for link encryption and SSH for configuration synchronization as host-inbound system services on the security zone that is associated with the ICL.
You can configure the following options on SRG0 and SRG1:
-
SRG1: Active/backup signal route, deployment type, activeness priority, preemption, virtual IP address (for default gateway deployments), activeness probing and process packet on backup.
-
SRG1: BFD monitoring, IP monitoring, and interface monitoring options on SRG1.
-
SRG0: shutdown on failure and install on failure route options.
When you configure monitoring (BFD or IP or Interface) options under SRG1, we recommend not to configure the shutdown-on-failure option under SRG0.
For interchassis link (ICL), we recommend the following configuration settings:
- Use a loopback (lo0) interface using an aggregated Ethernet interface (ae0), or any revenue Ethernet interface to establish the ICL. Do not to use the dedicated HA ports (control and fabric ports) if available on your SRX Series device).
- Set MTU of 1514
- Allow the following services on the security zone associated with interfaces
used for ICL
-
IKE, high-availability, SSH
-
Protocols depending on the routing protocol you need.
-
BFD to monitor the neighboring routes.
-
A secure tunnel interface (st0) from st0.16000 to st0.16385 is reserved for Multinode High Availability. These interfaces are not user configurable interfaces. You can only use interfaces from st0.0 to st0.15999.
Configuration
Before You Begin
Install the Junos IKE package on your SRX Series. You require this step for ICL encryption.
user@host> request system software add optional://junos-ike.tgz Verified junos-ike signed by PackageProductionECP256_2022 method ECDSA256+SHA256 Rebuilding schema and Activating configuration... mgd: commit complete Restarting MGD ... WARNING: cli has been replaced by an updated version: CLI release 20220208.163814_builder.r1239105 built by builder on 2022-02-08 17:07:55 UTC Restart cli using the new version ? [yes,no] (yes)
CLI Quick Configuration
To quickly
configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the
[edit] hierarchy level, and then enter
commit from configuration mode.
On SRX-1 Device
set chassis high-availability local-id 1 set chassis high-availability local-id local-ip 10.22.0.1 set chassis high-availability peer-id 2 peer-ip 10.22.0.2 set chassis high-availability peer-id 2 interface ge-0/0/2.0 set chassis high-availability peer-id 2 vpn-profile IPSEC_VPN_ICL set chassis high-availability peer-id 2 liveness-detection minimum-interval 400 set chassis high-availability peer-id 2 liveness-detection multiplier 5 set chassis high-availability services-redundancy-group 0 peer-id 2 set chassis high-availability services-redundancy-group 1 deployment-type routing set chassis high-availability services-redundancy-group 1 peer-id 2 set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip 10.111.0.1 set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip src-ip 10.11.0.1 set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.4.0.2 src-ip 10.4.0.1 set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.4.0.2 session-type singlehop set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.4.0.2 interface ge-0/0/4.0 set chassis high-availability services-redundancy-group 1 active-signal-route 10.39.1.1 set chassis high-availability services-redundancy-group 1 backup-signal-route 10.39.1.2 set chassis high-availability services-redundancy-group 1 preemption set chassis high-availability services-redundancy-group 1 activeness-priority 200 set interfaces ge-0/0/3 description "trust" unit 0 family inet address 10.2.0.2/16 set interfaces ge-0/0/4 description "untrust" unit 0 family inet address 10.4.0.1/16 set interfaces ge-0/0/2 description "ha_link" unit 0 family inet address 10.22.0.1/24 set interfaces lo0 description "untrust" unit 0 family inet address 10.11.0.1/32 set interfaces lo0 description "untrust" unit 0 family inet address 10.11.0.2/32 set interfaces lo0 description "untrust" unit 0 family inet address 10.11.0.3/32 set routing-options autonomous-system 100 set routing-options static route 10.1.0.0/16 next-hop 10.2.0.1 set routing-options static route 10.6.0.0/16 next-hop 10.4.0.2 set routing-options static route 10.111.0.1 next-hop 10.2.0.1 set routing-options static route 10.111.0.2 next-hop 10.4.0.2 set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust host-inbound-traffic system-services ping set security zones security-zone untrust host-inbound-traffic protocols bfd set security zones security-zone untrust host-inbound-traffic protocols bgp set security zones security-zone untrust interfaces ge-0/0/4 set security zones security-zone untrust interfaces lo0.0 set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/3 set security zones security-zone halink host-inbound-traffic system-services ike set security zones security-zone halink host-inbound-traffic system-services ping set security zones security-zone halink host-inbound-traffic system-services high-availability set security zones security-zone halink host-inbound-traffic system-services ssh set security zones security-zone halink host-inbound-traffic protocols bfd set security zones security-zone halink host-inbound-traffic protocols bgp set security zones security-zone halink interfaces ge-0/0/2 set security policies default-policy permit-all set security pki ca-profile Root-CA ca-identity Root-CA set security pki ca-profile Root-CA enrollment url http://10.157.69.204/certsrv/mscep/mscep.dll set security pki ca-profile Root-CA revocation-check disable set system syslog file vpn_syslog any info set system syslog file vpn_syslog match "iked|pkid|kmd|ikemd|authd|jsrpd|chassisd|bfd" set system services netconf ssh set security ike proposal MNHA_IKE_PROP description mnha_link_encr_tunnel set security ike proposal MNHA_IKE_PROP authentication-method pre-shared-keys set security ike proposal MNHA_IKE_PROP dh-group group14 set security ike proposal MNHA_IKE_PROP authentication-algorithm sha-256 set security ike proposal MNHA_IKE_PROP encryption-algorithm aes-256-cbc set security ike proposal MNHA_IKE_PROP lifetime-seconds 3600 set security ike policy MNHA_IKE_POL description mnha_link_encr_tunnel set security ike policy MNHA_IKE_POL proposals MNHA_IKE_PROP set security ike policy MNHA_IKE_POL pre-shared-key ascii-text "$ABC123" set security ike gateway MNHA_IKE_GW ike-policy MNHA_IKE_POL set security ike gateway MNHA_IKE_GW version v2-only set security ipsec proposal MNHA_IPSEC_PROP description mnha_link_encr_tunnel set security ipsec proposal MNHA_IPSEC_PROP protocol esp set security ipsec proposal MNHA_IPSEC_PROP encryption-algorithm aes-256-gcm set security ipsec proposal MNHA_IPSEC_PROP lifetime-seconds 3600 set security ipsec policy MNHA_IPSEC_POL description