Security

Hi Community,

Please find the attached image illustrating a sample high availability (HA) architecture using Juniper firewalls (SRX 345) across two sites.

Architecture Overview:

• Two sites (Site-1 and Site-2), each with a pair of Juniper firewalls(SRX 345) configured in Active/Standby HA clusters.

• Site-1 Active Firewall is connected directly to the Site-2 Active Firewall.

• Site-1 Standby Firewall is connected directly to the Site-2 Standby Firewall.

• Both HA pairs use interface monitoring for failover.

Observed Behavior:

• When a connectivity failure occurs between the Active Firewall and its local switch (e.g., link down at Site-1), the local HA pair correctly triggers a failover (Site-1 Standby becomes Active).

• However, the corresponding firewall at the remote site (e.g., Site-2) does not perform a failover in sync, and continues operating with the previously active unit.

Request:

Could anyone advise how to ensure that a failover at one site also triggers a synchronized failover at the other site, maintaining traffic flow consistency across both ends?

Any recommendations for best practices, configuration examples, or HA synchronization mechanisms would be greatly appreciated.

Hi Arun,

You have the answer to your own question in the details. Cluster Interface monitoring is just that... This will only trigger during a connectivity failure in the physical interfaces.

What you are looking for is IP Monitoring, which will allow you to monitor an endpoint for reachability and trigger a failover based on your configured weight.

Here is the article that addresses your needs in this situation...
https://www.juniper.net/documentation/us/en/software/junos/chassis-cluster-security-devices/topics/topic-map/security-chassis-cluster-ip-address-monitoring.html

Kind regards,

Gavin White

Hi Community,

Please find the attached image illustrating a sample high availability (HA) architecture using Juniper firewalls (SRX 345) across two sites.

Architecture Overview:

• Two sites (Site-1 and Site-2), each with a pair of Juniper firewalls(SRX 345) configured in Active/Standby HA clusters.

• Site-1 Active Firewall is connected directly to the Site-2 Active Firewall.

• Site-1 Standby Firewall is connected directly to the Site-2 Standby Firewall.

• Both HA pairs use interface monitoring for failover.

Observed Behavior:

• When a connectivity failure occurs between the Active Firewall and its local switch (e.g., link down at Site-1), the local HA pair correctly triggers a failover (Site-1 Standby becomes Active).

• However, the corresponding firewall at the remote site (e.g., Site-2) does not perform a failover in sync, and continues operating with the previously active unit.

Request:

Could anyone advise how to ensure that a failover at one site also triggers a synchronized failover at the other site, maintaining traffic flow consistency across both ends?

Any recommendations for best practices, configuration examples, or HA synchronization mechanisms would be greatly appreciated.

Dear Gavin,

Thank you for your response.

Yes, using IP monitoring does trigger failover. However, my goal is to initiate a failover in Site-1 based on a failover event in Site-2.

To achieve this, I planned to monitor the IP address of the Site-2 switch from the Site-1 firewall. However, the failover is not being triggered as expected on the Site-1 firewall.

Could you kindly advise the best path forward to accomplish this?

Hi Arun,

You have the answer to your own question in the details. Cluster Interface monitoring is just that... This will only trigger during a connectivity failure in the physical interfaces.

What you are looking for is IP Monitoring, which will allow you to monitor an endpoint for reachability and trigger a failover based on your configured weight.

Here is the article that addresses your needs in this situation...
https://www.juniper.net/documentation/us/en/software/junos/chassis-cluster-security-devices/topics/topic-map/security-chassis-cluster-ip-address-monitoring.html

Kind regards,

Gavin White

Hi Community,

Please find the attached image illustrating a sample high availability (HA) architecture using Juniper firewalls (SRX 345) across two sites.

Architecture Overview:

• Two sites (Site-1 and Site-2), each with a pair of Juniper firewalls(SRX 345) configured in Active/Standby HA clusters.

• Site-1 Active Firewall is connected directly to the Site-2 Active Firewall.

• Site-1 Standby Firewall is connected directly to the Site-2 Standby Firewall.

• Both HA pairs use interface monitoring for failover.

Observed Behavior:

• When a connectivity failure occurs between the Active Firewall and its local switch (e.g., link down at Site-1), the local HA pair correctly triggers a failover (Site-1 Standby becomes Active).

• However, the corresponding firewall at the remote site (e.g., Site-2) does not perform a failover in sync, and continues operating with the previously active unit.

Request:

Could anyone advise how to ensure that a failover at one site also triggers a synchronized failover at the other site, maintaining traffic flow consistency across both ends?

Any recommendations for best practices, configuration examples, or HA synchronization mechanisms would be greatly appreciated.