Honestly, this design could be better. Firewalls at one end should not have a failover in concert with the firewalls at the other end.
Will your firewalls support MNHA? I presume not, as these are low end.
Are the site-to-site links Layer 2?
Typically, some switching on the outside will help you; try to create an "outside" VLAN on the switches you already have.
------------------------------
JNCIE-ENT 907
------------------------------
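As an added illustration (not the replier's or Juniper's own configuration) of the "outside VLAN" suggestion above, here is what one site's SRX 345 cluster would look like in Junos: both nodes' outside links sit in a single reth interface on a switch VLAN, and interface-monitor on those child links drives the local redundancy group. Interface names, the VLAN, priorities, weights and addresses are assumptions; the point is that the reth address follows whichever node is primary, so the remote site never needs a coordinated failover.

```junos
## Assumed: node0 ge-0/0/1 and node1 ge-5/0/1 are the "outside" links, both
## patched into the same switch VLAN (assumed VLAN 100); reth0 is the outside
## interface. Priorities, weights and addresses are illustrative only.

## Chassis cluster basics (after the one-time cluster-id/node-id bootstrap)
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

## Fail RG1 over when the primary node's outside link goes down.
## A monitored-link failure with weight 255 reaches the RG threshold, so RG1
## moves to the other node and reth0 (same IP, same virtual MAC) comes up on
## that node's physical link.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/1 weight 255

## Bind both physical outside links to reth0 in RG1
set interfaces ge-0/0/1 gigether-options redundant-parent reth0
set interfaces ge-5/0/1 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 192.0.2.1/30

## reth0 lives in the untrust zone; the remote site peers with 192.0.2.1
## across the switched VLAN regardless of which node is primary.
set security zones security-zone untrust interfaces reth0.0
```

After committing, `show chassis cluster status` and `show chassis cluster interfaces` show the RG1 primary and the monitored-link state, which is where to confirm a local link loss moves reth0 without touching the other site.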
Original Message:
Sent: 09-18-2025 14:06
From: Anonymous
Subject: Juniper SRX Cluster Firewall Failover
This message was posted by a user wishing to remain anonymous
Hi Community,
Please find the attached image illustrating a sample high availability (HA) architecture using Juniper firewalls (SRX 345) across two sites.
Architecture Overview:
Two sites (Site-1 and Site-2), each with a pair of Juniper firewalls (SRX 345) configured in Active/Standby HA clusters.
Site-1 Active Firewall is connected directly to the Site-2 Active Firewall.
Site-1 Standby Firewall is connected directly to the Site-2 Standby Firewall.
Both HA pairs use interface monitoring for failover.
Observed Behavior:
When a connectivity failure occurs between the Active Firewall and its local switch (e.g., link down at Site-1), the local HA pair correctly triggers a failover (Site-1 Standby becomes Active).
However, the corresponding firewall at the remote site (e.g., Site-2) does not perform a failover in sync, and continues operating with the previously active unit.
Request:
Could anyone advise how to ensure that a failover at one site also triggers a synchronized failover at the other site, maintaining traffic flow consistency across both ends?
Any recommendations for best practices, configuration examples, or HA synchronization mechanisms would be greatly appreciated.
-------------------------------------------