Screen OS

  • 1.  Passive firewall manage IP not reachable..!

    Posted 12-04-2010 21:30

    Hi,

     

    In an SSG 550 (6.2.0R1) active/passive scenario, the manage IP of the passive firewall is not reachable from the master firewall or from other subnets. My guess is that the passive firewall interfaces are in the Inactive state, and that's why it doesn't communicate. But how can I manage the passive box?

     

    Please assist.



  • 2.  RE: Passive firewall manage IP not reachable..!
    Best Answer

    Posted 12-05-2010 12:10

    Here are the troubleshooting guides for management of NSRP clusters. Follow down the list to the specific circumstances of your issue. Then there is a link to a KB article for each possible problem that walks you through the configuration adjustments needed.

     

    Flow chart version:

    http://kb.juniper.net/kb/documents/public/resolution_path/J_visio_kb11363.htm

     

    Question/Answer version:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB11363


    Reference:

     

    Here is the master troubleshooting guide for NSRP:

    http://kb.juniper.net/kb/documents/public/resolution_path/J_visio_NSRP_resolution_guide.htm

     



  • 3.  RE: Passive firewall manage IP not reachable..!

    Posted 12-12-2010 01:22

    Excellent Steve,

     

    Best KBs...



  • 4.  RE: Passive firewall manage IP not reachable..!

    Posted 09-28-2011 01:21

    Hi there,

     

    I'm new to Juniper NetScreen and I am facing the same issue. In my company we are running NSRP, and I can only bring up the web interface of my master firewall; SSH works for both.

     

    I have checked everything from this KB and it's all OK http://kb.juniper.net/InfoCenter/index?page=content&id=KB11363 

     

    What else can I check? Where do I get any logs regarding NSRP or the management IP from? get log xxxx ?

     

    Thanks for taking the time to read. Any help would be very much appreciated.

     

    Cheers,

     

    Fabio



  • 5.  RE: Passive firewall manage IP not reachable..!

    Posted 09-28-2011 03:05

    Hi Fabio,

     

    Both interfaces on the cluster members should have unique management IPs, different from the NSRP address and each other. The management IPs are not replicated between the cluster members and have unique physical MAC addresses while NSRP IP is mapped to a virtual MAC address.

     

    If you can reach both devices using ssh, everything is correctly configured. The web interface should also work.

    I may assume that both cluster members are not in sync. Check it using "exec nsrp sync global-config check-sum".

     

    The interfaces on the backup device are normally in the status "down" (logically). You can change this by issuing the command "set nsrp link-up-on-backup". The interfaces then get the status "Inactive". But interfaces that do not have specific management IPs, different from the NSRP IP and from each other, stay in the status "Down". Inactive interfaces can send ICMP requests from the mgmt IP if IP tracking is configured and can also negotiate VPN SAs.

     

    You can ping the mgmt IP of the master from the backup device but not vice versa. If a ping request is sent from the master member, it has the NSRP IP address as its source. The backup member does not accept such a packet. I suppose this is by design.

    There is a limitation in using ping on the backup member: "ping <IP>" works but "ping <IP> from ethx/y" does not. The error message "Interface ethernetx/y is inactive or down" is generated instead.

     

    I do recommend using the MGT zone for in-house clusters and mapping it to a dedicated VR. Each MGT interface uses a single IP, both for addressing and for management; they are always "Up" and can reach each other without any limitations.

     

    Use "get log self" to check the connections terminated on the FW interfaces. Issue "get firewall" to see what is logged. The output may look this way:

     

    Log Self for IKE :                     Off
    Log Self for SNMP:                     Off
    Log Self for ICMP:                     Off
    Log Self Deny:                         On
        Log Self Deny exclude Multicast:   On
    Log Self for TELNET :                  Off
    Log Self for SSH :                     Off
    Log Self for WEB :                     Off
    Log Self for NSM :                     Off

     

    And, finally, use "debug flow basic" if the log records are not very informative.
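    As an added illustration of the two checks above (not part of the original post or of any Juniper tool): a small parser for the "get firewall" self-log output in the format quoted, which emits the "set firewall log-self <service>" command for each management service still logged Off, plus a check of the manage-IP rule (unique per member and different from the NSRP IP). The sample output is constructed, and the assumption that every service name takes the same "set firewall log-self" form the thread shows for "web" is noted in the code.

```python
import re
from ipaddress import ip_address

# Constructed sample in the format of the "get firewall" output quoted above (not a real capture)
GET_FIREWALL_OUTPUT = """\
Log Self for IKE :                     Off
Log Self for SNMP:                     Off
Log Self for ICMP:                     Off
Log Self Deny:                         On
    Log Self Deny exclude Multicast:   On
Log Self for TELNET :                  Off
Log Self for SSH :                     Off
Log Self for WEB :                     Off
Log Self for NSM :                     Off
"""

# Matches "Log Self for <SERVICE> : On|Off"; the spacing before the colon varies per line
LOG_SELF_RE = re.compile(r"^\s*Log Self for (\w+)\s*:\s*(On|Off)\s*$", re.IGNORECASE)


def parse_log_self(output):
    """Map each 'Log Self for <service>' line to True (On) or False (Off)."""
    state = {}
    for line in output.splitlines():
        m = LOG_SELF_RE.match(line)
        if m:
            state[m.group(1).upper()] = m.group(2).lower() == "on"
    return state


def missing_log_self(output, services=("WEB", "SSH")):
    """Commands to turn on self-logging for the management services still Off.
    Assumption: every service uses the 'set firewall log-self <name>' form shown for web."""
    state = parse_log_self(output)
    return [f"set firewall log-self {svc.lower()}"
            for svc in services if not state.get(svc, False)]


def check_manage_ips(members, nsrp_ip):
    """members: {member name: manage IP}. Returns violations of the rule that
    manage IPs must differ from the NSRP IP and from each other (empty list = OK)."""
    problems, seen = [], {}
    for name, ip in members.items():
        addr = ip_address(ip)
        if addr == ip_address(nsrp_ip):
            problems.append(f"{name}: manage-ip {ip} equals the NSRP IP")
        if addr in seen:
            problems.append(f"{name}: manage-ip {ip} duplicates {seen[addr]}")
        seen[addr] = name
    return problems
```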



  • 6.  RE: Passive firewall manage IP not reachable..!

    Posted 09-29-2011 02:50

    Hi Edouard,

     

    Thank you very much for your help. Your post was very helpful!

     

    When I ran "exec nsrp sync global-config check-sum", the system prompted a warning message saying that NSRP is out of synchronization.

     

    Further to that, I can ping my master Mgmt IP from itself and from my backup FW. However, from my backup FW I cannot even ping its own Mgmt IP. Does this sound strange to you? Or maybe that's because the logical status is always down, as you were telling me...

     

    "get log self" doesn't show anything. My firewall logging has the same settings, logging only:

     

    Log Self Deny:                         On
        Log Self Deny exclude Multicast:   On

     

    I need to do some investigation to find out if the NSRP sync problem is related to the mgmt IP of my backup fw.

     

    I have attached a file with the details about my mgmt interface just in case.

     

    Thanks again,

     

    Fabio

    Attachment: netscreen mgmt int.pdf


  • 7.  RE: Passive firewall manage IP not reachable..!

    Posted 09-29-2011 07:52

    Hi Fabio,

     

    If both configs are not in sync, you should connect to the backup member and issue "exec nsrp sync global-config save". The backup member will synchronize the config from the peer (Master). You should reboot the Backup after that.

     

    You see nothing in the self-log because all (nearly all) logging options are "off" per default. Use "set firewall log-self web" to enable logging for the GUI management sessions.

     

    The backup member cannot really ping its mgmt IPs. I do not know the reasons why it is impossible. But anyway, I do not consider this a drawback and use the command "get arp" to check the member connectivity.

     

    It's very unlikely that the cluster members are not in sync because of a mgmt IP problem. Mgmt IPs are not synchronised.

     

    You should sync your cluster manually and re-check it after a couple of days. There are bugs in several ScreenOS releases that may incorrectly change or display the NSRP status. There were, e.g., releases that changed the sync status because of the active NTP sync between the cluster members (default setting). I always use "set ntp no-ha-sync", also with the latest releases.