Hi,
Our Juniper SSG-520 firewall pair were generating critical alarms that they were out of sync configuration-wise via NSRP. NSRP (NetScreen Redundancy Protocol) provides high availability similar to VRRP.
I turned off NSRP and tried to manually configure the backup Juniper firewall, but it wasn’t playing ball, so rather than erase the configuration and start again I found another method via NSRP.
To resolve the NSRP sync issue I ran the following commands on the backup Juniper firewall:
exec nsrp sync global-config check-sum – Confirms if firewalls are unsynchronised.
exec nsrp sync global-config save (Followed by a reboot) – Resynchronises configuration.
After the reboot the configurations were identical except for some of the policy security rules which were in the wrong order on the backup Juniper firewall.
CheerZ
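
A check for the policy-order mismatch noted after the reboot, as an added example that is not part of the original post: it compares the sequence of policy definitions per zone pair in the saved configuration of each NSRP member. The two sample configs are constructed, and the script assumes each export lists policies in the order the firewall evaluates them.

```python
import re
from collections import defaultdict

# Constructed sample exports (not from the original post). Assumption: each
# member's saved config lists policies in the order they are evaluated.
PRIMARY_CFG = '''\
set policy id 3 from "Trust" to "Untrust"  "Any" "blocked-hosts" "ANY" deny log
set policy id 3
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 7 from "Untrust" to "DMZ"  "Any" "web-srv" "HTTP" permit
'''
BACKUP_CFG = '''\
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 3 from "Trust" to "Untrust"  "Any" "blocked-hosts" "ANY" deny log
set policy id 7 from "Untrust" to "DMZ"  "Any" "web-srv" "HTTP" permit
'''

# Matches the line that defines a policy. The bare "set policy id N" context
# lines have no from/to zones, so they are skipped.
POLICY_RE = re.compile(
    r'^set policy id (\d+)(?: name "[^"]*")? from "([^"]+)" to "([^"]+)"')

def policy_order(cfg_text):
    """Return {(from_zone, to_zone): [policy ids in order of appearance]}."""
    order = defaultdict(list)
    for line in cfg_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            order[(m.group(2), m.group(3))].append(int(m.group(1)))
    return dict(order)

def order_drift(primary_cfg, backup_cfg):
    """Return the zone pairs whose policy sequence differs between exports."""
    p, b = policy_order(primary_cfg), policy_order(backup_cfg)
    drift = {}
    for pair in sorted(set(p) | set(b)):
        pri, bak = p.get(pair, []), b.get(pair, [])
        if pri != bak:
            # reordered_only: same rule ids on both sides, different sequence
            drift[pair] = {"primary": pri, "backup": bak,
                           "reordered_only": sorted(pri) == sorted(bak)}
    return drift

if __name__ == "__main__":
    for pair, d in order_drift(PRIMARY_CFG, BACKUP_CFG).items():
        kind = "reordered" if d["reordered_only"] else "rule set differs"
        print(f"{pair[0]} -> {pair[1]}: {kind}: "
              f"primary={d['primary']} backup={d['backup']}")
```

In the constructed sample the backup evaluates the permit-any rule before the deny rule, which is why a pure reordering is worth flagging even when both members hold the same set of rules.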