mnha_link_encr_tunnel set security ipsec policy MNHA_IPSEC_POL proposals MNHA_IPSEC_PROP set security ipsec vpn IPSEC_VPN_ICL ha-link-encryption set security ipsec vpn IPSEC_VPN_ICL ike gateway MNHA_IKE_GW set security ipsec vpn IPSEC_VPN_ICL ike ipsec-policy MNHA_IPSEC_POL set policy-options condition active_route_exists if-route-exists address-family inet 10.39.1.1 table inet.0 set policy-options condition backup_route_exists if-route-exists address-family inet 10.39.1.2 table inet.0 set policy-options policy-statement mnha-route-policy term 1 from protocol static set policy-options policy-statement mnha-route-policy term 1 from protocol direct set policy-options policy-statement mnha-route-policy term 1 from condition active_route_exists set policy-options policy-statement mnha-route-policy term 1 then accept metric 10 set policy-options policy-statement mnha-route-policy term 2 from protocol static set policy-options policy-statement mnha-route-policy term 2 from protocol direct set policy-options policy-statement mnha-route-policy term 2 from condition backup_route_exists set policy-options policy-statement mnha-route-policy term 2 then accept metric 20 set policy-options policy-statement mnha-route-policy term 3 from protocol static set policy-options policy-statement mnha-route-policy term 3 from protocol direct set policy-options policy-statement mnha-route-policy term 3 then accept metric 30 set policy-options policy-statement mnha-route-policy term default then reject set protocols bgp group trust type internal set protocols bgp group trust local-address 10.2.0.2 set protocols bgp group trust export mnha-route-policy set protocols bgp group trust neighbor 10.2.0.1 set protocols bgp group trust bfd-liveness-detection minimum-interval 500 set protocols bgp group trust bfd-liveness-detection minimum-receive-interval 500 set protocols bgp group trust bfd-liveness-detection multiplier 3 set protocols bgp group trust local-as 100 set protocols bgp group untrust type internal set protocols bgp group untrust local-address 10.4.0.1 set protocols bgp group untrust export mnha-route-policy set protocols bgp group untrust neighbor 10.4.0.2 set protocols bgp group untrust bfd-liveness-detection minimum-interval 500 set protocols bgp group untrust bfd-liveness-detection minimum-receive-interval 500 set protocols bgp group untrust bfd-liveness-detection multiplier 3 set protocols bgp group untrust local-as 100
On SRX-2 Device
set chassis high-availability local-id 2 set chassis high-availability local-id local-ip 10.22.0.2 set chassis high-availability peer-id 1 peer-ip 10.22.0.1 set chassis high-availability peer-id 1 interface ge-0/0/2.0 set chassis high-availability peer-id 1 vpn-profile IPSEC_VPN_ICL set chassis high-availability peer-id 1 liveness-detection minimum-interval 400 set chassis high-availability peer-id 1 liveness-detection multiplier 5 set chassis high-availability services-redundancy-group 0 peer-id 1 set chassis high-availability services-redundancy-group 1 deployment-type routing set chassis high-availability services-redundancy-group 1 peer-id 1 set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip 10.111.0.1 set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip src-ip 10.11.0.1 set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.5.0.2 src-ip 10.5.0.1 set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.5.0.2 session-type singlehop set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.5.0.2 interface ge-0/0/4.0 set chassis high-availability services-redundancy-group 1 active-signal-route 10.39.1.1 set chassis high-availability services-redundancy-group 1 backup-signal-route 10.39.1.2 set chassis high-availability services-redundancy-group 1 activeness-priority 1 set security ike proposal MNHA_IKE_PROP description mnha_link_encr_tunnel set security ike proposal MNHA_IKE_PROP authentication-method pre-shared-keys set security ike proposal MNHA_IKE_PROP dh-group group14 set security ike proposal MNHA_IKE_PROP authentication-algorithm sha-256 set security ike proposal MNHA_IKE_PROP encryption-algorithm aes-256-cbc set security ike proposal MNHA_IKE_PROP lifetime-seconds 3600 set security ike policy MNHA_IKE_POL description mnha_link_encr_tunnel set security ike policy MNHA_IKE_POL proposals MNHA_IKE_PROP set security ike policy MNHA_IKE_POL pre-shared-key ascii-text "$ABC123" set security ike gateway MNHA_IKE_GW ike-policy MNHA_IKE_POL set security ike gateway MNHA_IKE_GW version v2-only set security ipsec proposal MNHA_IPSEC_PROP description mnha_link_encr_tunnel set security ipsec proposal MNHA_IPSEC_PROP protocol esp set security ipsec proposal MNHA_IPSEC_PROP encryption-algorithm aes-256-gcm set security ipsec proposal MNHA_IPSEC_PROP lifetime-seconds 3600 set security ipsec policy MNHA_IPSEC_POL description mnha_link_encr_tunnel set security ipsec policy MNHA_IPSEC_POL proposals MNHA_IPSEC_PROP set security ipsec vpn IPSEC_VPN_ICL ha-link-encryption set security ipsec vpn IPSEC_VPN_ICL ike gateway MNHA_IKE_GW set security ipsec vpn IPSEC_VPN_ICL ike ipsec-policy MNHA_IPSEC_POL set interfaces ge-0/0/3 description "trust" unit 0 family inet address 10.3.0.2/16 set interfaces ge-0/0/4 description "untrust" unit 0 family inet address 10.5.0.1/16 set interfaces ge-0/0/2 description "ha_link" unit 0 family inet address 10.22.0.2/24 set interfaces lo0 description "untrust" unit 0 family inet address 10.11.0.1/32 set interfaces lo0 description "untrust" unit 0 family inet address 10.11.0.2/32 set interfaces lo0 description "untrust" unit 0 family inet address 10.11.0.3/32 set routing-options autonomous-system 100 set routing-options static route 10.1.0.0/16 next-hop 10.3.0.1 set routing-options static route 10.6.0.0/16 next-hop 10.5.0.2 set routing-options static route 10.111.0.1 next-hop 10.3.0.1 set routing-options static route 10.111.0.2 next-hop 10.5.0.2 set security zones security-zone untrust host-inbound-traffic system-services ike set security zones security-zone untrust host-inbound-traffic system-services ping set security zones security-zone untrust host-inbound-traffic protocols bfd set security zones security-zone untrust host-inbound-traffic protocols bgp set security zones security-zone untrust interfaces ge-0/0/4 set security zones security-zone untrust interfaces lo0.0 set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/3 set security zones security-zone halink host-inbound-traffic system-services ike set security zones security-zone halink host-inbound-traffic system-services ping set security zones security-zone halink host-inbound-traffic system-services high-availability set security zones security-zone halink host-inbound-traffic system-services ssh set security zones security-zone halink host-inbound-traffic protocols bfd set security zones