Do the new SRX platforms support active/active HA mode similar to the current ScreenOS, or will this be on the road map? If on the road map, any speculation as to when? I would also like to know if true session synchronization will occur and allow asynchronous routing & session propagation. Thank you.
Active/Active is on the roadmap. But for first release it is not supported yet. It should be supported in the near future though.
Incidentally JSRP is pretty much A/A all the time as a cluster of two physical devices is treated as one logical device. JSRP uses Hobson-style box clustering which means both boxes are active at the same time. Conceptually it is quite different than ScreenOS NSRP.
Thanks for the clarification. I guess what I'm looking for specifically is regarding the session sync between the two physical devices. I want to make sure that when the SRX platform experiences asymmetric routing the packets will still be permitted through some mechanism.
At the current time, and on ScreenOS 6.1.0r1b.0, when two HA devices see a packet go out one firewall and return through another, the device that receives the packet recognises that the first firewall owns the VSD that created the initial session and sends the packet across accordingly. The problem is that the traffic never makes it across the HA data link. This is the solution that I'd like to see work either in ScreenOS or in JUNOS-ES, or perhaps even both, albeit a lofty request.
Actually JSRP (the JUNOS version of NSRP) does support the ability for traffic ingressing one box and destined for an interface on the peer device. It currently works on J-Series running JUNOS with Enhanced Services. But that functionality is not yet available on SRX. But as I mentioned before, it is on the roadmap.
A note about asymmetric routing. Typically this is not a good thing for a security device. The reason is that when a session is created it takes into account the ingress and egress interface in addition to source/dest IP/port. So if the traffic is asymmetric then it would not match an existing session. This can cause problems, particularly with TCP traffic. The reason is because TCP SYN checking is enabled by default and can deny SYN/ACK packets since they won't match the existing session. Therefore, if you do have asymmetric routing, the return traffic would generate a new session and TCP syn-check would need to be disabled. That is usually not best practice from a security point of view.
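The session-matching behaviour described in the post above, as an added illustration that is not part of the original thread and not Junos or ScreenOS code: a toy stateful session table keyed on source/destination IP and port plus ingress and egress interface, with a SYN-check option. The interface names and addresses are constructed for the example; the "asymmetric" case models the SYN/ACK arriving on an interface other than the one the forward flow left through, so the reverse lookup fails and the reply is either dropped (SYN check on) or becomes a second, unrelated session (SYN check off).

```python
"""Toy stateful-firewall session table showing why asymmetric return
traffic fails session matching. Constructed example, not vendor code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ingress: str          # interface the packet arrived on
    egress: str           # interface chosen by the route lookup
    syn: bool = False
    ack: bool = False


@dataclass
class Firewall:
    syn_check: bool = True
    # Session key for the forward direction: 4-tuple plus both interfaces.
    sessions: set = field(default_factory=set)
    log: list = field(default_factory=list)

    @staticmethod
    def _fwd_key(p: Packet):
        return (p.src, p.dst, p.sport, p.dport, p.ingress, p.egress)

    @staticmethod
    def _rev_key(p: Packet):
        # A reply matches only as the mirror image of the forward flow:
        # addresses/ports swapped AND interfaces swapped.
        return (p.dst, p.src, p.dport, p.sport, p.egress, p.ingress)

    def process(self, p: Packet) -> str:
        if self._fwd_key(p) in self.sessions or self._rev_key(p) in self.sessions:
            self.log.append("matched existing session")
            return "permit"
        # No session yet: this is a first packet. With SYN check enabled,
        # only a bare SYN may open a TCP session.
        if self.syn_check and not (p.syn and not p.ack):
            self.log.append("drop: non-SYN first packet with syn-check on")
            return "drop"
        self.sessions.add(self._fwd_key(p))
        self.log.append("new session created")
        return "permit"


def simulate(asymmetric: bool, syn_check: bool):
    """Return (verdict for client SYN, verdict for server SYN/ACK, session count)."""
    fw = Firewall(syn_check=syn_check)
    # Constructed addresses: client 10.0.0.5 reaches server 192.0.2.10 via
    # ingress ge-0/0/0 and egress ge-0/0/1.
    syn = Packet("10.0.0.5", "192.0.2.10", 40000, 443,
                 ingress="ge-0/0/0", egress="ge-0/0/1", syn=True)
    # Symmetric reply comes back in on ge-0/0/1; asymmetric reply arrives on
    # a different interface (ge-0/0/2), as when the return path uses the peer.
    reply_ingress = "ge-0/0/2" if asymmetric else "ge-0/0/1"
    synack = Packet("192.0.2.10", "10.0.0.5", 443, 40000,
                    ingress=reply_ingress, egress="ge-0/0/0", syn=True, ack=True)
    return fw.process(syn), fw.process(synack), len(fw.sessions)


if __name__ == "__main__":
    for asym, chk in [(False, True), (True, True), (True, False)]:
        print(f"asymmetric={asym} syn_check={chk} -> {simulate(asym, chk)}")
```

With SYN check on, the asymmetric SYN/ACK is dropped because the reverse key includes the interfaces; with SYN check off it is permitted but only by opening a second session, which is exactly the trade-off the post warns about.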
Active/Active for SRX (SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices) is now supported (JunOS 9.5)
See this link for more info:
Thank you for the information!
FYI, from what I have seen thus far, Active/Active on the SRXs (JSRP) is significantly different from Active/Active on the Netscreens (NSRP).
No matter how you configure HA with JSRP, only one routing instance will be active at any time, and it controls the forwarding on both cluster members. The '/Active' part of JSRP seems to refer only to the fact that data packets can traverse the passive RG0 cluster member, whose forwarding table is built by the active RG0 cluster member.
From the NSRP world I had always thought of Active/Active as two (or more) highly available routing instances running on the cluster, one on each cluster member in the normal state. From this perspective 'Active/Active' in JSRP is more like an extended chassis than Active/Active from the NSRP world.
Anyone got any kb or doc links to share on this?
On Page 41, here's the link: