Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Example: Configure Multinode High Availability on SRX Series Firewalls in a Layer 3 Network

This example shows how to configure and verify Multinode High Availability setup in Layer 3 deployment.

Overview

In multinode High Availability, participating SRX Series Firewalls operate as independent nodes in a Layer 3 network. The nodes are connected to adjacent infrastructure belonging to different networks. An encrypted logical interchassis link (ICL) connects the nodes over a routed network. Participating nodes backup each other to ensure a fast synchronized failover in case of system or hardware failure.

In Multinode High Availability, activeness is determined at the services redundancy group (SRG) level. The SRX Series Firewall, on which the SRG1 is active, hosts the floating IP address and steers traffic towards it using the floating IP address. During a failover, the floating IP address moves from the old active node to the new active node and continues the communication client devices.

Example Prerequisites

Software requirements

  • Supported firewall devices with Junos OS Release 22.4R1 or later. This example is tested with Junos OS Release 25.4R1.

  • Configure firewall filtering and quality of service (QoS) as per your network requirements and have appropriate security policies to manage traffic in your network.

  • In a typical high-availability setup, you use multiple routers and switches on both the northbound and southbound sides. In this example, use two routers on each side of the firewalls. Configure all upstream and downstream routers according to your network requirements

  • Install the Junos IKE package on your security devices using the request system software add optional://junos-ike.tgz command. The junos-ike package is included in your Junos software packages (Junos OS Release 20.4R1 onwards).

Before You Begin

Functional Overview

Technologies used

  • Multinode high availability
  • Monitoring options
  • Interfaces and zones
  • Routing policy, protocols, and routing options

Primary verification tasks

  • High Availability information about both nodes

Topology Overview

Figure 1 shows the topology used in this example.

Figure 1: Multinode High Availability in Layer 3 Deployment Multinode High Availability in Layer 3 Deployment

In this Layer 3 multinode high availability (MNHA) deployment, two SRX firewalls (SRX‑01 and SRX‑02) operate as independent routing nodes connected to upstream (R2) and downstream (R1) routers over routed interfaces.

  • Each SRX has its own interface IP addresses on the trust and untrust sides.
  • The nodes are interconnected through an interchassis link (ICL) over a routed network (HA link).
  • A floating loopback IP address (10.11.0.1/32) is configured on both nodes and is owned by the active node in the services redundancy group (SRG).
  • Traffic from R1 (trust side) and R2 (untrust side) is routed to the active node based on routing decisions (for example, BGP policies).
  • The active node forwards traffic, while the backup node remains ready to take over.
  • During a failover:
    • The floating IP moves to the backup node.
    • Routing updates (for example, via BGP metrics) redirect traffic to the new active node.
    • Traffic continues with minimal disruption.

In a typical high availability deployment, you have multiple routers and switches on the northbound and southbound sides of the network. For this example, we are using two routers on both sides of SRX Series Firewalls.

In this example, you'll establish high availability between the SRX Series Firewalls and secure the tunnel traffic by enabling HA link encryption.

Table 1 and Table 2 show the details on interfaces configuration used in this example.

Table 1: Interfaces and IP Address Configuration on Security Devices
Device Interface Zone IP Address Configured For
SRX-01 lo0.0

Untrust

10.11.0.1/32

Floating IP address

IKE Gateway address

ge-0/0/2.0

HA Link

10.22.0.1/24

Connecting ICL

ge-0/0/4.0

Untrust

10.5.0.1/24

Connects to R2 router

ge-0/0/3.0

Trust

10.3.0.2/24

Connects to R1 router

SRX-02

lo0.0

Untrust

10.11.0.1/32

Floating IP address

ge-0/0/2.0

HA Link

10.22.0.2/24

Connecting ICL

ge-0/0/3.0

Trust

10.2.0.2/24

Connects to R1 router

ge-0/0/4.0

Untrust

10.4.0.1/24

Connects to R2 router

Table 2: Interfaces and IP Address Configuration on Routing Devices
Device Interface IP Address Configured For
Router 1 (R1) lo0

10.111.0.1/32

Loopback interface address of R1

ge-0/0/1.0

10.3.0.1/24

Connects to SRX-01

ge-0/0/0.0

10.2.0.1/24

Connects to SRX-02

Router 2 (R2) lo0

10.111.0.2/32

Loopback interface address of R2

ge-0/0/0.0

10.4.0.2/24

Connects to SRX-02

ge-0/0/1.0

10.5.0.2/24

Connects to SRX-01

Configure Firewalls

  1. Configure interfaces for ICL, internal traffic, and for external traffic. Setup the loopback interface lo0.0 with a floating IP address to reach the peer gateway. The same loopback IP (10.11.0.1) is configured on both nodes and acts as a floating IP associated with the active SRG.
    • SRX-01
    • SRX-02
  2. Configure security zones as required for your network, and allow necessary host‑inbound system services.
    • SRX-01
    • SRX-02
    CAUTION:

    The configuration examples provided in this document allow all host inbound protocols and services for simplicity. In a production deployment, you must restrict inbound access to only the protocols and services required for your environment. For an MNHA setup, this configuration typically includes allowing IKE, BGP, and BFD. Always tailor the security rules to align with your network and security requirements.

