[j-nsp] Juniper SRX MNHA
Kevin Shymkiw
kshymkiw at gmail.com
Mon Aug 4 14:42:50 EDT 2025
I have never messed with MNHA, but one thing sticks out to me as weird:
srx01 is Active for the RGs, but backup for the Control Plane. Is that
normal? Why would the active RG node not also be the Active control plane
during normal operation?
Kevin
On Mon, Aug 4, 2025 at 12:40 PM Aaron Gould via juniper-nsp <
juniper-nsp at puck.nether.net> wrote:
> I have (2) SRX2300 firewalls in the switching/default gateway MNHA
> mode. Anyone know why I'm not seeing sessions synchronized to the
> backup srx? Am I correct that active/backup provides for session state
> to be sent to backup for hitless failover?
>
> They both run current JTAC recommended 23.4R2-S5.5
>
> They both have exact same interfaces for untrust, trust and ha-link zones
>
> Let me know if you need any more info from me to assist with tshoot.
>
>
> root at srx01> show chassis high-availability information | grep
> "status|group|state"
> Node Status: ONLINE
> Encrypted: NO Conn State: UP
> Cold Sync Status: COMPLETE
> Services Redundancy Group: 0
> Current State: ONLINE
> Services Redundancy Group: 1
> Status: ACTIVE
> Process Packet In Backup State: NO
> Control Plane State: READY
> Status : BACKUP
> Health Status: HEALTHY
>
>
> root at srx02> show chassis high-availability information | grep
> "status|group|state"
> Node Status: ONLINE
> Encrypted: NO Conn State: UP
> Cold Sync Status: COMPLETE
> Services Redundancy Group: 0
> Current State: ONLINE
> Services Redundancy Group: 1
> Status: BACKUP
> Process Packet In Backup State: NO
> Control Plane State: READY
> Status : ACTIVE
> Health Status: HEALTHY
>
>
>
> nothing seen on backup....
>
> ==============================================================
>
> root at srx01> show security flow session destination-prefix 12.0.1.28
>
> Session ID: 718626, Policy name: default-permit/5, HA State: Active,
> Timeout: 1800, Session State: Valid
>
> In: 192.168.11.5/37862 --> 12.0.1.28/23;tcp, Conn Tag: 0x0, If: ae2.0,
> Pkts: 123, Bytes: 5014, HA Wing State: Active,
>
> Out: 12.0.1.28/23 --> 123.123.123.226/9616;tcp, Conn Tag: 0x0, If:
> ae1.0, Pkts: 112, Bytes: 10648, HA Wing State: Active,
>
> Total sessions: 1
>
> ==============================================================
>
> root at srx02> show security flow session destination-prefix 12.0.1.28
>
> Total sessions: 0
>
> root at srx02> show security flow session session-state ?
>
> Possible completions:
>
> active-warm MNHA session with one active wing and one warm wing
>
> backup L2 HA backup session
>
> warm L3 HA warm session
>
> root at srx02> show security flow session session-state active-warm
>
> Total sessions: 0
>
> root at srx02> show security flow session session-state backup
>
> Total sessions: 0
>
> root at srx02> show security flow session session-state warm
>
> Total sessions: 0
>
>
> --
> -Aaron