Example: Configure Multinode High Availability with Junos OS Configuration Groups

Read this topic to understand how to configure Multinode High Availability using Junos OS configuration groups.

In Multinode High Availability, two SRX Series Firewalls act as independent devices. Each device has its own hostname and its own IP address on the fxp0 interface. You can configure Multinode High Availability using Junos groups statements. To ensure identical security configurations and posture on both devices, you configure the shared settings in groups. Multinode High Availability nodes synchronize configuration exclusively through this group method.

When you need to configure statements that are common on both nodes, you can use one of the following approaches:

  • Configure the common configuration (such as security) on one device and manually copy and paste it on the other device, or use an external tool (for example, scripting) to push the same configuration snippets to both devices as applicable.

  • Use a common Junos group configuration that is synchronized between both nodes (but edited on one device). This approach includes:

    • Configure the feature or function as part of groups. Configuration groups enable you to create smaller, more logically constructed configuration files.

    • Synchronize the configuration using the edit system commit peers-synchronize option.

    • Name the peer devices in the group using the when peers <device-name> statement.

    When you enable configuration synchronization (the peers-synchronize option) on both devices in a Multinode High Availability setup, settings you configure on one peer under [groups] automatically sync to the other peer when you commit.

    For more details on configuration groups, see Use Configuration Groups to Quickly Configure Devices.

    Note that on Security Director or Security Director Cloud, the system manages reusable configuration snippets, similar to Junos groups, through policy templates and shared objects.

In this example, we’ll configure Multinode High Availability using Junos groups statements.

Tip:
Table 1: Time Estimates

| Reading Time | Configuration Time |
| --- | --- |
| 30 minutes | 60 minutes |

Example Prerequisites

Table 2 lists the hardware and software components that support the configuration.

Table 2: Requirements

Hardware requirements

SRX Series Firewalls that support Multinode High Availability or vSRX Virtual Firewalls.

Software requirements

We’ve tested this example using Junos OS Release 24.4R1. Support for Junos OS groups is available starting in Junos OS Release 7.4, and support for Multinode High Availability is available starting in Junos OS Release 20.4R1. See Feature Explorer for details.

Junos IKE package is required on your SRX Series Firewalls for Multinode High Availability configuration. This package is available as a default package or as an optional package on SRX Series Firewalls. See Support for Junos IKE Package for details.

If the package is not installed by default on your SRX Series Firewall, use the following command to install it:

user@host> request system software add optional://junos-ike.tgz

You require this step for ICL encryption.

Licensing requirements

No separate license is required to configure Multinode High Availability. Licenses for features such as IDP, Application Identification, and Juniper ATP Cloud are tied to each SRX Series Firewall, cannot be shared between the nodes in a Multinode High Availability setup, and must be installed on each device. Therefore, you must use identical licenses on both nodes.

In this example, we've used two vSRX Virtual Firewalls with Junos OS Release 24.4R1 and two vSRX instances as upstream and downstream routers.

Before You Begin

Know more

Using groups configuration in Multinode High Availability simplifies the setup by allowing you to create reusable configuration blocks. These groups can be applied across different parts of the configuration, ensuring consistency and reducing the need for repetitive entries. This approach makes the configuration files more concise and logically structured, and it simplifies maintenance of configuration files on Juniper Networks devices.

Learn more

Multinode High Availability, Use Configuration Groups to Quickly Configure Devices

Functional Overview

Table 3 provides a quick summary of the configuration components deployed in this example.

Table 3: Configuration Components

Technologies used

  • High availability

  • Junos OS Configuration Groups

  • IPsec VPN

  • Routing policy

  • Routing options

Primary verification tasks

  1. Verify high availability on both nodes in the setup.

  2. Verify the Multinode High Availability data plane statistics.

Topology Illustration

Figure 1 shows the topology used in this configuration example.

Figure 1: Multinode High Availability in Layer 3 Network

As shown in the topology, two SRX Series Firewalls are connected to adjacent routers (vSRX instances acting as routers). An encrypted logical interchassis link (ICL) connects the nodes. The nodes communicate with each other over the network using a routable IP address (floating IP address). In this example, we've used GE ports for the ICL. We've also configured a routing instance for the ICL path to ensure maximum segmentation.

