
Author Topic: Juniper Firewall SSG-520 NSRP Sync Issue  (Read 6743 times)


Offline Flintstone

Juniper Firewall SSG-520 NSRP Sync Issue
« on: March 07, 2011, 03:08:32 PM »
Hi,

Our Juniper SSG-520 firewall pair were generating critical alarms that they were out of sync configuration-wise via NSRP. NSRP (NetScreen Redundancy Protocol) provides high availability similar to VRRP.

I turned off NSRP and tried to manually configure the backup Juniper firewall, but it wasn’t playing ball, so rather than erase the configuration and start again, I found another method via NSRP.

To resolve the NSRP sync issue I ran the following commands on the backup Juniper firewall:

exec nsrp sync global-config check-sum – Confirms if firewalls are unsynchronised.

exec nsrp sync global-config save (Followed by a reboot) – Resynchronises configuration.

After the reboot the configurations were identical except for some of the policy security rules which were in the wrong order on the backup Juniper firewall.

CheerZ
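
The post-resync check described above (policy rules ending up in a different order on the backup), as an added example that is not part of the original post. It assumes each unit's configuration has been saved as text with `get config`, that policies are listed in evaluation order, and that each policy opens with a `set policy id N ... from "zone" to "zone"` line; the two sample configurations are constructed.

```python
import re

# Opening line of a policy in saved ScreenOS config text (assumed layout), e.g.
#   set policy id 12 from "Trust" to "Untrust" "Any" "Any" "HTTP" permit
POLICY_RE = re.compile(
    r'^set policy id (\d+)(?: name "[^"]*")? from "([^"]+)" to "([^"]+)"')

# Constructed sample configs: same rules, but on the backup the deny (id 4)
# sits below the permit-any (id 2), so first-match evaluation never reaches it.
MASTER_CFG = '''set policy id 1 from "Trust" to "Untrust" "Any" "Any" "DNS" permit
set policy id 1
exit
set policy id 4 from "Trust" to "Untrust" "10.0.0.0/8" "Any" "ANY" deny log
set policy id 2 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 3 from "Untrust" to "DMZ" "Any" "web1" "HTTP" permit
'''
BACKUP_CFG = '''set policy id 1 from "Trust" to "Untrust" "Any" "Any" "DNS" permit
set policy id 2 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 4 from "Trust" to "Untrust" "10.0.0.0/8" "Any" "ANY" deny log
set policy id 3 from "Untrust" to "DMZ" "Any" "web1" "HTTP" permit
'''

def policy_order(config_text):
    """Return {(from_zone, to_zone): [policy ids in listed order]}."""
    order = {}
    for line in config_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:  # bare "set policy id N" / "exit" lines do not match
            order.setdefault((m.group(2), m.group(3)), []).append(int(m.group(1)))
    return order

def compare_policy_order(master_cfg, backup_cfg):
    """List zone pairs whose policies differ in membership or in order."""
    master, backup = policy_order(master_cfg), policy_order(backup_cfg)
    findings = []
    for zones in sorted(set(master) | set(backup)):
        m_ids, b_ids = master.get(zones, []), backup.get(zones, [])
        if set(m_ids) != set(b_ids):
            findings.append((zones, "missing-or-extra", m_ids, b_ids))
        elif m_ids != b_ids:
            findings.append((zones, "reordered", m_ids, b_ids))
    return findings

if __name__ == "__main__":
    for zones, kind, m_ids, b_ids in compare_policy_order(MASTER_CFG, BACKUP_CFG):
        print(f"{zones[0]} -> {zones[1]}: {kind}; master={m_ids} backup={b_ids}")
```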


Offline Michael McNamara

Re: Juniper Firewall SSG-520 NSRP Sync Issue
« Reply #1 on: March 08, 2011, 07:31:40 AM »
I've never heard of NSRP until today... thanks for sharing!

Offline Flintstone

Re: Juniper Firewall SSG-520 NSRP Sync Issue
« Reply #2 on: March 09, 2011, 11:15:46 AM »

NSRP is a little bit different than VRRP as you only configure the one IP address per interface (which acts as the physical and virtual IP) and the big difference is that the configuration is also synchronised. The failover is very similar to VRRP and preempt is also an option. Note - For NSRP to function, you must cable the Juniper firewalls together in a 'full-mesh configuration'.

CheerZ