[j-nsp] Juniper SRX MNHA

Eric Harrison eric.harrison at cascadetech.org
Mon Aug 4 15:45:35 EDT 2025


I haven't tested switching mode; replication may very well behave
differently than in routing mode.  Have you tried the good old-fashioned
breaking of the primary node to see what happens?


I don't know if this will be helpful or not, but here is my config and an
example of what I see on replicated sessions:


SRX1> show configuration chassis high-availability
local-id {
    1;
    local-ip X.X.X..255;
}
peer-id 2 {
    peer-ip X.X.X..254;
    interface lo0.1;
    routing-instance HA-LINK;
    vpn-profile IPSEC_VPN_ICL;
    liveness-detection {
        minimum-interval 1000;
        multiplier 3;
    }
}
services-redundancy-group 0 {
    peer-id {
        2;
    }
}


SRX2> show configuration chassis high-availability
local-id {
    2;
    local-ip X.X.X..254;
}
peer-id 1 {
    peer-ip X.X.X..255;
    interface lo0.1;
    routing-instance HA-LINK;
    vpn-profile IPSEC_VPN_ICL;
    liveness-detection {
        minimum-interval 1000;
        multiplier 3;
    }
}
services-redundancy-group 0 {
    peer-id {
        1;
    }
}





SRX1> show security flow session destination-prefix 100.122.0.142
Session ID: 1487460, Policy name: TEST/11, HA State: Active, Timeout: 1796,
Session State: Valid
  In: 100.100.1.1/41240 --> 100.122.0.142/22;tcp, Conn Tag: 0x0, If:
et-1/0/1.230, Pkts: 8, Bytes: 2177, HA Wing State: Active,
  Out: 100.122.0.142/22 --> 100.100.1.1/41240;tcp, Conn Tag: 0x0, If:
et-1/0/1.124, Pkts: 5, Bytes: 1807, HA Wing State: Active,

SRX2> show security flow session destination-prefix 100.122.0.142
Session ID: 718870, Policy name: TEST/11, HA State: Warm, Timeout: 14384,
Session State: Valid
  In: 100.100.1.1/41240 --> 100.122.0.142/22;tcp, Conn Tag: 0x0, If:
et-1/0/1.230, Pkts: 0, Bytes: 0, HA Wing State: Warm,
  Out: 100.122.0.142/22 --> 100.100.1.1/41240;tcp, Conn Tag: 0x0, If:
et-1/0/1.124, Pkts: 0, Bytes: 0, HA Wing State: Warm,



On Mon, Aug 4, 2025 at 12:18 PM Aaron1 <aaron1 at gvtc.com> wrote:

> My interfaces are same on both.
>
>
> root at srx01> show security zones | grep "\^security zone|interfaces|ae"
>
>
> Security zone: halink
>
>
>   Interfaces bound: 1
>
>
>   Interfaces:
>
>
> ae3.0
>
>
> Security zone: trust
>
>
>   Interfaces bound: 1
>
>
>   Interfaces:
>
>
> ae2.0
>
>
> Security zone: untrust
>
>
>   Interfaces bound: 1
>
>
>   Interfaces:
>
>
> ae1.0
>
>
> Security zone: junos-host
>
>
>   Interfaces bound: 0
>
>
>   Interfaces:
>
>
> ====================================
>
> root at srx02> show security zones | grep "\^security zone|interfaces|ae"
>
>
> Security zone: halink
>
>
>   Interfaces bound: 1
>
>
>   Interfaces:
>
>
> ae3.0
>
>
> Security zone: trust
>
>
>   Interfaces bound: 1
>
>
>   Interfaces:
>
>
> ae2.0
>
>
> Security zone: untrust
>
>
>   Interfaces bound: 1
>
>
>   Interfaces:
>
>
> ae1.0
>
>
> Security zone: junos-host
>
>
>   Interfaces bound: 0
>
>
>   Interfaces:
>
>
> Aaron
>
> On Aug 4, 2025, at 2:10 PM, Eric Harrison <eric.harrison at cascadetech.org>
> wrote:
>
> 
>
> We are preparing to rollout MNHA on two SRX4600's, ours will be in routing
> mode but presumably switch mode will have the same basic requirements.
>
> We saw the same thing initially, where the second unit was not showing the
> session.  For the session replication to work as expected,  the interfaces,
> zone names, etc have to be the same on both units.
>
> I.e. if on SRX1 you have et-0/0/0 == ZoneA and et-0/0/1 == Zone B, and on
> SRX2 you have et-0/0/0 == ZoneA and et-0/0/2 == Zone B,   only Zone A will
> automagically replicate sessions.
>
> Pretty nifty tech, fingers crossed that production goes as well as our lab
> testing.
>
> -Eric
>
> On Mon, Aug 4, 2025 at 11:40 AM Aaron Gould via juniper-nsp <
> juniper-nsp at puck.nether.net> wrote:
>
>> I have (2) SRX2300 firewalls in the switching/default gateway MNHA
>> mode.  Anyone know why I'm not seeing sessions synchronized to the
>> backup srx?  Am I correct that active/backup provides for session state
>> to be sent to backup for hitless failover?
>>
>> They both run current JTAC recommended 23.4R2-S5.5
>>
>> They both have exact same interfaces for untrust, trust and ha-link zones
>>
>> Let me know if you need any more info from me to assist with tshoot.
>>
>>
>> root at srx01> show chassis high-availability information | grep
>> "status|group|state"
>> Node Status: ONLINE
>>      Encrypted: NO     Conn State: UP
>>      Cold Sync Status: COMPLETE
>> Services Redundancy Group: 0
>>          Current State: ONLINE
>> Services Redundancy Group: 1
>>          Status: ACTIVE
>>          Process Packet In Backup State: NO
>>          Control Plane State: READY
>>            Status : BACKUP
>>            Health Status: HEALTHY
>>
>>
>> root at srx02> show chassis high-availability information | grep
>> "status|group|state"
>> Node Status: ONLINE
>>      Encrypted: NO     Conn State: UP
>>      Cold Sync Status: COMPLETE
>> Services Redundancy Group: 0
>>          Current State: ONLINE
>> Services Redundancy Group: 1
>>          Status: BACKUP
>>          Process Packet In Backup State: NO
>>          Control Plane State: READY
>>            Status : ACTIVE
>>            Health Status: HEALTHY
>>
>>
>>
>> nothing seen on backup....
>>
>> ==============================================================
>>
>> root at srx01> show security flow session destination-prefix 12.0.1.28
>>
>> Session ID: 718626, Policy name: default-permit/5, HA State: Active,
>> Timeout: 1800, Session State: Valid
>>
>> In: 192.168.11.5/37862 --> 12.0.1.28/23;tcp, Conn Tag: 0x0, If: ae2.0,
>> Pkts: 123, Bytes: 5014, HA Wing State: Active,
>>
>> Out: 12.0.1.28/23 --> 123.123.123.226/9616;tcp, Conn Tag: 0x0, If:
>> ae1.0, Pkts: 112, Bytes: 10648, HA Wing State: Active,
>>
>> Total sessions: 1
>>
>> ==============================================================
>>
>> root at srx02> show security flow session destination-prefix 12.0.1.28
>>
>> Total sessions: 0
>>
>> root at srx02> show security flow session session-state ?
>>
>> Possible completions:
>>
>> active-warm MNHA session with one active wing and one warm wing
>>
>> backup L2 HA backup session
>>
>> warm L3 HA warm session
>>
>> root at srx02> show security flow session session-state active-warm
>>
>> Total sessions: 0
>>
>> root at srx02> show security flow session session-state backup
>>
>> Total sessions: 0
>>
>> root at srx02> show security flow session session-state warm
>>
>> Total sessions: 0
>>
>>
>> --
>> -Aaron
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
>
> --
> Eric Harrison
> Network Services
> Cascade Technology Alliance / Multnomah Education Service District
> office: 503-257-1554   cell: 971-998-6249   NOC 503-257-1510
>
>

-- 
Eric Harrison
Network Services
Cascade Technology Alliance / Multnomah Education Service District
office: 503-257-1554   cell: 971-998-6249   NOC 503-257-1510
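The thread's diagnosis is that MNHA only replicates sessions whose ingress interface sits in a zone that is laid out identically on both nodes, and the check was done by eyeballing `show security zones` and `show security flow session` on each box. The script below is an added example, not code from the thread or from Juniper: it parses the text of those two commands as captured from both nodes, lists zones whose interface membership differs, and lists Active sessions on the primary that have no Warm counterpart on the peer, tagging each with the zone of its ingress interface. The interface names, addresses and session IDs in the embedded sample output are constructed to match the thread's output format; the zone/session layout shown (untrust on different interfaces, one session not replicated) is invented to exercise the mismatch case.

```python
"""Cross-check two SRX MNHA nodes: zone/interface layout and session replication.

Added example, not from the mailing-list thread. Input is the plain text of
'show security zones' and 'show security flow session' from each node, pasted
or scraped into strings. Email-style line wrapping inside a session record is
tolerated because each record is whitespace-collapsed before matching.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Junos logical interface names as they appear in zone output: ae3.0, lo0.1, ge-0/0/0.0
IFACE_RE = re.compile(r"^[a-z]{2,3}(-\d+/\d+/\d+)?\d*\.\d+$")
ZONE_RE = re.compile(r"Security zone:\s+(\S+)")
SESSION_RE = re.compile(r"Session ID: (\d+),.*?HA State: (\w+),")
IN_WING_RE = re.compile(r"In: (\S+) --> (\S+);(\w+), Conn Tag: \S+, If: (\S+),")

# --- constructed sample captures (values invented, format modelled on the thread) ---
ZONES_A = """
Security zone: halink
  Interfaces bound: 1
  Interfaces:
    ae3.0
Security zone: trust
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
Security zone: untrust
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
Security zone: junos-host
  Interfaces bound: 0
  Interfaces:
"""
# Node B binds untrust to a different interface: the layout mismatch the thread describes.
ZONES_B = ZONES_A.replace("ge-0/0/1.0", "ge-0/0/2.0")

SESSIONS_A = """
Session ID: 1001, Policy name: TEST/11, HA State: Active, Timeout: 1796, Session State: Valid
  In: 10.0.1.5/41240 --> 192.0.2.142/22;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 8, Bytes: 2177, HA Wing State: Active,
  Out: 192.0.2.142/22 --> 10.0.1.5/41240;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 5, Bytes: 1807, HA Wing State: Active,
Session ID: 1002, Policy name: TEST/12, HA State: Active, Timeout: 1800, Session State: Valid
  In: 198.51.100.7/51000 --> 10.0.1.9/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 12, Bytes: 3000, HA Wing State: Active,
  Out: 10.0.1.9/443 --> 198.51.100.7/51000;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 10, Bytes: 7000, HA Wing State: Active,
Total sessions: 2
"""
# Peer only carries a Warm copy of the first session.
SESSIONS_B = """
Session ID: 7001, Policy name: TEST/11, HA State: Warm, Timeout: 14384, Session State: Valid
  In: 10.0.1.5/41240 --> 192.0.2.142/22;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0, HA Wing State: Warm,
  Out: 192.0.2.142/22 --> 10.0.1.5/41240;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 0, Bytes: 0, HA Wing State: Warm,
Total sessions: 1
"""


def parse_zones(text: str) -> Dict[str, Set[str]]:
    """Map each security zone to the set of logical interfaces bound to it."""
    zones: Dict[str, Set[str]] = {}
    current: Optional[str] = None
    for line in (l.strip() for l in text.splitlines()):
        m = ZONE_RE.match(line)
        if m:
            current = m.group(1)
            zones[current] = set()
        elif current is not None and IFACE_RE.match(line):
            zones[current].add(line)
    return zones


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """One dict per session: id, HA state, and the In-wing 5-tuple-ish key."""
    sessions = []
    for rec in re.split(r"(?=Session ID:)", text):
        rec = " ".join(rec.split())  # undo email wrapping
        head, wing = SESSION_RE.search(rec), IN_WING_RE.search(rec)
        if not head or not wing:
            continue
        src, dst, proto, ingress = wing.groups()
        sessions.append({"id": head.group(1), "ha_state": head.group(2),
                         "key": (src, dst, proto), "ingress_if": ingress})
    return sessions


def zone_mismatches(zones_a: Dict[str, Set[str]], zones_b: Dict[str, Set[str]]
                    ) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Zones whose interface membership differs between the two nodes."""
    return {z: (zones_a.get(z, set()), zones_b.get(z, set()))
            for z in sorted(set(zones_a) | set(zones_b))
            if zones_a.get(z, set()) != zones_b.get(z, set())}


def zone_of(iface: str, zones: Dict[str, Set[str]]) -> Optional[str]:
    return next((z for z, ifs in zones.items() if iface in ifs), None)


def find_unreplicated(active_text: str, backup_text: str) -> List[Dict[str, str]]:
    """Active sessions on the primary with no Warm session of the same key on the peer."""
    backup = {s["key"]: s["ha_state"] for s in parse_sessions(backup_text)}
    return [s for s in parse_sessions(active_text)
            if s["ha_state"] == "Active" and backup.get(s["key"]) != "Warm"]


def report(zones_a_text: str, zones_b_text: str, sess_a: str, sess_b: str) -> List[str]:
    za, zb = parse_zones(zones_a_text), parse_zones(zones_b_text)
    findings = [f"zone {z}: node A {sorted(a)} vs node B {sorted(b)}"
                for z, (a, b) in zone_mismatches(za, zb).items()]
    for s in find_unreplicated(sess_a, sess_b):
        findings.append(f"session {s['id']} {s['key']} not Warm on peer; "
                        f"ingress {s['ingress_if']} in zone {zone_of(s['ingress_if'], za)}")
    return findings


if __name__ == "__main__":
    print("\n".join(report(ZONES_A, ZONES_B, SESSIONS_A, SESSIONS_B)))
```

Run it on real captures by replacing the constructed strings with the output of the two commands from each node; a session that shows up as not Warm on the peer with an ingress interface in a mismatched zone is exactly the condition the thread describes.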
