ScreenOS Firewalls (NOT SRX)
Visitor
Demos.Hu
Posts: 3
Registered: ‎06-17-2012

Problem with SSG transparent deploy

  Hi all, and sorry to disturb you.

  I deployed two SSG firewalls last week, using transparent mode and the HA features with NSRP, but now a serious problem has appeared.

  On both boxes, e0/8 is configured in the v1-trust zone and e0/9 is configured in the v1-untrust zone. The vlan1 IP is set to 192.168.170.10 on both boxes.

  The master box's manage IP is 192.168.170.11, that is, the second IP or manage IP of vlan1.

  The slave box's manage IP is 192.168.170.12.

  

  The configuration is also very simple, just a few steps:

  set interface e0/8 zone v1-trust

  set interface e0/9 zone v1-untrust 

  set interface e0/7 zone HA

  set interface vlan1 ip 192.168.170.10

  set interface vlan1 manage-ip 192.168.170.11

  set interface vlan1 ip manageable

  set zone v1-untrust manage ping

  set zone v1-trust manage web

  set policy id 2 from v1-trust to v1-untrust any any any permit

  set route 0.0.0.0/0 interface vlan1 gateway 192.168.170.1

  set nsrp cluster id 1

  set nsrp rto-mirror sync

  set nsrp vsd-group id 0 priority 10

  set nsrp vsd-group id 0 preempt

  set nsrp vsd-group id 0 monitor interface e0/8

  set nsrp vsd-group id 0 monitor interface e0/9

 

The slave box is configured the same way.

Now the problem is:

  When NSRP takes effect, I can't manage the master box from the trust zone. I can only open the web UI or telnet to the slave box, 192.168.170.12. All of 170.10/170.11/170.12 respond to ping, but only 170.12 accepts a login.

  But if I connect my PC directly to the box, I can manage it.

  BTW, the auto-sync is failing.

  So, this is my question, and thanks in advance.

The topology is in the attachment.

 

Recognized Expert
Sahota
Posts: 484
Registered: ‎03-15-2012

Re: Problem with SSG transparent deploy

Hi,

Can you share the config of both firewalls and also the 'get arp' output of the firewalls?
Is the problem only related to management of the firewall? How about pass-through traffic?

Thanks.
Hardeep

Visitor
Demos.Hu
Posts: 3
Registered: ‎06-17-2012

Re: Problem with SSG transparent deploy

Yeah, thank you so much.

Sorry, I can't connect to the box now, but the main config is shown above.

The slave box's config is the same as the master's.

And I have already cleared the ARP table.

The transparent data traffic has no problem.

The only problem is the management.

If I can't connect to the master appliance, I can't do the follow-up policies.

 

Thanks a lot!

Recognized Expert
Sahota
Posts: 484
Registered: ‎03-15-2012

Re: Problem with SSG transparent deploy

Hi,

The following basic things can be checked:
1. enable management on zone.
2. enable management on interface.
3. make sure that you are reaching the interface on v1-trust zone.
4. check arp entries.
5. check if NSRP is properly configured.
6. check if after failover, the management works.

If none of the above works then I am afraid we need more details from firewall.


Thanks.
Hardeep
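Items 1, 2 and 5 of the checklist above can be read straight from a saved config, so they can be checked before touching the device. The following is an added example, not part of the original thread: it parses only the `set` command forms quoted in the first post, and `SAMPLE_CONFIG`, `parse`, `findings` and `mgmt_if` are hypothetical names. Items 3, 4 and 6 need the live firewall and are not covered.

```python
# Constructed sample: the "set" lines quoted in the first post, typos corrected.
SAMPLE_CONFIG = """\
set interface e0/8 zone v1-trust
set interface e0/9 zone v1-untrust
set interface e0/7 zone HA
set interface vlan1 ip 192.168.170.10
set interface vlan1 manage-ip 192.168.170.11
set interface vlan1 ip manageable
set zone v1-untrust manage ping
set zone v1-trust manage web
set nsrp cluster id 1
set nsrp vsd-group id 0 monitor interface e0/8
set nsrp vsd-group id 0 monitor interface e0/9
"""

def parse(config):
    """Collect the management and NSRP facts stated by the set commands."""
    facts = {"zone_mgmt": {}, "if_zone": {}, "manage_ip": {},
             "manageable": set(), "cluster": None, "monitored": set()}
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["set", "zone"] and t[3:4] == ["manage"] and len(t) == 5:
            facts["zone_mgmt"].setdefault(t[2], set()).add(t[4])
        elif t[:2] == ["set", "interface"] and len(t) == 5:
            if t[3] == "zone":
                facts["if_zone"][t[2]] = t[4]
            elif t[3] == "manage-ip":
                facts["manage_ip"][t[2]] = t[4]
            elif t[3:] == ["ip", "manageable"]:
                facts["manageable"].add(t[2])
        elif t[:4] == ["set", "nsrp", "cluster", "id"] and len(t) == 5:
            facts["cluster"] = t[4]
        elif t[:3] == ["set", "nsrp", "vsd-group"] and t[5:7] == ["monitor", "interface"] and len(t) == 8:
            facts["monitored"].add(t[7])
    return facts

def findings(config, zone, service, mgmt_if="vlan1"):
    """Return checklist items 1, 2 and 5 that the config text does not satisfy."""
    f, out = parse(config), []
    if service not in f["zone_mgmt"].get(zone, set()):
        out.append(f"1: '{service}' not enabled on zone {zone}")
    if mgmt_if not in f["manageable"] or mgmt_if not in f["manage_ip"]:
        out.append(f"2: {mgmt_if} lacks 'ip manageable' or a manage-ip")
    if f["cluster"] is None:
        out.append("5: no NSRP cluster id")
    for ifc in sorted(f["monitored"] - set(f["if_zone"])):
        out.append(f"5: NSRP monitors {ifc}, which is bound to no zone")
    return out
```

Run against the quoted lines, `findings(SAMPLE_CONFIG, "v1-trust", "web")` is empty, while asking for `"telnet"` reports that only `web` is enabled on v1-trust in the lines that were posted.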

Visitor
Demos.Hu
Posts: 3
Registered: ‎06-17-2012

Re: Problem with SSG transparent deploy

Thank you very much.

I have solved the problem by following your suggested steps.

Thanks again!

Recognized Expert
Sahota
Posts: 484
Registered: ‎03-15-2012

Re: Problem with SSG transparent deploy

Hi,

 

Good to know that it is fixed.

Can you please mark this thread as resolved so that others can also benefit from it.

 

Regards.

Hardeep

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.