When configured in NAT mode, an MX security appliance is commonly used as a network gateway, performing inter-VLAN routing and handling traffic bound for the Internet. To achieve redundancy, a secondary MX can be added to Dashboard as a warm spare, allowing it to share the primary MX's configuration and seamlessly take over in the event of a device failure. This configuration is commonly referred to as High Availability NAT (NAT HA).
This article outlines common troubleshooting steps and best practices for NAT HA configurations.
Note: For more information about NAT HA, including configuration steps and use cases, please refer to our documentation.
When configuring NAT HA, it is critical that both MXes have a reliable connection to each other on the LAN, so the Primary MX's VRRP heartbeats can be seen reliably by the Spare. To ensure this connection is reliable:
The following considerations should also be kept in mind:
Note: The secondary MX must be the same MX model as the primary. Warm spare functionality is not supported between different MX models (e.g. MX80 & MX100).
If there is a problem with the NAT HA configuration, the network may show a variety of symptoms, and it may not be obvious that NAT HA is the root cause. This section outlines what issues with HA typically look like, as well as recommended troubleshooting steps.
The most common sign of a problem with NAT HA is a Dual Master scenario, where both the Primary and Spare MX report in Dashboard as being Active (master). This can be observed in Dashboard under Security appliance > Monitor > Appliance status by comparing the current state of each appliance.
This will occur if the Primary MX is online and sending heartbeats that aren't seen by the Spare, resulting in the Spare thinking that the Primary is down. This is usually the result of having a non-direct connection between the two MXes, which can cause problems with the VRRP heartbeats reliably reaching the spare.
If both the Primary and Spare are in the master state, this will cause various issues with the network, affecting DHCP, routing, VPN, etc.
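The Dual Master condition described above can also be confirmed from a LAN packet capture. The following is an added example, not Meraki code: it assumes the heartbeats appear as standard VRRP advertisements (IP protocol 112) and takes (timestamp, raw IPv4 packet) pairs as input; the function names, addresses, VRIDs and thresholds are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

VRRP_PROTO = 112  # IP protocol number assigned to VRRP

def parse_vrrp(ip_packet):
    """Return (source IP, VRID) for a VRRP advertisement, else None."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    if ihl < 20 or ip_packet[9] != VRRP_PROTO or len(ip_packet) < ihl + 2:
        return None
    if ip_packet[ihl] & 0x0F != 1:            # low nibble: type 1 = advertisement
        return None
    return str(ipaddress.IPv4Address(ip_packet[12:16])), ip_packet[ihl + 1]

def find_dual_masters(packets, window=5.0, min_overlaps=3):
    """Return {vrid: [sources]} where two sources kept advertising in turn;
    a clean failover (one stops, the other starts) is not reported."""
    last_seen = defaultdict(dict)   # vrid -> {source: last advertisement time}
    overlaps = defaultdict(int)     # (vrid, source pair) -> interleaved adverts
    for ts, raw in sorted(packets, key=lambda p: p[0]):
        parsed = parse_vrrp(raw)
        if parsed is None:
            continue
        src, vrid = parsed
        prev = last_seen[vrid].get(src)
        if prev is not None and ts - prev <= window:
            for other, seen in last_seen[vrid].items():
                if other != src and seen > prev:   # peer spoke in between
                    overlaps[(vrid, tuple(sorted((src, other))))] += 1
        last_seen[vrid][src] = ts
    flagged = defaultdict(set)
    for (vrid, pair), count in overlaps.items():
        if count >= min_overlaps:
            flagged[vrid].update(pair)
    return {vrid: sorted(srcs) for vrid, srcs in flagged.items()}

def build_packet(src, vrid):
    """Constructed test packet: IPv4 header + VRRP header, checksums zeroed."""
    header = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 255, VRRP_PROTO, 0, 0])
    header += ipaddress.IPv4Address(src).packed
    header += ipaddress.IPv4Address("224.0.0.18").packed
    return header + bytes([0x21, vrid, 100, 0, 0, 1, 0, 0])

# Constructed capture: VRID 10 has two live masters, VRID 20 fails over cleanly.
SAMPLE = ([(t, build_packet("192.168.10.2", 10)) for t in (0, 1, 2, 3)]
          + [(t + 0.5, build_packet("192.168.10.3", 10)) for t in (0, 1, 2)]
          + [(t, build_packet("192.168.20.2", 20)) for t in (0, 1)]
          + [(t, build_packet("192.168.20.3", 20)) for t in (4, 5, 6)])
```

Interleaved advertisements only show up at a capture point that both appliances' heartbeats reach, so the result depends on where on the LAN the capture is taken.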
If network issues are occurring that appear to be related to NAT HA, the following troubleshooting steps should be taken to identify the root cause: