ScreenOS Firewalls (NOT SRX)
Big_Vi

OSPF external 1 (E1) and external 2 (E2) are no more propagated after a failover


Hi Community,

 

I've set up a firewall cluster with the following characteristics:

  • ScreenOS 6.1r5
  • Cluster in Active/Passive NSRP mode with route sync
  • All interfaces are in the same OSPF area
  • I receive OSPF external type 1 & 2 (E1, E2) routes + intra-area routes (O)
  • Initially the master firewall knows all routes: O, E1, E2
  • Initially the backup firewall knows all routes (backup): Ob, E1b, E2b


Now the problem

1. The master firewall fails over to the backup firewall (because of a router reboot)

2. The backup firewall becomes master and uses the backup routes until it learns all routes itself (as expected)

3. The old master is now backup. It never learns the OSPF external routes (E1, E2) again, but the "O" routes are correctly learned

 

Have I missed something in my configuration?

 

Thank you in advance for your help

 

Vince

 

 

Message Edited by Big_Vi on 07-27-2009 06:21 AM
Cesar

Re: OSPF external 1 (E1) and external 2 (E2) are no more propagated after a failover

Did you have the commands below on both firewalls?

set nsrp rto-mirror sync
set nsrp rto-mirror route

 

I think you are hitting a known issue, "Backup NSRP firewall loses synced OSPF routes".

 

This is planned to be fixed in 6.10r7 but you can also open a case to provide a patch if needed. 

 

Thanks,

Cesar

Big_Vi

Re: OSPF external 1 (E1) and external 2 (E2) are no more propagated after a failover


Hi Cesar,

 

Thank you for your answer.

 

In fact, "set nsrp rto-mirror route" resyncs all routes from the master firewall. I don't find the KB or issue that you speak about: "Backup NSRP firewall loses synced OSPF routes".

 

I just found this: http://kb.juniper.net/index?page=content&id=KB9885&actp=search&searchid=1248853180800, but I don't use the untrust-vr.

 

Can you provide me a link?

 

Regards,

 

Vince 

Message Edited by Big_Vi on 07-29-2009 12:49 AM
Big_Vi

Re: OSPF external 1 (E1) and external 2 (E2) are no more propagated after a failover

 

Hi Cesar,

 

You were totally right. I've opened a case and JTAC provided me a patch.

 

Thank you very much.

 

 

For people with the same issue: open a case with the known issue "438794", "NSRP Backup firewall loses sync'ed OSPF routes", to obtain the needed patch.

 

Best regards,

 

Vince
