Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  NSRP cluster is out of sync

    Posted 12-16-2014 13:08

    I have two SSG 550 firewalls configured to be in NSRP cluster.

     

    Now they became out of sync, i.e.  'exec nsrp sync global-config check-sum' reports 'configuration out of sync'.

     

    I've manually compared the configs - there are a lot of differences between them, including policies, services, etc.

     

    So to sync configs I did:

     

    'exec nsrp sync global save'

     

    But after the reboot the config remained the same, i.e. it didn't sync from the primary node.

     

    The 'get nsrp' command shows that both nodes are available and the HA interfaces are up.

     

    What can be the issue here?

     

    Thanks,

    Best regards,

    Roman



  • 2.  RE: NSRP cluster is out of sync

    Posted 12-16-2014 14:06

    What version of code?  Also, what is different between the configs after trying to sync them?  Did you receive a message to reboot the device?



  • 3.  RE: NSRP cluster is out of sync

    Posted 12-16-2014 16:12

    FW02(M)-> get system version
    Encoding: 1
    Version: 6.3.0.1.0.0.0.0
    DM Version: 1

     

    Difference is the same as before trying to sync.

     

    Yes, I did receive a prompt to reboot the system. And I did reset after it.



  • 4.  RE: NSRP cluster is out of sync

    Posted 12-16-2014 17:35

    I have seen sync issues due to licenses.  Can you provide the output of the following commands from both devices

    get system

    get license



  • 5.  RE: NSRP cluster is out of sync

    Posted 12-17-2014 07:20

    The thing is that there were no problems before.

     

    FW02(M)-> get system
    Product Name: SSG-550M
    Serial Number: <serial number>, Control Number: 00000000
    Hardware Version: REV 12(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
    Software Version: 6.3.0r11.0, Type: Firewall+VPN
    Feature: AV-K
    BOOT Loader Version: 1.0.7
    Compiled by build_master at: Wed Mar 28 22:01:24 PDT 2012
    Base Mac: <mac address>
    File Name: screenos_image, Checksum: 90fd1c02
    , Total Memory: 1024MB

    Date 12/17/2014 10:15:57, Daylight Saving Time enabled
    The Network Time Protocol is Enabled
    Up 169 hours 28 minutes 13 seconds Since 10Dec2014:08:47:44
    Total Device Resets: 1, Last Device Reset at: 11/29/2011 06:02:09

    System in NAT/route mode.

     

     

    FW02(M)-> get license
    Model: Advanced
    Sessions: 256064 sessions
    Capacity: unlimited number of users
    NSRP: ActiveActive
    VPN tunnels: 2048 tunnels
    Vsys: None
    Vrouters: 16 virtual routers
    Zones: 60 zones
    VLANs: 150 vlans
    Drp: Enable
    Deep Inspection: Enable
    Deep Inspection Database Expire Date: Disable
    Signature pack: Signature update key is missing
    IDP: Disable
    AV: Disable(0)
    Anti-Spam: Disable(0)
    Url Filtering: Disable



  • 6.  RE: NSRP cluster is out of sync

    Posted 12-17-2014 09:32

    I would recommend opening a JTAC case for this.  It looks like it might be more complex and require additional debugs than what can be provided here.



  • 7.  RE: NSRP cluster is out of sync

    Posted 12-19-2014 18:54

    You can step through these tests for config sync in NSRP from KB9817.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB9817



  • 8.  RE: NSRP cluster is out of sync
    Best Answer

    Posted 12-22-2014 07:21

    I've updated ScreenOS to version 6.3.0r18.0 (reason for update was different) and now configs are in sync.