Friday, 9 November 2012

High Availability - SRX Active/Active Configuration

In this post I will configure two SRX240s in an Active/Active chassis cluster. This exercise will build on the configuration and concepts from the previous post High Availability - SRX Active/Passive Configuration.

The diagram below outlines the physical connections. This exercise assumes the specific firewall rules are configured for needed access between nodes. Also this exercise will contain configuration from the previous post (such as enabling the chassis cluster, previous interfaces and redundancy groups etc.).

The diagram below outlines the logical configuration. Two redundancy groups will be used for the data plane in order to have both SRX units participate in forwarding traffic.

Active/Active Configuration

1. Existing Configuration Recap
As mentioned earlier please reference the earlier post High Availability - SRX Active/Passive Configuration if you have not already. This exercise and configuration builds off of the configuration done in this post.

2. Configure Additional Redundancy Group
In this step an additional redundancy group (redundancy group 2) is created. The node priorities are updated so that node0 will be primary for redundancy group 2 and node1 will be primary for redundancy group 1. See the screenshot below for command details.

3. Configure Additional RETH Interfaces
Additional RETH interfaces are needed for the additional networks that we will be configuring. The RETH count will also need to be updated to reflect the additional two RETH interfaces added. As was done in the previous post, IP addresses are also assigned to the RETH interfaces. See the screenshot below for command details.

4. Configure Interface Monitoring for Redundancy Group 2
Interface monitoring is configured in the same fashion as it is for redundancy group 1. Any single interface failure will result in the associated nodes priority changing to 0 resulting in a failover. See the screenshot below for command details.

Verification & Testing

1. Verify Chassis Cluster
The following commands can be used to verify chassis cluster operation and current state.

The command 'show chassis cluster status' can be used to view the cluster status. We can confirm that node0 is primary for redundancy group 2 and node1 is primary for redundancy group 1.

The command 'show chassis cluster interfaces' can be used to view the status of monitored interfaces.

2. Test Failover - Interface Monitoring
Testing failover would be the same as the steps completed in the previous post with the addition of a new redundancy group. Please reference High Availability - SRX Active/Passive Configuration for details.

Traffic Flow
In an active/passive design traffic flow is very deterministic. All data traffic flows through the active SRX regardless of what the source and destination networks are. This is not the case in an active/active design. In an active/active design traffic may flow through a single SRX or from one SRX to another via the fabric link. The following traffic examples outline two examples, one traffic flow through a single SRX and another traffic flow through both SRX devices.

1. Flow Within a Single SRX Device
The following diagram depicts a traffic flow in red. In this example the traffic source is and the traffic destination is In this example traffic only flows through SRX-A as SRX-A is primary for Redundancy Group 2 and RETH2 and RETH3 are members of this Redundancy Group.

2. Flow Traversing both SRX Device
The following diagram depicts a different traffic flow in red. In this example the traffic source is and the traffic destination is In this example traffic flows through SRX-B and SRX-A as RETH0 and RETH3 are members of different Redundancy Groups and each SRX is primary for one of the Redundancy Groups. When traffic flows from one SRX to another the fabric link is used.


The following graphic builds on the previous post's conceptual diagram adding the new elements for the Active/Active configuration.

Since both SRX units cannot both be active for a single network segment or RETH interface a better term of describing the Active/Active configuration on an SRX (in my opinion) would be 'load sharing' configuration. In the next post I will be configuring a HA Cluster utilizing link aggregation and dual fabric links.


  1. Hi Stefan,
    I tried to do that and it worked fine. I want to ask you something, In this scenario, Am I available to do load balancing automatically? Let me explain you more about this, I have two vlans: vlan-99 and vlan-100 on trust security zone. I have two ISP connections on untrust. Can I configure the vlan-99 goes through FW-A and vlan-100 goes through FW-B? If so, help me or share any example. In advace, thank so much.
    Romer Medrano, from Bolivia.
    Take care.

  2. Hi Romer,

    This is a good question as this blog post doesn't really focus on Internet traffic (more HA and reachability between locally connected subnets).

    It all comes down to routing when thinking about what path an internal subnet would take to get to the internet. This is the same if the ISP connections are using RETH interfaces (as in this post) or if they are directly attacked to one SRX (this is commonly referred to as Mixed Mode HA).

    Using the topology in this post I could simply make ISP1 or ISP2 active by configuring a default route. I could also use the second ISP as a backup by configuring an additional default route with the statement ‘qualified-next-hop’ so that I could ensure it was only used if the primary ISP/default route was available.

    To do something like you are asking we would need to take it a step further and use Filter Based Forwarding with multiple routing instances. In this configuration you would create an additional routing-instance. Then you could specify ISP1 as the default route for routing-instance1 and ISP2 could be the default route for ISP2. Firewall filters can then be configured on the LAN side interfaces to route traffic by one routing-instance or the other based on source-ip (vlan). I have done this configuration and it works well. You can also use qualified-next-hop on both routing instances so that if one ISP fails all traffic will use the other.
    I would suggest googling something like ‘filter based forwarding + dual isp’ as I know this is a somewhat documented design option. I can do a blog write up on this topic if you wish as I think it is a common request.

    Hopefully this helps,

  3. Can this setup (or the Active/Passive one) do single-armed firewall? E.g. instead of creating separate reth2 and reth0, the 192.168 IP addresses would be configured on VLANs on reth1/reth3, with other VLANs for 100.100.100 and 200.200.200 IPs.

    1. Hi,
      You could configure multiple VLANs on a RETH using sub-interfaces. This would allow you to to have multiple VLANs use a single link. For the HA options above you could use a single RETH and have all of the VLANs configured as sub interfaces. This would allow each SRX to only require one connection.

      Does that answer your question?