  3. Configure the security policy.
    CAUTION:

    The security policy shown in this example is only for demonstration and testing. You should configure security policies as per your network needs. Ensure that your security policies allow only the applications, users, and devices that you trust.

    SRX-01 and SRX-02

  4. Configure the local and peer node IDs on both security devices. Assign unique identifiers so each device can determine its role in the MNHA pair.
    • SRX-01
    • SRX-02
  5. Configure services redundancy groups SRG1 and SRG2. Use separate redundancy groups as needed to manage failover for different service sets.
    • SRX-01
    • SRX-02

      You can configure up to 64 IP addresses for IP monitoring and activeness probing. The total 64 IP addresses is sum of the number of IPv4 and IPv6 addresses.

  6. Configure routing policy and routing options. Define route preferences and policies that support MNHA failover and traffic steering. In this step, you configure:
    • Active/active traffic distribution across MNHA nodes
    • Policy‑controlled BGP advertisement per SRG
    • Configure BFD monitoring. BFD provides fast failure detection for protected links and paths.
    • Symmetric IPsec traffic forwarding
    • Configure MNHA route export policy. This configuration advertises routes with a preferred metric (metric 10) when active and less preferred metric (metric 20) when backup.

      SRX-01SRX-02
    • Define conditional health checks. This configuration determines whether the node is active or backup for each SRG based on route presence.

      SRX-01SRx-02
      Note: You must specify the active signal route along with the route-exists policy in the policy-options statement. When you configure the active-signal-route with if-route-exists condition, the HA module adds this route to the routing table.
      Note:

      Configure active signal routes 10.39.1.1 with the if-route-exists match condition. MNHA adds these routes when a node becomes active, and the node advertises the routes with higher preference. Configure backup signal routes 10.39.1.2 with medium priority for the standby node. On failure, the HA link goes down, the active node drops its primary role and removes the active signal route. The backup node detects this through probes, becomes active, and its route preference increases to take all traffic.

    • Configure BGP.

      SRX-01SRX-02
  7. Configure base reachability required for BGP conditions.
    • SRX-01
      • SRX-02
  8. Encrypt the ICL. Configure a VPN profile for ICL high‑availability traffic using IKEv2 and define IKE and IPsec parameters that protect MNHA control and state synchronization over the ICL.
    • SRX-01 and SRX-02

      Note:
      • Specifying the ha-link-encryption option encrypts the ICL to secure high availability traffic flow between the nodes.

      • The same VPN name ICL_IPSEC_VPN must be mentioned for vpn_profile in the set chassis high-availability peer-id <id> vpn-profile vpn_profile configuration.

      • For the Multinode High availability feature, you must configure the IKE version as v2-only

Verification

Use the show commands to confirm that the configuration is working properly.

Table 3: Show Commands for Verification
Command Verification Task

show chassis high-availability information

Display details of the MNHA status on your security device including health status of the peer node.

show chassis high-availability services-redundancy-group

Display status service redundancy groups in your MNHA setup.

Check Multinode High Availability Setup

Purpose

View and verify the details of the Multinode High Availability setup configured on your security device.

Action

From operational mode, run the following command:

SRX-01

SRX-02

Meaning

Verify these details from the command output:

  • Local node and peer node details such as IP address and ID.

  • The field Encrypted: YES indicates that the traffic is protected.

  • The field Deployment Type: ROUTING indicates a Layer 3 mode configuration—that is, the network has routers on both sides.

  • The field Services Redundancy Group: 1 indicate the status of the SRG1 as active or backup on that node.

Check Multinode High Availability Service Redundancy Groups

Purpose

Verify that the SRGs are configured and working correctly.

Action

From operational mode, run the following command:

SRX-01

SRX-02

Meaning

Verify these details from the command output:

  • Peer node details such as deployment type, status, active and back up signal routes.

  • Split-brain preventions probe, IP monitoring and BFD monitoring status.

  • Associated IP prefix table.

Set Commands on all Devices

vSRX Virtual Firewall (SRX-01)

vSRX Virtual Firewall (SRX-02)

Router 1

Router 2

Show Configuration Output

From configuration mode, confirm your configuration by entering the show high availability, show security zones, and show interfaces commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

vSRX Virtual Firewall (SRX-01)

vSRX Virtual Firewall (SRX-02)