Loopback interfaces host the IP addresses on the SRX Series Firewalls and the routers, and the IP address on a loopback unit on each node is used for communication. In a typical high availability deployment, you have multiple routers and switches on the northbound and southbound sides of the network. For this example, we are using two vSRX instances as routers on both sides of the SRX Series Firewalls.

In this example, you'll create multiple configuration groups on devices and synchronize the configuration.

Topology Overview

Table 4 shows the details of the interface configuration used in this example.

Table 4: Interfaces and IP Address Configuration on Security Devices

| Device | Interface | IP Address | Zone | Configured For |
| --- | --- | --- | --- | --- |
| SRX-01 | lo0.1 | 172.26.0.11/32 | ICL Zone | Local forwarding address used to forward data packets over the ICD link. |
| SRX-01 | lo0.1 | 172.26.0.1/32 | ICL Zone | ICL |
| SRX-01 | lo0.0 | 172.25.0.0/32 | Left Zone | Floating IP address |
| SRX-01 | ge-0/0/1.39 | 10.1.39.1/24 | ICL Zone | ICL to node 0 connection |
| SRX-01 | ge-0/0/3.100 | 10.0.31.10/24 | Left Zone | Connects to upstream and downstream routers. |
| SRX-01 | ge-0/0/4.101 | 10.0.33.10/24 | Right Zone | Connects to upstream and downstream routers. |
| SRX-02 | lo0.1 | 172.26.0.12/32 | ICL Zone | Local forwarding address used to forward data packets over the ICD link. |
| SRX-02 | lo0.1 | 172.26.0.2/32 | ICL Zone | ICL |
| SRX-02 | lo0.0 | 172.25.0.0/32 | Left Zone | Floating IP address |
| SRX-02 | ge-0/0/1.39 | 10.1.39.2/24 | ICL Zone | ICL to node 0 connection |
| SRX-02 | ge-0/0/3.100 | 10.0.32.10/24 | Left Zone | Connects to upstream and downstream routers. |
| SRX-02 | ge-0/0/4.101 | 10.0.34.10/24 | Right Zone | Connects to upstream and downstream routers. |

Table 5: Interfaces and IP Address Configuration on Routing Devices

| Device | Interface | IP Address | Configured For |
| --- | --- | --- | --- |
| Router 1 (R1) | ge-0/0/0.31 | 10.0.31.1/24 | Connects to SRX-01 |
| Router 1 (R1) | ge-0/0/1.32 | 10.0.32.1/24 | Connects to SRX-02 |
| Router 2 (R2) | ge-0/0/0.33 | 10.0.33.1/24 | Connects to SRX-01 |
| Router 2 (R2) | ge-0/0/1.34 | 10.0.34.1/24 | Connects to SRX-02 |

Configure Multinode High Availability Using Junos Group Statements

  1. Configure the common features and functions for Multinode High Availability using Junos group statements on the active node (SRX-01).

    Note that we have included the term ‘sync’ in the group names as a naming convention to clearly indicate to admins and users that these groups are intended for synchronization.

    1. Configure groups for the Multinode High Availability configuration. Within these groups, you can define security zones, security policies, IPsec tunnel definitions, and more.
    2. Configure groups for Multinode High Availability monitoring options.
    3. Configure groups for Multinode High Availability advanced monitoring options.
  2. Configure node-specific statements on the active node (SRX-01).
    1. Configure groups for synchronization.
      Note: You can synchronize the configuration across any interface you choose – normally either through the interface configured as the ICL or through fxp0, the out-of-band management interface. In this example, we've used configuration synchronization over the ICL.
    2. Configure Multinode High Availability related statements.
    3. Configure IPsec VPN options.
    4. Configure the security zones.
    5. Configure the interfaces.
    6. Configure policy options.
    7. Configure routing instances and routing options.
    8. Apply the configuration groups.
    9. Configure options for the peer node participating in commit synchronization.
      Note: The device names used in this example are vsrx-mnha-n0 and vsrx-mnha-n1. Ensure that you use the host name of your device for this configuration.
      This configuration enables the node to take the configuration commands entered under the sync group and push them to the other node, using the IP address and credentials defined. You must repeat this configuration on node-01, with its own IP address and hostname.
  3. Configure node-specific statements on the backup node (SRX-02).
    1. Configure groups for enabling peer sync through the ICL.
      Note: The device names used in this example are vsrx-mnha-n0 and vsrx-mnha-n1. Ensure that you use the host name of your device for this configuration.
    2. Configure Multinode High Availability options.
    3. Configure IPsec VPN related options.
    4. Configure security zones.
    5. Configure interfaces.
    6. Configure policy options.
    7. Configure routing instances and routing options.
    8. Configure options for the peers participating in commit synchronization. This configuration enables the node to take the configuration commands entered under the sync group and push them to the other node, using the IP address and credentials defined.
      Note: The device names used in this example are vsrx-mnha-n0 and vsrx-mnha-n1. Ensure that you use the host name of your device for this configuration.
  4. Use the following command to configure the commit command to automatically perform a peers-synchronize action between peers:
    The local peer (or requesting peer) on which you enable the peers-synchronize statement copies and loads its configuration to the remote (or responding) peer.
    Note:

