[j-nsp] Juniper SRX MNHA with JSC

Aaron Gould aaron1 at gvtc.com
Wed Aug 20 15:37:59 EDT 2025


Circling back on this... with my question about my JSC remote access VPN 
not working with my current MNHA deployment type (using the switching 
(def gw) mode)... I've heard various things about my needing to rethink 
the way I'm testing MNHA, like needing to go with "deployment-type 
routing", enable IPsec encryption on my HA ICL, and I think a few other 
things...

Using a link provided to me...I found the following that seems to work.
https://www.juniper.net/documentation/us/en/software/junos/high-availability/topics/concept/mnha-ipsec-vpn.html
Under "Associate IPsec VPN Service to an SRG" I used the following 
command for associating IPsec as a managed-service to SRG 1 and now I 
can connect using JSC on my Windows 11 laptop, and I see IKE and IPsec 
SAs on both active and backup SRXs... and I can fail over the active SRX, 
and my JSC VPN fails over too. Yay! Before I celebrate too much, are 
there any concerns with this?


...showing my deployment type and managed-service IPsec commands on both 
SRXs...

set chassis high-availability services-redundancy-group 1 deployment-type switching
...
set chassis high-availability services-redundancy-group 1 managed-services ipsec


CLI output...

me@srx01> show chassis high-availability information detail | grep "^ha peer info|peer-id|encryp|ipsec|^service.+1$|deploy"
HA Peer Information:
    Peer-ID: 2        IP address: 172.21.0.1    Interface: ae3.0
    Encrypted: NO     Conn State: UP
Services Redundancy Group: 1
         Deployment Type: SWITCHING
         Services: [ IPSEC ]


me@srx02> show chassis high-availability information detail | grep "^ha peer info|peer-id|encryp|ipsec|^service.+1$|deploy"
HA Peer Information:
    Peer-ID: 1        IP address: 172.21.0.0    Interface: ae3.0
    Encrypted: NO     Conn State: UP
Services Redundancy Group: 1
         Deployment Type: SWITCHING
         Services: [ IPSEC ]
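
One way to check the two nodes' filtered `show chassis high-availability information detail` output against each other, as an added example that is not part of the original post. It assumes an encrypted ICL is reported as `Encrypted: YES` and that multiple services are space-separated inside the brackets; `parse_node` and `audit` are hypothetical names.

```python
import re

# Filtered CLI output copied from the post; SRX02 differs only in peer ID and address.
SRX01 = """\
HA Peer Information:
    Peer-ID: 2        IP address: 172.21.0.1    Interface: ae3.0
    Encrypted: NO     Conn State: UP
Services Redundancy Group: 1
         Deployment Type: SWITCHING
         Services: [ IPSEC ]
"""
SRX02 = SRX01.replace("Peer-ID: 2", "Peer-ID: 1").replace("172.21.0.1", "172.21.0.0")

FIELDS = {
    "peer_id": r"Peer-ID:\s*(\d+)",
    "encrypted": r"Encrypted:\s*(\S+)",
    "conn_state": r"Conn State:\s*(\S+)",
    "srg": r"Services Redundancy Group:\s*(\d+)",
    "deployment": r"Deployment Type:\s*(\S+)",
    "services": r"Services:\s*\[\s*(.*?)\s*\]",
}

def parse_node(text):
    """Extract the HA fields shown in the post from one node's output."""
    out = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        out[name] = m.group(1) if m else None
    out["services"] = sorted((out["services"] or "").split())
    return out

def audit(nodes):
    """Return findings for {hostname: cli_output}; unparsed fields are flagged too."""
    parsed = {host: parse_node(text) for host, text in nodes.items()}
    findings = []
    for host, p in parsed.items():
        if p["encrypted"] != "YES":  # assumption: YES is the encrypted value
            findings.append(f"{host}: ICL to peer {p['peer_id']} reports Encrypted: {p['encrypted']}")
        if p["conn_state"] != "UP":
            findings.append(f"{host}: ICL connection state is {p['conn_state']}")
        if "IPSEC" not in p["services"]:
            findings.append(f"{host}: SRG {p['srg']} does not list IPSEC as a managed service")
    # Both nodes should agree on the SRG number, deployment type and service list.
    for key in ("srg", "deployment", "services"):
        if len({str(p[key]) for p in parsed.values()}) > 1:
            findings.append(f"nodes disagree on {key}: " + str({h: p[key] for h, p in parsed.items()}))
    return findings

if __name__ == "__main__":
    print("\n".join(audit({"srx01": SRX01, "srx02": SRX02}) or ["no findings"]))
```
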