security-zone halink host-inbound-traffic protocols bgp set security zones security-zone halink interfaces ge-0/0/2 set security policies default-policy permit-all set security pki ca-profile Root-CA ca-identity Root-CA set security pki ca-profile Root-CA enrollment url http://10.157.69.204/certsrv/mscep/mscep.dll set security pki ca-profile Root-CA revocation-check disable set system syslog file vpn_syslog any info set system syslog file vpn_syslog match "iked|pkid|kmd|ikemd|authd|jsrpd|chassisd|bfd" set system services netconf ssh set policy-options route-filter-list loopback 10.11.0.0/24 orlonger set policy-options route-filter-list ipsec 10.6.0.0/16 orlonger set policy-options condition active_route_exists if-route-exists address-family inet 10.39.1.1 table inet.0 set policy-options condition backup_route_exists if-route-exists address-family inet 10.39.1.2 table inet.0 set policy-options policy-statement mnha-route-policy term 1 from protocol static set policy-options policy-statement mnha-route-policy term 1 from protocol direct set policy-options policy-statement mnha-route-policy term 1 from condition active_route_exists set policy-options policy-statement mnha-route-policy term 1 then accept metric 10 set policy-options policy-statement mnha-route-policy term 2 from protocol static set policy-options policy-statement mnha-route-policy term 2 from protocol direct set policy-options policy-statement mnha-route-policy term 2 from condition backup_route_exists set policy-options policy-statement mnha-route-policy term 2 then accept metric 20 set policy-options policy-statement mnha-route-policy term 3 from protocol static set policy-options policy-statement mnha-route-policy term 3 from protocol direct set policy-options policy-statement mnha-route-policy term 3 then accept metric 30 set policy-options policy-statement mnha-route-policy term default then reject set protocols bgp group trust type internal set protocols bgp group trust local-address 10.3.0.2 set protocols bgp group trust export mnha-route-policy set protocols bgp group trust neighbor 10.3.0.1 set protocols bgp group trust bfd-liveness-detection minimum-interval 500 set protocols bgp group trust bfd-liveness-detection minimum-receive-interval 500 set protocols bgp group trust bfd-liveness-detection multiplier 3 set protocols bgp group trust local-as 100 set protocols bgp group untrust type internal set protocols bgp group untrust local-address 10.5.0.1 set protocols bgp group untrust export mnha-route-policy set protocols bgp group untrust neighbor 10.5.0.2 set protocols bgp group untrust bfd-liveness-detection minimum-interval 500 set protocols bgp group untrust bfd-liveness-detection minimum-receive-interval 500 set protocols bgp group untrust bfd-liveness-detection multiplier 3 set protocols bgp group untrust local-as 100
The following sections show configuration snippets on the routers required for setting up Multinode High Availability setup in the network.
Router (VMX-1)
set interfaces ge-0/0/2 description lan unit 0 family inet address 10.1.0.1/16 set interfaces ge-0/0/0 description ha unit 0 family inet address 10.2.0.1/16 set interfaces ge-0/0/1 description ha unit 0 family inet address 10.3.0.1/16 set interfaces lo0 description "loopback" unit 0 family inet address 10.111.0.1 primary preferred set routing-options autonomous-system 100 set protocols bgp group mnha_r0 type internal set protocols bgp group mnha_r0 local-address 10.2.0.1 set protocols bgp group mnha_r0 neighbor 10.2.0.2 set protocols bgp group mnha_r0 bfd-liveness-detection minimum-interval 500 set protocols bgp group mnha_r0 bfd-liveness-detection minimum-receive-interval 500 set protocols bgp group mnha_r0 bfd-liveness-detection multiplier 3 set protocols bgp group mnha_r0 local-as 100 set protocols bgp group mnha_r0_b type internal set protocols bgp group mnha_r0_b local-address 10.3.0.1 set protocols bgp group mnha_r0_b neighbor 10.3.0.2 set protocols bgp group mnha_r0_b bfd-liveness-detection minimum-interval 500 set protocols bgp group mnha_r0_b bfd-liveness-detection minimum-receive-interval 500 set protocols bgp group mnha_r0_b bfd-liveness-detection multiplier 3 set protocols bgp group mnha_r0_b local-as 100
Router (VMX-2)
set interfaces ge-0/0/0 description HA unit 0 family inet address 10.4.0.2/16 set interfaces ge-0/0/1 description HA unit 0 family inet address 10.5.0.2/16 set interfaces ge-0/0/2 description trust unit 0 family inet address 10.6.0.1/16 set interfaces lo0 description "loopback" unit 0 family inet address 10.111.0.2 primary preferred set routing-options autonomous-system 100 set protocols bgp group mnha_r0 type internal set protocols bgp group mnha_r0 local-address 10.4.0.2 set protocols bgp group mnha_r0 neighbor 10.4.0.1 set protocols bgp group mnha_r0 bfd-liveness-detection minimum-interval 500 set protocols bgp group mnha_r0 bfd-liveness-detection minimum-receive-interval 500 set protocols bgp group mnha_r0 bfd-liveness-detection multiplier 3 set protocols bgp group mnha_r0 local-as 100 set protocols bgp group mnha_r0_b type internal set protocols bgp group mnha_r0_b local-address 10.5.0.2 set protocols bgp group mnha_r0_b neighbor 10.5.0.1 set protocols bgp group mnha_r0_b bfd-liveness-detection minimum-interval 500 set protocols bgp group mnha_r0_b bfd-liveness-detection minimum-receive-interval 500 set protocols bgp group mnha_r0_b bfd-liveness-detection multiplier 3 set protocols bgp group mnha_r0_b local-as 100
Configuration
Step-by-Step Procedure
We're showing the configuration of SRX-01 in the step-by-step procedure.
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
-
Configure Interfaces.
[edit] user@host# set interfaces ge-0/0/3 description "trust" unit 0 family inet address 10.2.0.2/16 user@host# set interfaces ge-0/0/4 description "untrust" unit 0 family inet address 10.4.0.1/16 user@host# set interfaces ge-0/0/2 description "ha_link" unit 0 family inet address 10.22.0.1/24
We're using ge-0/0/3 and ge-0/0/4 interfaces to connect to the upstream and downstream routers and using ge-0/0/2 interface to setup the ICL.
-
Configure the loopback interfaces.
[edit] user@host# set interfaces lo0 description "untrust" unit 0 family inet address 10.11.0.1/32 user@host# set interfaces lo0 description "untrust" unit 0 family inet address 10.11.0.2/32 user@host# set interfaces lo0 description "untrust" unit 0 family inet address 10.11.0.3/32
The IP address (10.11.0.1) assigned to the loopback interface will be used as the floating IP address.
Using the loopback interface ensures that at any given point, traffic from the adjacent routers will be steered toward the floating IP address (that is, toward the active node).
-
Configure security zones, assign interfaces to the zones, and specify the allowed system services for the security zones.