    Use the set security ssh-known-hosts fetch-from-server and set security ssh-known-hosts host statements to include the other node as a known host. When you commit the configuration, the system displays the following message:

    You must add the SSH key fingerprint for the Multinode High Availability peer. This step is needed for configuration synchronization to work.

Verification

Use the following show commands to verify the feature in this example.

| Command | Verification Task |
| --- | --- |
| show chassis high-availability information | Displays Multinode High Availability details, including status. |
| show chassis high-availability peer-info | Displays details such as the peer node, connection details, and packet statistics of the peer node in a Multinode High Availability setup. |
| show chassis high-availability services-redundancy-group | Displays the services redundancy group information in a Multinode High Availability setup. |

Check Multinode High Availability Details

Purpose

View and verify the details of the Multinode High Availability setup configured on your security device.

Action

From operational mode, run the following commands on both nodes:

Meaning

Verify these details from the command output:

  • Local node and peer node details such as IP address and ID.

  • Node Status: ONLINE indicates that the node is up.

  • Conn State: UP indicates that the ICL link is established and operational.

  • Peer ICD Conn State: UP indicates that the ICD link is established and operational.

  • Encrypted: YES indicates that the ICL connection is encrypted.

  • Peer Information and Services Redundancy Group details indicate that the peer node is healthy and ready for failover.

Check Multinode High Availability Peer Node Details

Purpose

View details of the peer node in the Multinode High Availability setup.

Action

From operational mode, run the following command:

Meaning

You can get the following details from the command output:

  • Peer ID: 2 shows the ID of the other node.

  • Conn State: UP and Peer ICD Conn State: UP indicate that both the ICL and ICD links are established.

  • Packet Statistics shows packets transferred between the nodes.

Check Multinode High Availability Service Redundancy Group Details

Purpose

View and verify the details of the Multinode High Availability services redundancy group (SRG).

Action

From operational mode, run the following command:

SRX-01 Device

Now run the same command on the SRX-02 device and note the differences in the command output, such as Status and Peer Information.

Meaning

Verify these details from the command output:

  • Deployment Type: ROUTING indicates that the Multinode High Availability setup is in Layer 3 (Routing) mode.

  • Status: BACKUP indicates that the node is currently operating as the backup node.

  • Peer Information provides peer node details such as deployment type, status, and active and backup signal routes.

  • The output also indicates configured monitoring options and failure events (if any).

Set Commands on All Devices

SRX Series Device Configured as Active Node (vsrx-mnha-n0)

Note: The device names used in this example are vsrx-mnha-n0 and vsrx-mnha-n1. Ensure that you use the host name of your device for this configuration.

SRX Series Device Configured as Backup Node (SRX-02)

Note: The device names used in this example are vsrx-mnha-n0 and vsrx-mnha-n1. Ensure that you use the host name of your device for this configuration.

Router 1 (R1-SRX Series Device Configured as Router)

Router 2 (R2-SRX Series Device Configured as Router)

Show Configuration Output

From configuration mode, confirm your configuration by entering the show chassis high-availability and show groups commands and reviewing the other details. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

SRX-01 (Active Node)

SRX-02