High Availability
-
Multihop BFD support in inline mode (MX304, MX10003, MX10004, MX10008, and MX10016)—Starting in Junos OS Release 23.4R1, multihop BFD sessions will operate using inline mode by default instead of distributed mode. Inline mode allows for a higher number of programmable RPD (PRPD) programmed multihop BFD sessions. We support multihop sessions only in inline mode when you configure enhanced IP mode.
You can globally disable multihop BFD using inline mode with the
configuration statement.set protocols bfd mhop-inline-disable
To disable multihop BFD using inline mode on a per BFD session basis, use the
set protocols bgp group group bfd-liveness-detection inline-disable
configuration statement. -
BFD Session Dampening for LACP Interfaces (MX240, MX480, MX960, MX10003)—Starting in Junos OS Release 23.4R1, you can use BFD session damping on LACP interfaces to suppress BFD session state change notifications for a configured time period when thresholds for session flapping are exceeded. Session damping helps reduce potential instability from excessive BFD notifications.
Use the
set bfd-liveness-detection damping
configuration statement at the[edit dynamic-profiles name interfaces name aggregated-ether-option]
hierarchy level to configure BFD session damping.[See BFD Session Damping Overview.]
-
Multinode High Availability support in Microsoft Azure cloud (vSRX)—Starting in Junos OS Release 23.4R1, we support active/backup Multinode High Availability on Juniper Networks vSRX Virtual Firewall Virtual Firewalls for the Microsoft Azure cloud deployments.
By deploying the Multinode High Availability vSRX Virtual Firewalls in Azure, you can protect the workloads running within the virtual network on the Microsoft Azure Cloud. This maximizes availability and increases redundancy, ensuring that your workloads remain secure and accessible at all time.
See [Multinode High Availability Support for vSRX Virtual Firewall Instances in Microsoft Azure Cloud].
-
IPv6 Addresses support for BFD monitoring (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX3.0)—Starting in Junos OS Release 23.4R1, you can configure Bidirectional Forwarding Detection (BFD) monitoring using IPv6 addresses in a Multinode High Availability setup.
See [Multinode High Availability].
-
Active-active Multinode High Availability (SRX1500, SRX4100, SRX4200, SRX4600, and vSRX3.0)—Starting in Junos OS Release 23.4R1, you can operate Multinode High Availability in active-active mode on SRX1500, SRX4100, SRX4200, and SRX4600 Firewalls.
Multinode High Availability supports IPsec VPN in active-active mode with multiple SRGs (SRG1+). In this mode, you can establish multiple active tunnels from both the nodes, based on SRG activeness. Since different SRGs can be active on different nodes, tunnels belonging to these SRGs come up on both nodes independently. Having active tunnels on both the nodes enables encrypting/decrypting data traffic on both the nodes resulting in efficient use of bandwidth.
See [Multinode High Availability].
-
Enhancements for Multinode High Availability monitoring features (SRX1500, SRX4100, SRX4200, and SRX4600, SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 23.4R1, we have added new enhancements for the path monitoring features.
The enhancements add more granular control for the path monitoring by:
- Grouping of monitoring functions
- Monitoring based on the direction (upstream and downstream) associated with an SRG path
- Adding weights associated with each monitoring function
- Monitoring for SRG0 in addition to SRG1+
By grouping related attributes together, the system can process them as a unit, which can lead to more efficient computation and resource utilization.
-
Split-brain protection support for BFD- based probing (SRX1500, SRX4100, SRX4200, and SRX4600, SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 23.4R1, we introduce Bidirectional Forwarding Detection (BFD)-based probing for split-brain protection in Multinode High Availability. This enhancement allows you to use fine-grained control over the probing parameters, providing you the ability to specify the interface, set the minimal-interval, and define the multipliers.
BFD-based probing starts immediately after configuring a service redundancy group (SRG) resulting in quicker response times, providing a significant improvement in the containment of potential split-brain scenarios.
-
Support for asymmetric traffic flows in Multinode High Availability (SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 23.4R1, SRX Series Firewalls in Multinode High Availability support asymmetric traffic flows.
While performing deep packet inspection or stateful firewall activity, it is a must that the firewall in the return path have the same state information associated with a packet flow as the state information is built in the originating firewall.
To handle asymmetric traffic flows, the Multinode High Availability requires an additional link known as Inter Chassis Datapath (ICD). ICD has the ability to route the traffic between two nodes. It enables the nodes to redirect asymmetric traffic flows to the peer node that is originally in charge of providing stateful services for these flows.
This feature ensures the completion of TCP security check (such as three-way handshake and sequence check with window scale factor) for asymmetric traffic flows, thereby enhancing the performance and reliability of the network.
See [Asymmetric Traffic Flow Support for Multinode High Availability].
-
Support for running unified ISSU on MPC10 line cards on MX240, MX480, and MX960 routers—Starting in Junos OS Release 23.4R1, we support in-service software upgrade (ISSU) for subscriber services functionality on MPC10 line cards on MX240, MX480, and MX960.
[See request system software in-service-upgrade and Unified ISSU System Requirements]
-
Configure BFD size to support large packets on AFT-enabled devices (MX304, MX10003, MX10004, MX10008, MX10016, MX2010, and MX2020)—Starting in Junos OS Release 23.4R1, on AFT-enabled devices, you can adjust the size of the BFD protocol data units (PDUs) with the
pdu-size
configuration statement at the[edit protocols ospf area area interface interface bfd-liveness-detection]
hierarchy level. You can configure the BFD PDU size from the default of 24 bytes up to a maximum of 9000 bytes.