[edit] user@host# set security zones security-zone untrust host-inbound-traffic system-services ike user@host# set security zones security-zone untrust host-inbound-traffic system-services ping user@host# set security zones security-zone untrust host-inbound-traffic protocols bfd user@host# set security zones security-zone untrust host-inbound-traffic protocols bgp user@host# set security zones security-zone untrust interfaces ge-0/0/4 user@host# set security zones security-zone untrust interfaces lo0.0 user@host# set security zones security-zone trust host-inbound-traffic system-services all user@host# set security zones security-zone trust host-inbound-traffic protocols all user@host# set security zones security-zone trust interfaces ge-0/0/3 user@host# set security zones security-zone halink host-inbound-traffic system-services ike user@host# set security zones security-zone halink host-inbound-traffic system-services ping user@host# set security zones security-zone halink host-inbound-traffic system-services high-availability user@host# set security zones security-zone halink host-inbound-traffic system-services ssh user@host# set security zones security-zone halink host-inbound-traffic protocols bfd user@host# set security zones security-zone halink host-inbound-traffic protocols bgp user@host# set security zones security-zone halink interfaces ge-0/0/2
Assign the interfaces ge-0/0/3 and ge-0/0/4 the trust and untrust zones respectively. Assign the lo0.0 interface to the untrust zone to connect over the public IP network. Assign the interface ge-0/0/2 to the halink zone. You use this zone to set up the ICL.
-
Configure routing options.
[edit] user@host# set routing-options autonomous-system 100 user@host# set routing-options static route 10.1.0.0/16 next-hop 10.2.0.1 user@host# set routing-options static route 10.6.0.0/16 next-hop 10.4.0.2 user@host# set routing-options static route 10.111.0.1 next-hop 10.2.0.1 user@host# set routing-options static route 10.111.0.2 next-hop 10.4.0.2
- Configure both local node and peer node details such as node ID, lP
addresses of local node and peer node, and the interface for the peer
node.
[edit] user@host# set chassis high-availability local-id 1 user@host# set chassis high-availability local-id local-ip 10.22.0.1 user@host# set chassis high-availability peer-id 2 peer-ip 10.22.0.2 user@host# set chassis high-availability peer-id 2 interface ge-0/0/2.0 user@host# set chassis high-availability peer-id 2 vpn-profile IPSEC_VPN_ICL
You'll use the ge-0/0/2 interface for communicating with the peer node using the ICL.
-
Attach the IPsec VPN profile IPSEC_VPN_ICL to the peer node.
[edit] user@host# set chassis high-availability peer-id 2 vpn-profile IPSEC_VPN_ICL
You'll need this configuration to establish a secure ICL link between the nodes.
-
Configure Bidirectional Forwarding Detection (BFD) protocol options for the peer node.
[edit] user@host# set chassis high-availability peer-id 2 liveness-detection minimum-interval 400 user@host# set chassis high-availability peer-id 2 liveness-detection multiplier 5
-
Associate the peer node ID 2 to the services redundancy group 0 (SRG0).
[edit] user@host# set chassis high-availability services-redundancy-group 0 peer-id 2
-
Configure the services redundancy group 1 (SRG1).
[edit] user@host# set chassis high-availability services-redundancy-group 0 peer-id 2 user@host# set chassis high-availability services-redundancy-group 1 deployment-type routing user@host# set chassis high-availability services-redundancy-group 1 peer-id 2
.
-
Setup activeness determination parameters for SRG1.
[edit] user@host# set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip 10.111.0.1 user@host# set chassis high-availability services-redundancy-group 1 activeness-probe dest-ip src-ip 10.11.0.1
Use the floating IP address as source IP address (10.11.0.1) and IP addresses of the upstream routers as the destination IP address (10.111.0.1) for the activeness determination probe.
You can configure up to 64 IP addresses for IP monitoring and activeness probing. The total 64 IP addresses is sum of the number of IPv4 and IPv6 addresses)
-
Configure BFD monitoring parameters for the SRG1 to detect failures in network.
[edit] user@host# set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.4.0.2 src-ip 10.4.0.1 user@host# set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.4.0.2 session-type singlehop user@host# set chassis high-availability services-redundancy-group 1 monitor bfd-liveliness 10.4.0.2 interface ge-0/0/4.0
-
Configure an active signal route required for activeness enforcement.
[edit] user@host# set chassis high-availability services-redundancy-group 1 active-signal-route 10.39.1.1 user@host# set chassis high-availability services-redundancy-group 1 backup-signal-route 10.39.1.2 user@host# set chassis high-availability services-redundancy-group 1 preemption user@host# set chassis high-availability services-redundancy-group 1 activeness-priority 200
The active signal route IP address you assign is used for route preference advertisement. You must specify the active signal route along with the
route-existspolicy in thepolicy-optionsstatement. -
Configure the security policy.
[edit] user@host# set security policies default-policy permit-all
Ensure you have configured security policies as per your network requirements.
-
Configure CA certificates as per your requirements.
[edit] user@host# set security pki ca-profile Root-CA ca-identity Root-CA user@host# set security pki ca-profile Root-CA enrollment url http://10.157.69.204/certsrv/mscep/mscep.dll user@host# set security pki ca-profile Root-CA revocation-check disable
-
Define Internet Key Exchange (IKE) configuration for Multinode High Availability. An IKE configuration defines the algorithms and keys used to establish a secure connection.
[edit] user@host# set security ike proposal MNHA_IKE_PROP description mnha_link_encr_tunnel user@host# set security ike proposal MNHA_IKE_PROP authentication-method pre-shared-keys user@host# set security ike proposal MNHA_IKE_PROP dh-group group14 user@host# set security ike proposal MNHA_IKE_PROP authentication-algorithm sha-256 user@host# set security ike proposal MNHA_IKE_PROP encryption-algorithm aes-256-cbc user@host# set security ike proposal MNHA_IKE_PROP lifetime-seconds 3600 user@host# set security ike policy MNHA_IKE_POL description mnha_link_encr_tunnel user@host# set security ike policy MNHA_IKE_POL proposals MNHA_IKE_PROP user@host# set security ike policy MNHA_IKE_POL pre-shared-key ascii-text "$ABC123" user@host# set security ike gateway MNHA_IKE_GW ike-policy MNHA_IKE_POL user@host# set security ike gateway MNHA_IKE_GW version v2-only
For the Multinode High availability feature, you must configure the IKE version as
v2-only -
Specify the IPsec proposal protocol and encryption algorithm. Specify IPsec options to create a IPsec tunnel between two participant devices to secure VPN communication.
