06-17-2012 11:43 PM
Hi all, and sorry to disturb you.
I deployed two SSG FWs last week, using Transparent mode and the HA feature with NSRP, but now a serious problem has appeared.
The two boxes' e0/8 are configured in the v1-trust zone and e0/9 in the v1-untrust zone. The vlan1 IP is set to 192.168.170.10 on both boxes.
The master box's manage IP is 192.168.170.11, i.e. the second IP or manage IP of vlan1.
The slave box's manage IP is 192.168.170.12.
The configuration is also very simple, just a few steps:
set interface e0/8 zone v1-trust
set interface e0/9 zone v1-untrust
set interface e0/7 zone HA
set interface vlan1 ip 192.168.170.10
set interface vlan1 manage-ip 192.168.170.11
set interface vlan1 ip manageable
set zone v1-untrust manage ping
set zone v1-trust manage web
set policy id 2 from v1-trust to v1-untrust any any any permit
set route 0.0.0.0/0 interface vlan1 gateway 192.168.170.1
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 10
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 monitor interface e0/8
set nsrp vsd-group id 0 monitor interface e0/9
The same on the slave box.
Now the problem is:
When NSRP takes effect, I can't manage the master box from the trust zone. I can only open the web UI or telnet to the slave box at 192.168.170.12. All of 170.10/170.11/170.12 can be pinged, but only 170.12 can be logged into.
But if I connect my PC to the box directly, I can manage it.
BTW, the auto-sync fails.
So this is my question, and thanks in advance.
The topology is in the attachment.
06-18-2012 02:05 AM
Can you share the config of both firewalls and also the 'get arp' output of the firewalls?
Is the problem only related to management of the firewall? How about pass-through traffic?
06-18-2012 02:14 AM
Yeah, thank you so much.
Sorry, I can't connect to the box now, but the main config is shown above.
The slave box's config is the same as the master's.
And I have cleared the ARP table already.
Transparent data forwarding has no problem.
The only problem is the management.
If I can't connect to the master appliance, I can't do the follow-up policies.
thanks a lot !
06-18-2012 07:08 AM
The following basic things can be checked:
1. enable management on zone
2. enable management on interface.
3. make sure that you are reaching the interface on v1-trust zone.
4. check arp entries
5. check if NSRP is properly configured
6. check if the management works after failover.
If none of the above works, then I am afraid we need more details from the firewall.
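To make the checklist above repeatable, here is an added example (not the poster's code and not a Juniper tool) that reads the kind of ScreenOS `set` lines posted in this thread and reports which checklist items fail, plus the cross-box NSRP rules: the vlan1 IP and cluster id must match on both members, while the manage-ip must be unique per box. It assumes that management from the trust side is expected over web (telnet can be requested as well), that the backup's config differs from the master's only in its manage-ip, and it deliberately records any line it cannot interpret so a typo in a command shows up as a finding instead of being silently ignored. The sample configs are constructed from the posted one.

```python
"""Audit ScreenOS-style 'set' configs for transparent-mode management access
and NSRP consistency. Added example for this thread; not Juniper tooling."""
import re

# Constructed sample modelled on the master config posted in this thread.
MASTER_CONFIG = """\
set interface e0/8 zone v1-trust
set interface e0/9 zone v1-untrust
set interface e0/7 zone HA
set interface vlan1 ip 192.168.170.10
set interface vlan1 manage-ip 192.168.170.11
set interface vlan1 ip manageable
set zone v1-untrust manage ping
set zone v1-trust manage web
set policy id 2 from v1-trust to v1-untrust any any any permit
set route 0.0.0.0/0 interface vlan1 gateway 192.168.170.1
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 10
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 monitor interface e0/8
set nsrp vsd-group id 0 monitor interface e0/9
"""
# Backup box (assumption): identical except for its own per-box manage-ip.
BACKUP_CONFIG = MASTER_CONFIG.replace("manage-ip 192.168.170.11", "manage-ip 192.168.170.12")

POLICY_RE = re.compile(r"^set policy id (\d+) from (\S+) to (\S+)\b")


def parse_config(text):
    """Reduce 'set ...' lines to a small model. Lines that do not match a
    known shape are kept in 'unparsed' so typos surface as findings."""
    cfg = {"iface_zone": {}, "zone_manage": {}, "vlan1": {},
           "nsrp": {"monitor": []}, "policies": [], "unparsed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        t = line.split()
        if t[:2] == ["set", "interface"] and len(t) >= 5 and t[3] == "zone":
            cfg["iface_zone"][t[2]] = t[4]                  # interface -> zone binding
        elif t[:3] == ["set", "interface", "vlan1"] and len(t) >= 5:
            if t[3:5] == ["ip", "manageable"]:
                cfg["vlan1"]["manageable"] = True
            elif t[3] == "ip":
                cfg["vlan1"]["ip"] = t[4]                   # shared cluster address
            elif t[3] == "manage-ip":
                cfg["vlan1"]["manage_ip"] = t[4]            # per-box address
            else:
                cfg["unparsed"].append(line)
        elif t[:2] == ["set", "zone"] and len(t) >= 5 and t[3] == "manage":
            cfg["zone_manage"].setdefault(t[2], set()).add(t[4])
        elif t[:2] == ["set", "policy"]:
            m = POLICY_RE.match(line)
            if m:
                cfg["policies"].append((int(m.group(1)), m.group(2), m.group(3)))
            else:
                cfg["unparsed"].append(line)                # e.g. 'form' instead of 'from'
        elif t[:4] == ["set", "nsrp", "cluster", "id"] and len(t) >= 5:
            cfg["nsrp"]["cluster_id"] = int(t[4])
        elif t[:4] == ["set", "nsrp", "vsd-group", "id"] and len(t) >= 6:
            cfg["nsrp"]["vsd_group"] = int(t[4])
            rest = t[5:]
            if rest[0] == "priority" and len(rest) > 1:
                cfg["nsrp"]["priority"] = int(rest[1])
            elif rest[0] == "preempt":
                cfg["nsrp"]["preempt"] = True
            elif rest[:2] == ["monitor", "interface"] and len(rest) > 2:
                cfg["nsrp"]["monitor"].append(rest[2])
            else:
                cfg["unparsed"].append(line)                # e.g. 'piority'
        elif t[:2] == ["set", "route"] or t[:3] == ["set", "nsrp", "rto-mirror"]:
            pass                                            # not needed for these checks
        else:
            cfg["unparsed"].append(line)
    return cfg


def audit_single(cfg, mgmt_zone="v1-trust", services=("web",)):
    """Checklist items 1, 2 and 5 from the last reply, applied to one box."""
    findings = []
    v = cfg["vlan1"]
    if "manage_ip" not in v:
        findings.append("vlan1 has no manage-ip (the shared vlan1 ip is not per-box)")
    if not v.get("manageable"):
        findings.append("vlan1 ip is not set manageable")
    allowed = cfg["zone_manage"].get(mgmt_zone, set())
    for s in services:
        if s not in allowed:
            findings.append(f"zone {mgmt_zone} does not allow manage {s}")
    if mgmt_zone not in cfg["iface_zone"].values():
        findings.append(f"no interface is bound to zone {mgmt_zone}")
    if "HA" not in cfg["iface_zone"].values():
        findings.append("no interface is bound to the HA zone")
    for key in ("cluster_id", "vsd_group", "priority"):
        if key not in cfg["nsrp"]:
            findings.append(f"nsrp {key} not set")
    for ifc in cfg["nsrp"]["monitor"]:
        if ifc not in cfg["iface_zone"]:
            findings.append(f"nsrp monitors unbound interface {ifc}")
    findings.extend(f"unparsed line: {l}" for l in cfg["unparsed"])
    return findings


def audit_pair(master, backup):
    """Cross-member rules: vlan1 ip and cluster id shared, manage-ip unique."""
    findings = []
    if master["vlan1"].get("ip") != backup["vlan1"].get("ip"):
        findings.append("vlan1 ip differs between cluster members")
    if master["vlan1"].get("manage_ip") == backup["vlan1"].get("manage_ip"):
        findings.append("both members use the same manage-ip")
    if master["nsrp"].get("cluster_id") != backup["nsrp"].get("cluster_id"):
        findings.append("nsrp cluster id differs between members")
    return findings


if __name__ == "__main__":
    m, b = parse_config(MASTER_CONFIG), parse_config(BACKUP_CONFIG)
    for name, f in (("master", audit_single(m)), ("backup", audit_single(b)),
                    ("pair", audit_pair(m, b))):
        print(name, "OK" if not f else f)
```

Run against the constructed pair it reports nothing; asking for telnet as well as web from v1-trust reports that telnet is not enabled on the zone, and feeding it the master config twice reports the duplicate manage-ip, which is the first thing to rule out when only one member of a transparent-mode cluster answers on its management address.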