Screen OS

last person joined: 8 months ago 

This is a legacy community with limited Juniper monitoring.

  • 1.  Procedure Replacing faulty SSG member on Active/Active cluster?

    Posted 05-27-2015 01:39

    Hi All,

     

     

    Can any one tell me the procedure to replace the faulty SSG member on active/active cluster? I mean step:

     

    For example Now FW2 as master because the FW1 faulty and replacemnt part already arrived. Do i need load first the existing config on FW1 then after that plug in back all the interface?

     

    Do i need execute any commannd to make sure both firewall back to synronize?

     

    Thanks and appreciate your fast feedbac. quit urgent



  • 2.  RE: Procedure Replacing faulty SSG member on Active/Active cluster?

    Posted 05-27-2015 03:10

    Here are the replacement instructions.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB12005



  • 3.  RE: Procedure Replacing faulty SSG member on Active/Active cluster?

    Posted 05-27-2015 03:49

    Hi Spuluka,

     

     

    Is that url for active/active? I'm read but still not understand

     

    Thanks



  • 4.  RE: Procedure Replacing faulty SSG member on Active/Active cluster?

    Posted 05-27-2015 03:55

    The procedure is the same for either active/active or active/passive NSRP replacement.

     

    If you have a ticket open with JTAC they are able to be on-line with you during the process of inserting the new device into the NSRP pair.  Just give them a call and they will create the screen sharing session.



  • 5.  RE: Procedure Replacing faulty SSG member on Active/Active cluster?

    Posted 05-27-2015 04:17

    Hi Spuluka,

     

    I'm still not open JTAC because want to try solve by myself. Below is what happen.

     

    1.) Setup Active/Active

    2.) FW1 (VSD3) & FW2 (VSD4)

    3.) Power trip happen the FW1 totally corrupt. Then FW2 was stand alone

    4.) replacement has arrived -----------> which step that i need to start on that URL?

     

     

    Thanks and appreciate your feedback



  • 6.  RE: Procedure Replacing faulty SSG member on Active/Active cluster?
    Best Answer

    Posted 05-27-2015 15:50

    In that case you will be starting at step #2 as since the FW is dead you are confirmed that the firewall on now is the master already.

     

    Some steps include obvious physical things like labeling the cables to be sure you connect them into the new device correctly so they may already be done when you installed.

     

    There should be no service impact but I would still do this in a maintenance window just in case.



  • 7.  RE: Procedure Replacing faulty SSG member on Active/Active cluster?

    Posted 05-27-2015 16:55
      |   view attached

    Hi Spuluka,

     

     

    Another question. What is diffrence between using that URL KB with i just load replace the existing config on FW1(backup config) into replacement part after that plug in back all the pysical connection. I'm using this style but suddenly after both FW HA syncronize the network intermittent go to DMZ server.

     

    U can see my topology as per attachment.

     

     

    Thanks and appreciate your feedback whether my step is wrong.

     



  • 8.  RE: Procedure Replacing faulty SSG member on Active/Active cluster?

    Posted 05-28-2015 03:35

    The procedure brings the firewall up with all interfaces off and adds this to the cluster gracefully.  

     

    It insures that your current firewall remains the master and that this is the configuration that gets synced to the new firewall in all areas of potential conflict.

     

    This insures then that the failovers between the firewalls are controlled during the process.