[edit] user@host# set security ipsec proposal MNHA_IPSEC_PROP description mnha_link_encr_tunnel user@host# set security ipsec proposal MNHA_IPSEC_PROP protocol esp user@host# set security ipsec proposal MNHA_IPSEC_PROP encryption-algorithm aes-256-gcm user@host# set security ipsec proposal MNHA_IPSEC_PROP lifetime-seconds 3600 user@host# set security ipsec policy MNHA_IPSEC_POL description mnha_link_encr_tunnel user@host# set security ipsec policy MNHA_IPSEC_POL proposals MNHA_IPSEC_PROP user@host# set security ipsec vpn IPSEC_VPN_ICL ha-link-encryption user@host# set security ipsec vpn IPSEC_VPN_ICL ike gateway MNHA_IKE_GW user@host# set security ipsec vpn IPSEC_VPN_ICL ike ipsec-policy MNHA_IPSEC_POL
ha-link-encryptionoption encrypts the ICL to secure high availability traffic flow between the nodes.The same VPN name IPSEC_VPN_ICL must be mentioned for vpn_profile in chassis high availability configuration.
-
Configure policy options.
[edit] user@host# set policy-options condition active_route_exists if-route-exists address-family inet 10.39.1.1 table inet.0 user@host# set policy-options condition backup_route_exists if-route-exists address-family inet 10.39.1.2 table inet.0 user@host# set policy-options policy-statement mnha-route-policy term 1 from protocol static user@host# set policy-options policy-statement mnha-route-policy term 1 from protocol direct user@host# set policy-options policy-statement mnha-route-policy term 1 from condition active_route_exists user@host# set policy-options policy-statement mnha-route-policy term 1 then accept metric 10 user@host# set policy-options policy-statement mnha-route-policy term 2 from protocol static user@host# set policy-options policy-statement mnha-route-policy term 2 from protocol directuser@host# set policy-options policy-statement mnha-route-policy term 2 from condition backup_route_exists user@host# set policy-options policy-statement mnha-route-policy term 2 then accept metric 20 user@host# set policy-options policy-statement mnha-route-policy term 3 from protocol static user@host# set policy-options policy-statement mnha-route-policy term 3 from protocol direct user@host# set policy-options policy-statement mnha-route-policy term 3 then accept metric 30 user@host# set policy-options policy-statement mnha-route-policy term default then reject
Configure the active signal route 10.39.1.1 with the route match condition (
if-route-exists). The Multinode High Availability adds this route to the routing table when the node moves to the active role. The node also starts advertising the higher preference route. Configure the back up signal route (10.39.1.2) to advertise the backup node with a medium priority. In case of any failures, the high availability link goes down and the current active node releases it's primary role and removes the active-signal-route. Now the backup node detects the condition through it’s probes and transitions to the active role. The route preference is swapped to drive all the traffic to the new active node -
Configure BFD peering sessions options and specify liveness detection timers.
[edit] user@host# set protocols bgp group trust type internal user@host# set protocols bgp group trust local-address 10.2.0.2 user@host# set protocols bgp group trust export mnha-route-policy user@host# set protocols bgp group trust neighbor 10.2.0.1 user@host# set protocols bgp group trust bfd-liveness-detection minimum-interval 500 user@host# set protocols bgp group trust bfd-liveness-detection minimum-receive-interval 500 user@host# set protocols bgp group trust bfd-liveness-detection multiplier 3 user@host# set protocols bgp group trust local-as 100 user@host# set protocols bgp group untrust type internal user@host# set protocols bgp group untrust local-address 10.4.0.1 user@host# set protocols bgp group untrust export mnha-route-policy user@host# set protocols bgp group untrust neighbor 10.4.0.2 user@host# set protocols bgp group untrust bfd-liveness-detection minimum-interval 500 user@host# set protocols bgp group untrust bfd-liveness-detection minimum-receive-interval 500 user@host# set protocols bgp group untrust bfd-liveness-detection multiplier 3 user@host# set protocols bgp group untrust local-as
Configuration Option for Software Upgrades (Optional)
In Multinode High Availability, during software upgrades, you can divert the traffic by changing the route. Use the following steps to add install route on failure configuration. Here, traffic can still go through the node and interface remains up.
Check Software Upgrade in Multinode High Availability for details.
-
Create a dedicated custom virtual router for the route used for diverting traffic during the upgrade.
user@host# set routing-instances MNHA-signal-routes instance-type virtual-router
- Configure install route on failure statement for the SRG0.
user@host# set chassis high-availability services-redundancy-group 0 install-on-failure-route 10.39.1.3 routing-instance MNHA-signal-routes user@host# set chassis high-availability services-redundancy-group 1 active-signal-route 10.39.1.1 routing-instance MNHA-signal-routes user@host# set chassis high-availability services-redundancy-group 1 backup-signal-route 10.39.1.2 routing-instance MNHA-signal-routes
The routing table installs the route mentioned in the statement when the node fails.
- Create a matching routing policy which refers the route as condition
with the
route-existsattribute.Example: Following configuration snippets show that you have configured the route with IP address 10.39.1.3 for SRG0 as install on failure route. The routing policy statement includes the route 10.39.1.3 as the
if-route-existscondition and the policy statement refers the condition as one of the matching term.user@host# set policy-options condition active_route_exists if-route-exists address-family inet 10.39.1.1/32 user@host# set policy-options condition active_route_exists if-route-exists address-family inet table MNHA-signal-routes.inet.0 user@host# set policy-options condition backup_route_exists if-route-exists address-family inet 10.39.1.2/32 user@host# set policy-options condition backup_route_exists if-route-exists address-family inet table MNHA-signal-routes.inet.0 user@host# set policy-options condition failure_route_exists if-route-exists address-family inet 10.39.1.3/32 user@host# set policy-options condition failure_route_exists if-route-exists address-family inet table MNHA-signal-routes.inet.0
user@host# set policy-options policy-statement mnha-route-policy term 4 from protocol static user@host# set policy-options policy-statement mnha-route-policy term 4 from protocol direct user@host# set policy-options policy-statement mnha-route-policy term 4 from condition failure_route_exists user@host# set policy-options policy-statement mnha-route-policy term 4 then metric 100 user@host# set policy-options policy-statement mnha-route-policy term 4 then accept
Results (SRX-1)
From configuration mode, confirm your configuration by entering the following commands.
