We are preparing to roll out MNHA on two SRX4600s; ours will be in routing mode, but presumably switch mode will have the same basic requirements.

We saw the same thing initially, where the second unit was not showing the session. For the session replication to work as expected, the interfaces, zone names, etc. have to be the same on both units. I.e., if on SRX1 you have et-0/0/0 == ZoneA and et-0/0/1 == Zone B, and on SRX2 you have et-0/0/0 == ZoneA and et-0/0/2 == Zone B, only Zone A will automagically replicate sessions.

Pretty nifty tech, fingers crossed that production goes as well as our lab testing.

-Eric

On Mon, Aug 4, 2025 at 11:40 AM Aaron Gould via juniper-nsp <[email protected]> wrote:

> I have (2) SRX2300 firewalls in the switching/default gateway MNHA
> mode. Anyone know why I'm not seeing sessions synchronized to the
> backup srx? Am I correct that active/backup provides for session state
> to be sent to backup for hitless failover?
>
> They both run current JTAC recommended 23.4R2-S5.5
>
> They both have exact same interfaces for untrust, trust and ha-link zones
>
> Let me know if you need any more info from me to assist with tshoot.
>
> root@srx01> show chassis high-availability information | grep "status|group|state"
>     Node Status: ONLINE
>     Encrypted: NO Conn State: UP
>     Cold Sync Status: COMPLETE
>     Services Redundancy Group: 0
>     Current State: ONLINE
>     Services Redundancy Group: 1
>     Status: ACTIVE
>     Process Packet In Backup State: NO
>     Control Plane State: READY
>     Status : BACKUP
>     Health Status: HEALTHY
>
> root@srx02> show chassis high-availability information | grep "status|group|state"
>     Node Status: ONLINE
>     Encrypted: NO Conn State: UP
>     Cold Sync Status: COMPLETE
>     Services Redundancy Group: 0
>     Current State: ONLINE
>     Services Redundancy Group: 1
>     Status: BACKUP
>     Process Packet In Backup State: NO
>     Control Plane State: READY
>     Status : ACTIVE
>     Health Status: HEALTHY
>
> nothing seen on backup....
>
> ==============================================================
>
> root@srx01> show security flow session destination-prefix 12.0.1.28
>
> Session ID: 718626, Policy name: default-permit/5, HA State: Active, Timeout: 1800, Session State: Valid
>
>   In: 192.168.11.5/37862 --> 12.0.1.28/23;tcp, Conn Tag: 0x0, If: ae2.0, Pkts: 123, Bytes: 5014, HA Wing State: Active,
>
>   Out: 12.0.1.28/23 --> 123.123.123.226/9616;tcp, Conn Tag: 0x0, If: ae1.0, Pkts: 112, Bytes: 10648, HA Wing State: Active,
>
> Total sessions: 1
>
> ==============================================================
>
> root@srx02> show security flow session destination-prefix 12.0.1.28
>
> Total sessions: 0
>
> root@srx02> show security flow session session-state ?
>
> Possible completions:
>
>   active-warm          MNHA session with one active wing and one warm wing
>
>   backup               L2 HA backup session
>
>   warm                 L3 HA warm session
>
> root@srx02> show security flow session session-state active-warm
>
> Total sessions: 0
>
> root@srx02> show security flow session session-state backup
>
> Total sessions: 0
>
> root@srx02> show security flow session session-state warm
>
> Total sessions: 0
>
> --
> -Aaron
>
> _______________________________________________
> juniper-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/juniper-nsp

--
Eric Harrison
Network Services
Cascade Technology Alliance / Multnomah Education Service District
office: 503-257-1554 cell: 971-998-6249 NOC 503-257-1510
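Eric's reply above ties session replication to the interface-to-zone bindings matching on both nodes. As an added example (not from the thread or from Juniper), this Python script compares those bindings across two nodes; it assumes each node's config was saved from `show configuration security zones | display set`, and the two sample configs are constructed to mirror the ZoneA/ZoneB case in the reply.

```python
import re

# Matches "set security zones security-zone <zone> interfaces <ifname> ..."
# lines as they appear in display-set output.
ZONE_IF = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")

def zone_bindings(display_set_text):
    """Return {zone: set(interfaces)} parsed from display-set output."""
    zones = {}
    for line in display_set_text.splitlines():
        m = ZONE_IF.match(line.strip())
        if m:
            zones.setdefault(m.group(1), set()).add(m.group(2))
    return zones

def compare_nodes(cfg_a, cfg_b):
    """Return {zone: (ifs_only_on_a, ifs_only_on_b)} for zones that differ."""
    a, b = zone_bindings(cfg_a), zone_bindings(cfg_b)
    diffs = {}
    for zone in sorted(set(a) | set(b)):
        ifs_a, ifs_b = a.get(zone, set()), b.get(zone, set())
        if ifs_a != ifs_b:
            diffs[zone] = (sorted(ifs_a - ifs_b), sorted(ifs_b - ifs_a))
    return diffs

# Constructed sample configs (not taken from the thread).
SRX1 = """\
set security zones security-zone ZoneA interfaces et-0/0/0.0
set security zones security-zone ZoneA host-inbound-traffic system-services ping
set security zones security-zone ZoneB interfaces et-0/0/1.0
"""
SRX2 = """\
set security zones security-zone ZoneA interfaces et-0/0/0.0
set security zones security-zone ZoneB interfaces et-0/0/2.0
"""

if __name__ == "__main__":
    for zone, (only_a, only_b) in compare_nodes(SRX1, SRX2).items():
        print(f"{zone}: only on node A {only_a}, only on node B {only_b}")
```

A zone that appears in the result has bindings that differ between the nodes; an empty result means every zone is bound to the same interfaces on both.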

