SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX Active\Active

    Posted 10-02-2008 20:43

    Do the new SRX platforms support active\active HA mode similar to the current ScreenOS or will this be on the road map? If on the road map, any speculation as to when? I would also like to know if true session synchronization will occur and allow asynchronous routing & session propagation. Thank you.



  • 2.  RE: SRX Active\Active

    Posted 10-03-2008 16:05

    Active/Active is on the roadmap. But for first release it is not supported yet. It should be supported in the near future though.

     

    Incidentally JSRP is pretty much A/A all the time as a cluster of two physical devices is treated as one logical device. JSRP uses Hobson-style box clustering which means both boxes are active at the same time. Conceptually it is quite different than ScreenOS NSRP. 

     

    -Richard



  • 3.  RE: SRX Active\Active

    Posted 10-07-2008 07:06

    rkim,

     

    Thanks for the clarification. I guess what I'm looking for specifically is regarding the session sync between the two physical devices. I want to make sure that when the SRX platform experiences asymmetric routing the packets will still be permitted through some mechanism. 

     

    At the current time, and on ScreenOS 6.1.0r1b.0, when two HA devices see a packet go out one firewall and return through another, the device that receives the packet recognises that the first firewall owns the VSD that created the initial session and sends the packet across accordingly. The problem is that the traffic never makes it across the HA data link. This is the solution that I'd like to see work either in ScreenOS or in JUNOS-ES, or perhaps even both, albeit a lofty request.



  • 4.  RE: SRX Active\Active

    Posted 10-07-2008 23:24

    Actually JSRP (the JUNOS version of NSRP) does support the ability for traffic ingressing one box and destined for an interface on the peer device. It currently works on J-Series running JUNOS with Enhanced Services. But that functionality is not yet available on SRX. But as I mentioned before, it is on the roadmap.

     

    A note about asymmetric routing. Typically this is not a good thing for a security device. The reason is that when a session is created it takes into account the ingress and egress interface in addition to source/dest IP/port. So if the traffic is asymmetric then it would not match an existing session. This can cause problems particularly with TCP traffic. The reason is because TCP syn checking is enabled by default and can deny SYN/ACK packets since it won't match the existing session. Therefore if you do have asymmetric routing the return traffic would generate a new session and TCP syn-check would need to be disabled. That is usually not best practice from a security point of view.

     

    -Richard
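The session-matching behaviour Richard describes above (session keyed on ingress/egress interface plus addresses and ports, SYN check rejecting a SYN/ACK that matches no session, and disabling SYN check letting the return packet create a fresh session) is small enough to model directly. The following is an added example written for this thread, not code from Juniper or from any poster: a toy stateful firewall pair with constructed interface names, addresses and routes. It also shows the alternative the thread is asking for, copying the session table to the peer before the return packet arrives, so that the asymmetric path is permitted without turning SYN checking off.

```python
"""Toy model of stateful session matching under asymmetric routing.

Added example for this thread; not Junos/ScreenOS code. All names,
addresses, ports and routes below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# (src_ip, src_port, dst_ip, dst_port, ingress_if, egress_if)
SessionKey = Tuple[str, int, str, int, str, str]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str]   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    in_if: str              # interface the packet arrived on


class Firewall:
    """Minimal stateful firewall. All traffic is assumed to be TCP, so the
    session key is the 4-tuple plus the ingress and egress interfaces."""

    def __init__(self, name: str, routes: Dict[str, str], syn_check: bool = True):
        self.name = name
        self.routes = routes            # dst_ip -> egress interface (constructed)
        self.syn_check = syn_check
        self.sessions: Dict[SessionKey, str] = {}
        self.log: List[str] = []

    def _key(self, pkt: Packet, out_if: str) -> SessionKey:
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.in_if, out_if)

    def _install(self, pkt: Packet, out_if: str) -> None:
        # Install both directions: the reply enters on out_if and leaves on in_if.
        fwd = self._key(pkt, out_if)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, out_if, pkt.in_if)
        self.sessions[fwd] = "established"
        self.sessions[rev] = "established"

    def process(self, pkt: Packet) -> str:
        out_if = self.routes[pkt.dst_ip]
        key = self._key(pkt, out_if)
        if key in self.sessions:
            self.log.append(f"{self.name}: matched existing session -> permit")
            return "permit"
        # No session: with SYN check on, only a bare SYN may open one.
        if self.syn_check and pkt.flags != frozenset({"SYN"}):
            self.log.append(f"{self.name}: no session and flags={sorted(pkt.flags)} -> drop")
            return "drop"
        self._install(pkt, out_if)
        self.log.append(f"{self.name}: created new session {key} -> permit")
        return "permit"


def sync_sessions(src: Firewall, dst: Firewall) -> None:
    """Stand-in for HA session synchronisation: copy src's table to dst."""
    dst.sessions.update(src.sessions)


# Constructed topology: both firewalls route the same two hosts the same way.
ROUTES = {"10.0.0.10": "trust", "203.0.113.5": "untrust"}


def run_scenario(asymmetric: bool, syn_check: bool, session_sync: bool = False):
    """Client 10.0.0.10 opens a TCP connection through fw-a; the SYN/ACK
    returns through fw-b if asymmetric, otherwise through fw-a.
    Returns (verdicts, fw_a, fw_b) so the session tables can be inspected."""
    fw_a = Firewall("fw-a", ROUTES, syn_check)
    fw_b = Firewall("fw-b", ROUTES, syn_check)
    syn = Packet("10.0.0.10", 40000, "203.0.113.5", 443, frozenset({"SYN"}), "trust")
    synack = Packet("203.0.113.5", 443, "10.0.0.10", 40000,
                    frozenset({"SYN", "ACK"}), "untrust")

    verdicts = [fw_a.process(syn)]
    if session_sync:
        sync_sessions(fw_a, fw_b)
    return_path = fw_b if asymmetric else fw_a
    verdicts.append(return_path.process(synack))
    return verdicts, fw_a, fw_b


if __name__ == "__main__":
    for args in [(False, True), (True, True), (True, False), (True, True, True)]:
        verdicts, fw_a, fw_b = run_scenario(*args)
        print(f"asymmetric={args[0]} syn_check={args[1]} "
              f"sync={len(args) > 2}: {verdicts}")
        for line in fw_a.log + fw_b.log:
            print("   ", line)
```

Running it shows the four cases: symmetric traffic is permitted both ways; asymmetric traffic with SYN check on drops the SYN/ACK at fw-b; disabling SYN check permits it but only by opening a second, unrelated session on fw-b from a mid-handshake packet (this is the trade-off Richard calls bad practice); and synchronising sessions to the peer permits the asymmetric reply while keeping SYN check on. The model ignores the VSD ownership and HA data-link forwarding the thread discusses, which is why `sync_sessions` is labelled a stand-in.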



  • 5.  RE: SRX Active\Active
    Best Answer

    Posted 05-17-2009 04:43

    Active/Active for SRX (SRX 3400, SRX 3600, SRX 5600, and SRX 5800 devices) is now supported (JunOS 9.5)

     

    See this link for more info:

    http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-collections/release-notes/9.5/srx-series-new-features.html#rn-junos-srx-new-features


    #HA
    #SRX


  • 6.  RE: SRX Active\Active

    Posted 05-27-2009 08:22

    gr33ndata,

     

    Thank you for the information!



  • 7.  RE: SRX Active\Active

    Posted 06-10-2009 18:34

    Do you guys have any technical documentation for active/active configuration?


  • 8.  RE: SRX Active\Active

    Posted 07-28-2009 11:40

    FYI, from what I have seen thus far Active/Active on the SRXs (JSRP) is significantly different from Active/Active on the NetScreens (NSRP).

     

    No matter how you configure HA with JSRP only 1 routing instance will be active at any time and it controls the forwarding on both cluster members.  The '/Active' part of JSRP seems to refer only to the fact that data packets can traverse the passive RG0 cluster member whose forwarding-table is built by the active RG0 cluster member.

     

    From the NSRP world I had always thought of Active/Active as two (or more) highly available routing instances running on the cluster, one on each cluster member in the normal state.  From this perspective 'Active/Active' in JSRP is more like an extended chassis than Active/Active from the NSRP world.



  • 9.  RE: SRX Active\Active

    Posted 08-06-2012 21:14

    Anyone got any kb or doc links to share on this?

     

    On Page 41, here's the link:

    http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/SRX%20High%20Availability%20Deployment%20Guide.pdf