If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show chassis high-availability
local-id 1 local-ip 10.22.0.1;
peer-id 2 {
peer-ip 10.22.0.2;
interface ge-0/0/2.0;
vpn-profile IPSEC_VPN_ICL;
liveness-detection {
minimum-interval 400;
multiplier 5;
}
}
services-redundancy-group 0 {
peer-id {
2;
}
}
services-redundancy-group 1 {
deployment-type routing;
peer-id {
2;
}
activeness-probe {
dest-ip {
10.111.0.1;
src-ip 10.11.0.1;
}
}
monitor {
bfd-liveliness 10.4.0.2 {
src-ip 10.4.0.1;
session-type singlehop;
interface ge-0/0/4.0;
}
}
active-signal-route {
10.39.1.1;
}
backup-signal-route {
10.39.1.2;
}
preemption;
activeness-priority 200;
}
[edit]
user@host# show security ike
proposal MNHA_IKE_PROP {
description mnha_link_encr_tunnel;
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;
}
policy MNHA_IKE_POL {
description mnha_link_encr_tunnel;
proposals MNHA_IKE_PROP ;
pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway MNHA_IKE_GW {
ike-policy MNHA_IKE_POL ;
version v2-only;
}
[edit]
user@host# show security ipsec
proposal MNHA_IPSEC_PROP {
description mnha_link_encr_tunnel;
protocol esp;
encryption-algorithm aes-256-gcm;
lifetime-seconds 3600;
}
policy MNHA_IPSEC_POL {
description mnha_link_encr_tunnel;
proposals MNHA_IPSEC_PROP;
}
vpn IPSEC_VPN_ICL {
ha-link-encryption;
ike {
gateway MNHA_IKE_GW;
ipsec-policy MNHA_IPSEC_POL;
}
}
[edit]
user@host# show policy-options
policy-statement mnha-route-policy {
term 1 {
from {
protocol [ static direct ];
condition active_route_exists;
}
then {
metric 10;
accept;
}
}
term 2 {
from {
protocol [ static direct ];
condition backup_route_exists;
}
then {
metric 20;
accept;
}
}
term 3 {
from protocol [ static direct ];
then {
metric 30;
accept;
}
}
term default {
then reject;
}
}
condition active_route_exists {
if-route-exists {
address-family {
inet {
10.39.1.1/32;
table inet.0;
}
}
}
}
condition backup_route_exists {
if-route-exists {
address-family {
inet {
10.39.1.2/32;
table inet.0;
}
}
}
}
[edit]
user@host# show routing-options
autonomous-system 100;
static {
route 10.1.0.0/16 next-hop 10.2.0.1;
route 10.6.0.0/16 next-hop 10.4.0.2;
route 10.111.0.1/32 next-hop 10.2.0.1;
route 10.111.0.2/32 next-hop 10.4.0.2;
}
[edit]
user@host# show security zones security-zone
security-zone untrust {
host-inbound-traffic {
system-services {
ike;
ping;
}
protocols {
bfd;
bgp;
}
}
interfaces {
ge-0/0/4.0;
lo0.0;
}
}
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/3.0;
}
}
security-zone halink {
host-inbound-traffic {
system-services {
ike;
ping;
high-availability;
ssh;
}
protocols {
bfd;
bgp;
}
}
interfaces {
ge-0/0/2.0;
}
}
[edit]
user@host# show interfaces
ge-0/0/2 {
description ha_link;
unit 0 {
family inet {
address 10.22.0.1/24;
}
}
}
ge-0/0/3 {
description trust;
unit 0 {
family inet {
address 10.2.0.2/16;
}
}
}
ge-0/0/4 {
description untrust;
unit 0 {
family inet {
address 10.4.0.1/16;
}
}
}
lo0 {
description untrust;
unit 0 {
family inet {
address 10.11.0.1/32;
address 10.11.0.2/32;
address 10.11.0.3/32;
}
}
}
If you are done configuring the device, enter commit from
configuration mode.
Results (SRX-2)
From configuration mode, confirm your configuration by entering the following commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show chassis high-availability
local-id 2 local-ip 10.22.0.2;
peer-id 1 {
peer-ip 10.22.0.1;
interface ge-0/0/2.0;
vpn-profile IPSEC_VPN_ICL;
liveness-detection {
minimum-interval 400;
multiplier 5;
}
}
services-redundancy-group 0 {
peer-id {
1;
}
}
services-redundancy-group 1 {
deployment-type routing;
peer-id {
1;
}
activeness-probe {
dest-ip {
10.111.0.1;
src-ip 10.11.0.1;
}
}
monitor {
bfd-liveliness 10.5.0.2 {
src-ip 10.5.0.1;
session-type singlehop;
interface ge-0/0/4.0;
}
}
active-signal-route {
10.39.1.1;
}
backup-signal-route {
10.39.1.2;
}
activeness-priority 1;
}
[edit]
user@host# show security ike
proposal MNHA_IKE_PROP {
description mnha_link_encr_tunnel;
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;
}
policy MNHA_IKE_POL {
description mnha_link_encr_tunnel;
proposals MNHA_IKE_PROP ;
pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway MNHA_IKE_GW {
ike-policy MNHA_IKE_POL ;
version v2-only;
}
[edit]
user@host# show security ipsec
proposal MNHA_IPSEC_PROP {
description mnha_link_encr_tunnel;
protocol esp;
encryption-algorithm aes-256-gcm;
lifetime-seconds 3600;
}
policy MNHA_IPSEC_POL {
description mnha_link_encr_tunnel;
proposals MNHA_IPSEC_PROP;
}
vpn IPSEC_VPN_ICL {
ha-link-encryption;
ike {
gateway MNHA_IKE_GW;
ipsec-policy MNHA_IPSEC_POL;
}
}
[edit]
user@host# show policy-options
route-filter-list loopback {
10.11.0.0/24 orlonger;
}
route-filter-list ipsec {
10.6.0.0/16 orlonger;
}
policy-statement mnha-route-policy {
term 1 {
from {
protocol [ static direct ];
condition active_route_exists;
}
then {
metric 10;
accept;
}
}
term 2 {
from {
protocol [ static direct ];
condition backup_route_exists;
}
then {
metric 20;
accept;
}
}
term 3 {
from protocol [ static direct ];
then {
metric 30;
accept;
}
}
term default {
then reject;
}
}
condition active_route_exists {
if-route-exists {
address-family {
inet {
10.39.1.1/32;
table inet.0;
}
}
}
}
condition backup_route_exists {
if-route-exists {
address-family {
inet {
10.39.1.2/32;
table inet.0;
}
}
}
}
[edit]
user@host# show routing-options
autonomous-system 100;
static {
route 10.1.0.0/16 next-hop 10.3.0.1;
route 10.6.0.0/16 next-hop 10.5.0.2;
route 10.111.0.1/32 next-hop 10.3.0.1;
route 10.111.0.2/32 next-hop 10.5.0.2;
}
[edit]
user@host# show security zones
security-zone untrust {
host-inbound-traffic {
system-services {
ike;
ping;
}
protocols {
bfd;
bgp;
}
}
interfaces {
ge-0/0/4.0;
lo0.0;
}
}
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/3.0;
}
}
security-zone halink {
host-inbound-traffic {
system-services {
ike;
ping;
high-availability;
ssh;
}
protocols {
bfd;
bgp;
}
}
interfaces {
ge-0/0/2.0;
}
}
[edit]
user@host# show interfaces
root@10.52.45.4# show interfaces
ge-0/0/2 {
description ha_link;
unit 0 {
family inet {
address 10.22.0.2/24;
}
}
}
ge-0/0/3 {
description trust;
unit 0 {
family inet {
address 10.3.0.2/16;
}
}
}
ge-0/0/4 {
description untrust;
unit 0 {
family inet {
address 10.5.0.1/16;
}
}
}
lo0 {
description untrust;
unit 0 {
family inet {
address 10.11.0.1/32;
address 10.11.0.2/32;
address 10.11.0.3/32;
}
}
}
If
you are done configuring the device, enter commit from
configuration mode.
user@host# commit warning: High Availability Mode changed, please reboot the device to avoid undesirable behavior commit complete
Verification
Confirm that the configuration is working properly.
