[j-nsp] Juniper SRX MNHA
Eric Harrison
eric.harrison at cascadetech.org
Mon Aug 4 15:08:57 EDT 2025
We are preparing to roll out MNHA on two SRX4600s; ours will be in routing
mode, but presumably switch mode will have the same basic requirements.
We saw the same thing initially, where the second unit was not showing the
session. For the session replication to work as expected, the interfaces,
zone names, etc. have to be the same on both units.
I.e. if on SRX1 you have et-0/0/0 == ZoneA and et-0/0/1 == Zone B, and on
SRX2 you have et-0/0/0 == ZoneA and et-0/0/2 == Zone B, only Zone A will
automagically replicate sessions.
Pretty nifty tech, fingers crossed that production goes as well as our lab
testing.
-Eric
On Mon, Aug 4, 2025 at 11:40 AM Aaron Gould via juniper-nsp <
juniper-nsp at puck.nether.net> wrote:
> I have (2) SRX2300 firewalls in the switching/default gateway MNHA
> mode. Anyone know why I'm not seeing sessions synchronized to the
> backup srx? Am I correct that active/backup provides for session state
> to be sent to backup for hitless failover?
>
> They both run current JTAC recommended 23.4R2-S5.5
>
> They both have exact same interfaces for untrust, trust and ha-link zones
>
> Let me know if you need any more info from me to assist with tshoot.
>
>
> root@srx01> show chassis high-availability information | grep "status|group|state"
> Node Status: ONLINE
> Encrypted: NO Conn State: UP
> Cold Sync Status: COMPLETE
> Services Redundancy Group: 0
> Current State: ONLINE
> Services Redundancy Group: 1
> Status: ACTIVE
> Process Packet In Backup State: NO
> Control Plane State: READY
> Status : BACKUP
> Health Status: HEALTHY
>
>
> root@srx02> show chassis high-availability information | grep "status|group|state"
> Node Status: ONLINE
> Encrypted: NO Conn State: UP
> Cold Sync Status: COMPLETE
> Services Redundancy Group: 0
> Current State: ONLINE
> Services Redundancy Group: 1
> Status: BACKUP
> Process Packet In Backup State: NO
> Control Plane State: READY
> Status : ACTIVE
> Health Status: HEALTHY
>
>
>
> nothing seen on backup....
>
> ==============================================================
>
> root@srx01> show security flow session destination-prefix 12.0.1.28
>
> Session ID: 718626, Policy name: default-permit/5, HA State: Active,
> Timeout: 1800, Session State: Valid
>
> In: 192.168.11.5/37862 --> 12.0.1.28/23;tcp, Conn Tag: 0x0, If: ae2.0,
> Pkts: 123, Bytes: 5014, HA Wing State: Active,
>
> Out: 12.0.1.28/23 --> 123.123.123.226/9616;tcp, Conn Tag: 0x0, If:
> ae1.0, Pkts: 112, Bytes: 10648, HA Wing State: Active,
>
> Total sessions: 1
>
> ==============================================================
>
> root@srx02> show security flow session destination-prefix 12.0.1.28
>
> Total sessions: 0
>
> root@srx02> show security flow session session-state ?
>
> Possible completions:
>
> active-warm MNHA session with one active wing and one warm wing
>
> backup L2 HA backup session
>
> warm L3 HA warm session
>
> root@srx02> show security flow session session-state active-warm
>
> Total sessions: 0
>
> root@srx02> show security flow session session-state backup
>
> Total sessions: 0
>
> root@srx02> show security flow session session-state warm
>
> Total sessions: 0
>
>
> --
> -Aaron
>
--
Eric Harrison
Network Services
Cascade Technology Alliance / Multnomah Education Service District
office: 503-257-1554 cell: 971-998-6249 NOC 503-257-1510