ScreenOS Firewalls (NOT SRX)
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
Big_Vi
Contributor
Big_Vi
Posts: 14
Registered: ‎04-08-2009
0
Accepted Solution

OSPF external 1 (E1) and external 2 (E2) are no more propagated after a failover

[ Edited ]
Options

‎07-27-2009 06:19 AM - edited ‎07-27-2009 06:21 AM

Hi Community,

 

I've setup a firewall cluster with the following caracteristics:

  • ScreenOS 6.1r5
  • cluster in Active/Passive NSRP mode with route synch
  • All interface are in the same OSPF area
  • In receive OSPF external type 1& 2 (E1, E2) route + intra area route (O)
  • Initially Master firewall know all route O,E1,E2
  • Initially Backup firewallknow all route (backup) Ob, E1b, E2b


Now the problem

1. Master firewall failover to backup firewall (because of a router reboot)

2. Backup Firewall come master, used backup route until it learn istelf all route (as expected)

3. The old master is now backup. it will never learn again the OSPF external route (E1,E2), but "O" route a correctely learned

 

 Have I missed something into my configuration?

 

Thank you in advance for your help

 

Vince

 

 

Message Edited by Big_Vi on 07-27-2009 06:21 AM
Message 1 of 4 (7,733 Views)
 
Reply
Super Contributor
Super Contributor
Cesar
Posts: 141
Registered: ‎11-18-2008

Re: OSPF external 1 (E1) and external 2 (E2) are no more propagated after a failover

Options

‎07-28-2009 11:13 AM

Did you have below commands in both firewalls?

set nsrp rto-mirror sync
set nsrp rto-mirror route

 

I think you are hitting a known issue, "Backup NSRP firewall loses synced OSPF routes".

 

This is planned to be fixed in 6.10r7 but you can also open a case to provide a patch if needed. 

 

Thanks,

Cesar

Message 2 of 4 (7,710 Views)
 
Reply
Big_Vi
Contributor
Big_Vi
Posts: 14
Registered: ‎04-08-2009
0

Re: OSPF external 1 (E1) and external 2 (E2) are no more propagated after a failover

[ Edited ]
Options

‎07-29-2009 12:46 AM - edited ‎07-29-2009 12:49 AM

Hi Cesar,

 

Thank you for your answer.

 

In fact the "set nsrp rto-mirror route" resync all route from the Master firewall. I d'ont find the KB or isse than you speak about : "Backup NSRP firewall loses synced OSPF routes".

 

I just found the this : http://kb.juniper.net/index?page=content&id=KB9885&actp=search&searchid=1248853180800 , but I don't use the untrust-vr.

 

Can you provide me a link ?

 

Regards,

 

Vince 

Message Edited by Big_Vi on 07-29-2009 12:49 AM
Message 3 of 4 (7,702 Views)
 
Reply
Big_Vi
Contributor
Big_Vi
Posts: 14
Registered: ‎04-08-2009
0

Re: OSPF external 1 (E1) and external 2 (E2) are no more propagated after a failover

Options

‎07-29-2009 05:02 AM

 

Hi Cesar,

 

You were totally right. I've opened I case and JTAC provide me a patch.

 

Thank you very much.

 

 

For poeple with the same issue: open a case with the known issue "438794" " NSRP Backup firewall loses sync'ed OSPF routes" to obtain the needed patch.

 

Best regards,

 

Vince

Message 4 of 4 (7,696 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.