- Check Multinode High Availability Details
- Check Multinode High Availability Peer Node Status
- Check Multinode High Availability Service Redundancy Groups
- Verify the Multinode High Availability Status Before and After Failover
- Verify Interchassis Link (ICL) Encryption Status
- Verify Link Encryption Tunnel Statistics
- Verify Interchassis Link Active Peers
Check Multinode High Availability Details
Purpose
View and verify the details of the Multinode High Availability setup configured on your security device.
Action
From operational mode, run the following command:
On SRX-1
user@host> show chassis high-availability information
Node failure codes:
HW Hardware monitoring LB Loopback monitoring
MB Mbuf monitoring SP SPU monitoring
CS Cold Sync monitoring SU Software Upgrade
Node Status: ONLINE
Local-id: 1
Local-IP: 10.22.0.1
HA Peer Information:
Peer Id: 2 IP address: 10.22.0.2 Interface: ge-0/0/2.0
Routing Instance: default
Encrypted: YES Conn State: UP
Cold Sync Status: COMPLETE
Services Redundancy Group: 0
Current State: ONLINE
Peer Information:
Peer Id: 2
SRG failure event codes:
BF BFD monitoring
IP IP monitoring
IF Interface monitoring
CP Control Plane monitoring
Services Redundancy Group: 1
Deployment Type: ROUTING
Status: ACTIVE
Activeness Priority: 200
Preemption: ENABLED
Process Packet In Backup State: NO
Control Plane State: READY
System Integrity Check: N/A
Failure Events: NONE
Peer Information:
Peer Id: 2
Status : BACKUP
Health Status: HEALTHY
Failover Readiness: READY
On SRX-2
user@host> show chassis high-availability information
Node failure codes:
HW Hardware monitoring LB Loopback monitoring
MB Mbuf monitoring SP SPU monitoring
CS Cold Sync monitoring SU Software Upgrade
Node Status: ONLINE
Local-id: 2
Local-IP: 10.22.0.2
HA Peer Information:
Peer Id: 1 IP address: 10.22.0.1 Interface: ge-0/0/2.0
Routing Instance: default
Encrypted: YES Conn State: UP
Cold Sync Status: COMPLETE
Services Redundancy Group: 0
Current State: ONLINE
Peer Information:
Peer Id: 1
SRG failure event codes:
BF BFD monitoring
IP IP monitoring
IF Interface monitoring
CP Control Plane monitoring
Services Redundancy Group: 1
Deployment Type: ROUTING
Status: BACKUP
Activeness Priority: 1
Preemption: DISABLED
Process Packet In Backup State: NO
Control Plane State: READY
System Integrity Check: COMPLETE
Failure Events: NONE
Peer Information:
Peer Id: 1
Status : ACTIVE
Health Status: HEALTHY
Failover Readiness: N/A
Meaning
Verify these details from the command output:
-
Local node and peer node details such as IP address and ID.
-
The field
Encrypted: YESindicates that the traffic is protected. -
The field
Deployment Type: ROUTINGindicates a Layer 3 mode configuration—that is, the network has routers on both sides. -
The field
Services Redundancy Group: 1indicates the status of the SRG1 (ACTIVE or BACKUP) on that node.
Check Multinode High Availability Peer Node Status
Purpose
View and verify the peer node details.
Action
From operational mode, run the following command:
SRX-1
user@host> user@host> show chassis high-availability peer-info
HA Peer Information:
Peer-ID: 2 IP address: 10.22.0.2 Interface: ge-0/0/2.0
Routing Instance: default
Encrypted: YES Conn State: UP
Cold Sync Status: COMPLETE
Internal Interface: st0.16000
Internal Local-IP: 180.100.1.1
Internal Peer-IP: 180.100.1.2
Internal Routing-instance: __juniper_private1__
Packet Statistics:
Receive Error : 0 Send Error : 0
Packet-type Sent Received
SRG Status Msg 4 4
SRG Status Ack 4 3
Attribute Msg 4 2
Attribute Ack 2 2
SRX-2
user@host> show chassis high-availability peer-info
HA Peer Information:
Peer-ID: 1 IP address: 10.22.0.1 Interface: ge-0/0/2.0
Routing Instance: default
Encrypted: YES Conn State: UP
Cold Sync Status: COMPLETE
Internal Interface: st0.16000
Internal Local-IP: 180.100.1.2
Internal Peer-IP: 180.100.1.1
Internal Routing-instance: __juniper_private1__
Packet Statistics:
Receive Error : 0 Send Error : 0
Packet-type Sent Received
SRG Status Msg 4 3
SRG Status Ack 3 4
Attribute Msg 3 2
Attribute Ack 2 2
Meaning
Verify these details from the command output:
-
Peer node details such as interface used, IP address, and ID
-
Encryption status, connection status, and cold synchronization status
-
Packet statistics across the node.
Check Multinode High Availability Service Redundancy Groups
Purpose
Verify that the SRGs are configured and working correctly.
Action
From operational mode, run the following command:
For SRG0:
user@host> show chassis high-availability services-redundancy-group 0
Services Redundancy Group: 0
Current State: ONLINE
Peer Information:
Peer Id: 2
For SRG1:
user@host> show chassis high-availability services-redundancy-group 1
SRG failure event codes:
BF BFD monitoring
IP IP monitoring
IF Interface monitoring
CP Control Plane monitoring
Services Redundancy Group: 1
Deployment Type: ROUTING
Status: ACTIVE
Activeness Priority: 200
Preemption: ENABLED
Process Packet In Backup State: NO
Control Plane State: READY
System Integrity Check: N/A
Failure Events: NONE
Peer Information:
Peer Id: 2
Status : BACKUP
Health Status: HEALTHY
Failover Readiness: READY
Signal Route Info:
Active Signal Route:
IP: 10.39.1.1
Routing Instance: default
Status: INSTALLED
Backup Signal Route:
IP: 10.39.1.2
Routing Instance: default
Status: NOT INSTALLED
Split-brain Prevention Probe Info:
DST-IP: 10.111.0.1
SRC-IP: 10.11.0.1
Routing Instance: default
Status: NOT RUNNING
Result: N/A Reason: N/A
BFD Monitoring:
Status: UP
SRC-IP: 10.4.0.1 DST-IP: 10.4.0.2
Routing Instance: default
Type: SINGLE-HOP
IFL Name: ge-0/0/4.0
State: UP
Meaning
Verify these details from the command output:
-
Peer node details such as deployment type, status, and active and back up signal routes.
