
Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX HA Active Active

    Posted 05-23-2020 06:32



    I am following this documentation to configure active/active SRX:


    From what I understand, the priority of a node inside a redundancy group controls whether the traffic is active on a particular node; however, in the example the connections to the ISP are not inside a redundancy group.


    I want local traffic to use both paths to ISP-A and ISP-B. Will I need to configure two extra redundancy groups to achieve this, one with a priority on node0 and one with a higher priority on node1?


    Also if one of the ISP connections goes down how would traffic fail-over to the other device?


    I am labbing this on EVE-NG with vSRX to create a working example; any advice would be appreciated.




  • 2.  RE: SRX HA Active Active

    Posted 05-23-2020 07:46

    Redundancy groups are for when you want the same connection to fail over between the nodes in the cluster.


    If a connection is a single dedicated link, like the two ISPs in the example, they are standard interfaces that are active for traffic as long as the link is up and available but will no longer be available when the node or link fails.


    For using both ISPs when they are both available, that is a routing configuration issue.  You have two valid paths, so you have to decide what routing method you want to use to load share the paths.  The two main options are ECMP (equal cost multipath) or FBF (filter based forwarding).


  • 3.  RE: SRX HA Active Active

    Posted 05-23-2020 15:42

    Hi Steve,


    So essentially I could use BGP multipath with BFD and since node0 is the control plane, if one of the neighbours/ISPs links went down, traffic would just be forwarded out the other active ISP connection, due to losing the route?





  • 4.  RE: SRX HA Active Active
    Best Answer

    Posted 05-24-2020 08:19

    Yes, routing is often a separate configuration choice once you go active/active.


    Think of your active/active cluster as a single router with two physical blades.

    The brains only exist on one device but will fail over to the other if that chassis fails.

    Reth interfaces allow you to have interfaces that will fail over if a chassis fails, so they offer that type of interface protection.

    Single attached interfaces will fail when a link or a chassis fails, so you can use routing failovers to protect traffic on these.

    Multiple paths are likewise addressed by standard routing protocols as either ECMP or backup paths.

    FBF can allow you to forward on multiple paths with more specific address or port level controls.
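
The routing approach discussed in this thread (BGP multipath with BFD, plus ECMP in the forwarding table), sketched as an added example that is not part of any post or of the Juniper documentation the thread refers to. The AS numbers, addresses, interface names, zone name and policy name are placeholders chosen for illustration.

```junos
# Constructed example: all names, AS numbers and addresses are placeholders.

# Install every equal-cost next hop in the forwarding table.
# The keyword is "per-packet", but traffic is balanced per flow.
set policy-options policy-statement ECMP-LB then load-balance per-packet
set routing-options forwarding-table export ECMP-LB

set routing-options autonomous-system 64500

# ISP-A: single-attached (non-reth) interface on node0.
set protocols bgp group ISP-A type external
set protocols bgp group ISP-A peer-as 64501
set protocols bgp group ISP-A neighbor 192.0.2.1
# multiple-as lets routes learned from different neighbour ASes be used together.
set protocols bgp group ISP-A multipath multiple-as
# BFD tears the session down quickly when the link or neighbour fails,
# so the route is withdrawn and traffic uses the remaining ISP.
set protocols bgp group ISP-A bfd-liveness-detection minimum-interval 1000
set protocols bgp group ISP-A bfd-liveness-detection multiplier 3

# ISP-B: single-attached (non-reth) interface on node1.
set protocols bgp group ISP-B type external
set protocols bgp group ISP-B peer-as 64502
set protocols bgp group ISP-B neighbor 198.51.100.1
set protocols bgp group ISP-B multipath multiple-as
set protocols bgp group ISP-B bfd-liveness-detection minimum-interval 1000
set protocols bgp group ISP-B bfd-liveness-detection multiplier 3

# Assumption: both uplinks sit in the same security zone so that one set of
# security policies applies whichever path a flow takes.
set security zones security-zone untrust interfaces ge-0/0/2.0
set security zones security-zone untrust interfaces ge-7/0/2.0
```

After commit, `show bgp summary`, `show bfd session` and `show route forwarding-table destination 0.0.0.0/0` show whether both sessions are up and whether both next hops were installed.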