-
Virtual IP Information such as IP address and virtual MAC address.
-
IP monitoring and BFD monitoring status.
Verify the Multinode High Availability Status Before and After Failover
Purpose
Check the change in node status before and after failover in a Multinode High Availability setup.
Action
To check the Multinode High Availability status on the backup node (SRX-2), run the following command from operational mode:
user@host> show chassis high-availability information
Node failure codes:
HW Hardware monitoring LB Loopback monitoring
MB Mbuf monitoring SP SPU monitoring
CS Cold Sync monitoring SU Software Upgrade
Node Status: ONLINE
Local-id: 2
Local-IP: 10.22.0.2
HA Peer Information:
Peer Id: 1 IP address: 10.22.0.1 Interface: ge-0/0/2.0
Routing Instance: default
Encrypted: YES Conn State: UP
Cold Sync Status: COMPLETE
Services Redundancy Group: 0
Current State: ONLINE
Peer Information:
Peer Id: 1
SRG failure event codes:
BF BFD monitoring
IP IP monitoring
IF Interface monitoring
CP Control Plane monitoring
Services Redundancy Group: 1
Deployment Type: ROUTING
Status: BACKUP
Activeness Priority: 1
Preemption: DISABLED
Process Packet In Backup State: NO
Control Plane State: READY
System Integrity Check: COMPLETE
Failure Events: NONE
Peer Information:
Peer Id: 1
Status : ACTIVE
Health Status: HEALTHY
Failover Readiness: N/A
Under the Services Redundancy Group: 1 section, you can see the
Status: BACKUP field. This field value indicates that the
status of SRG 1 is backup.
Initiate the failover on the active node (SRX-1 device) and again run the command on the backup node (SRX-2 device).
user@host> show chassis high-availability information
Node failure codes:
HW Hardware monitoring LB Loopback monitoring
MB Mbuf monitoring SP SPU monitoring
CS Cold Sync monitoring SU Software Upgrade
Node Status: ONLINE
Local-id: 2
Local-IP: 10.22.0.2
HA Peer Information:
Peer Id: 1 IP address: 10.22.0.1 Interface: ge-0/0/2.0
Routing Instance: default
Encrypted: YES Conn State: DOWN
Cold Sync Status: IN PROGRESS
Services Redundancy Group: 0
Current State: ONLINE
Peer Information:
Peer Id: 1
SRG failure event codes:
BF BFD monitoring
IP IP monitoring
IF Interface monitoring
CP Control Plane monitoring
Services Redundancy Group: 1
Deployment Type: ROUTING
Status: ACTIVE
Activeness Priority: 1
Preemption: DISABLED
Process Packet In Backup State: NO
Control Plane State: READY
System Integrity Check: N/A
Failure Events: NONE
Peer Information:
Peer Id: 1
Status : BACKUP
Health Status: HEALTHY
Failover Readiness: READY
Note that under the Services Redundancy Group: 1 section, the
status of SRG1 has changed from BACKUP to
ACTIVE.
You can also see peer node details under the Peer Information
section. The output shows the status of peer as
BACKUP.
Verify Interchassis Link (ICL) Encryption Status
Purpose
Verify the interchassis link (ICL) status.
Action
From operational mode, run the following command:
user@host> show security ipsec security-associations ha-link-encryption detail
ID: 495001 Virtual-system: root, VPN Name: IPSEC_VPN_ICL
Local Gateway: 10.22.0.1, Remote Gateway: 10.22.0.2
Traffic Selector Name: __IPSEC_VPN_ICL__multi_node__
Local Identity: ipv4(180.100.1.1-180.100.1.1)
Remote Identity: ipv4(180.100.1.2-180.100.1.2)
TS Type: traffic-selector
Version: IKEv2
PFS group: N/A
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.16000, Tunnel MTU: 0, Policy-name: MNHA_IPSEC_POL
Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
HA Link Encryption Mode: Multi-Node
Location: FPC -, PIC -, KMD-Instance -
Anchorship: Thread -
Distribution-Profile: default-profile
Direction: inbound, SPI: 0x0005a7ec, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3597 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2900 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-immediately
Location: FPC 0, PIC 0, KMD-Instance 0
Anchorship: Thread 0
IKE SA Index: 4294966273
Direction: outbound, SPI: 0x000a2aba, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3597 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2900 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-immediately
Location: FPC 0, PIC 0, KMD-Instance 0
Anchorship: Thread 0
IKE SA Index: 4294966273
Meaning
The command output provides the following information:
-
The local gateway and remote gateway details.
-
The IPsec SA pair for each threads in PIC.
-
HA link encryption mode (as shown in the following line):
HA Link Encryption Mode: Multi-Node -
Authentication and encryption algorithms used
Verify Link Encryption Tunnel Statistics
Purpose
Verify link encryption tunnel statistics on both active and backup nodes.
Action
From operational mode, run the following command:
user@host> show security ipsec statistics ha-link-encryption ESP Statistics: Encrypted bytes: 984248 Decrypted bytes: 462519 Encrypted packets: 9067 Decrypted packets: 8797 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0, Replay errors: 0 ESP authentication failures: 0, ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0 Invalid SPI: 0, TS check fail: 0 Exceeds tunnel MTU: 0 Discarded: 0
Meaning
If you see packet loss issues across a VPN, you can run the show
security ipsec statistics ha-link-encryption command several
times to verify that the encrypted and decrypted packet counters are
incrementing. You should also check whether the other error counters are
incrementing.
Use the
clear security ipsec
security-associations ha-link-encryption
command to clear all IPsec statistics.
Verify Interchassis Link Active Peers
Purpose
View only ICL active peers, but not regular IKE active peers.
Action
From operational mode, run the following command:
SRX-1
user@host> show security ike active-peer ha-link-encryption
Remote Address Port Peer IKE-ID AAA username Assigned IP
10.22.0.2 500 10.22.0.2 not available 0.0.0.0
SRX-2
user@host> show security ike active-peer ha-link-encryption Remote Address Port Peer IKE-ID AAA username Assigned IP 10.22.0.1 500 10.22.0.1 not available 0.0.0.0
Meaning
Command output displays only the active peer of the ICL with details such as the peer addresses and ports the active peer is using.