Screen OS

  • 1.  Questions about NSRP Active/Active deployment

    Posted 11-16-2009 12:27

    Hi,

    We are running an NSRP Active/Active cluster.  The attached diagram describes the NSRP Active/Active deployment.  The firewall pair consists of two SSG550s running ScreenOS 6.1.0r6.0.  Since we have a large volume of VPN traffic between sites, the main design goal of the NSRP Active/Active implementation is to direct regular traffic through VSD 0 and VPN traffic through VSD 1.  If one firewall fails, the other one will pick up both VSD 0 and VSD 1 to support the regular and VPN traffic.  Data forwarding between the two VSDs is not allowed (unset nsrp data-forwarding).  VSD 0 uses RIPv2 to learn routes to reach subnets in Net ME and to learn a default route to reach the external world (Internet and subnets at other sites).  However, VSD 1 relies solely on static routes to direct traffic into tunnel interfaces (as well as to reach VPN peers) and to route traffic out of the VPN tunnels to a few specific subnets in Net ME.  The static routes configured on VSD 1 are synchronized to VSD 0, but the routes learned by RIPv2 on VSD 0 are not synchronized.  FW-1 is the master for VSD 0, and FW-2 is the master for VSD 1.

    Now let me start my questions.

    a.  I am using source interface eth0/0 in the NTP configuration, which is synchronized on both firewalls.  By doing so, FW-1, on which eth0/0 is UP, is running NTP well.  However, FW-2 does not seem to update its time by NTP.  Is this behavior normal?  Is it caused by the inactive state of eth0/0 on FW-2?  How could I correct it?


    b. How can I manage FW-2?  In order to reach the manage-ip of eth0/0 on FW-2, I have to configure a static route whose destination is my mgmt subnet and outgoing interface is eth0/0 (instead of eth0/0:1) on FW-2.  Is it a proper setup?


    c. What is the difference between the interface states Inactive and Down?  As I mentioned, the static routes configured on FW-2 are synchronized to FW-1.  On FW-1, although the outgoing interface associated with these static routes was Inactive, the static routes still beat the routes learned from RIPv2 because static routes have a better preference by default.  In order to make FW-1 use the RIP-learned routes, I had to modify the preference value of these static routes to 105, which is higher than the value assigned to RIP.  However, one thing confuses me.  Why would ScreenOS consider a route whose outgoing interface is in the Inactive state?

     

    Thanks!

     

    Andrew Xu



  • 2.  RE: Questions about NSRP Active/Active deployment
    Best Answer

    Posted 11-16-2009 23:59

    Hi

     

    I'm not sure it's recommended to use VSD 0 in a dual-VSD scenario, as this one has a specific configuration (for example, it uses the physical IP of the master as the IP of the cluster).

     

    1) If eth0/0 is part of VSD 0, the second firewall cannot use this interface as source, because it will have the same IP as the primary one, so it cannot be up when the master is active.

     

    Try to use VSD 2 instead of VSD 0 (delete VSD 0 and create a new one).

     

    2) You must configure management IPs on each firewall (this can be done via the console) to make sure you can reach the device you want to connect to.

     

    3) Make sure you declare the routes with the outgoing interface on the cluster; otherwise the routes aren't synchronized and remain active even when the outgoing interface is down.

     

    4) Why do you use RIP?  Convergence is slow, so in case of a failover your sessions can be dropped or timed out.

     

    Hope this helps.
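    The following is an added illustration of the layout the reply above recommends; it is not configuration from the thread or from Juniper. It assumes placeholder addresses, VSD group IDs and priorities (all constructed), and the lines starting with `#` are annotations rather than ScreenOS commands.

```screenos
# Added example: VSD group 2 replaces VSD group 0 for the regular traffic,
# VSD group 1 keeps the VPN role, and no VSI uses the master's physical IP.
# All addresses, group IDs and priorities below are assumed placeholders.

# --- Synchronized NSRP configuration (applies to both firewalls) ---
unset nsrp vsd-group id 0
set nsrp vsd-group id 2
set nsrp vsd-group id 1
unset nsrp data-forwarding
# VSIs are named interface:vsd-group; each VSI IP is shared across the cluster.
set interface ethernet0/0:2 ip 10.0.0.2/24
set interface ethernet0/0:1 ip 10.0.0.3/24
# Static route for the VPN role bound to its own VSI, so the route follows the
# VSI state (Inactive on the backup) and is synchronized to the peer.
set route 10.20.0.0/16 interface ethernet0/0:1 gateway 10.0.0.254

# --- Per-device settings (not synchronized), entered on each unit's console ---
# FW-1: lower priority value wins, so FW-1 is master for group 2
set nsrp vsd-group id 2 priority 50
set nsrp vsd-group id 1 priority 100
set interface ethernet0/0 manage-ip 10.0.0.11
# FW-2: master for group 1, reachable on its own manage-ip
set nsrp vsd-group id 2 priority 100
set nsrp vsd-group id 1 priority 50
set interface ethernet0/0 manage-ip 10.0.0.12
```

    The per-device manage-ip on the physical interface is what keeps each unit reachable regardless of which VSD groups it currently holds.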



  • 3.  RE: Questions about NSRP Active/Active deployment

    Posted 11-17-2009 04:49

    Hi,

    According to my understanding, these two firewalls are not running in an NSRP cluster. According to the book, if using NSRP, both should have the same VSD group.

     

    Both devices should have been synchronized, RIP should have been running on both, and there should have been a single virtual IP address on both firewalls.

     

    1) There is a problem with NTP when using an NSRP cluster; when you configure both devices properly, I guess that should get resolved.

     

    2) Manage the firewall using the actual address of the device, not the virtual address.

     

    3) Inactive means no clustering; if one of your devices goes down, your VPN will go down too. Down means both are not communicating properly in your case.

     

    I guess this would help with your queries; feel free to contact me any time.

     

    jawwad14@gmail.com

     

    Regards,

    Muhammad Jawwad Paracha

    IBM



  • 4.  RE: Questions about NSRP Active/Active deployment

    Posted 11-17-2009 11:22

    Hi PKC,

     

    You pointed me in the right direction.  I just called JTAC.  Before digging any further, I should unset VSD-Group 0 and create a new VSD-group for my use.

     

    Thanks!

     

    Andrew



  • 5.  RE: Questions about NSRP Active/Active deployment

    Posted 11-17-2009 07:31

    Thank you guys for your replies.  The picture is getting clearer to me.  Although I am still on the learning curve, I would like to clarify a few things as much as I can.

    I tried to use NSRP not only as an HA tool but also as a virtualization tool.  I tried to achieve the following things with NSRP.

    a. Move virtual devices between physical devices.  VSD-Group is right there for this purpose.  In my original post, I mentioned VSD 0 and VSD 1, but I actually meant VSD-Group 0 and VSD-Group 1.

    b. Provision services independently on each virtual device.  In my case, one virtual device VSD-Group 0 runs dynamic routing protocol for regular traffic.  Another one VSD-Group 1 supports VPN tunnels only and uses static routing to direct traffic in and out of the tunnels.  No data forwarding is allowed between the two virtual devices.

    c. Each virtual device runs its services independently.  This is where my questions came from.

    My intention is to use the manage-ip to manage and administer the physical and virtual devices.  ScreenOS only allows a manage-ip to be configured on a VSI in VSD-Group 0.  In my case, the manage-ip is configured on interface Eth0/0.  Since Eth0/0 is active on VSD-Group 0, it is fine to run an SSH/HTTPS admin session to the manage-ip and get NTP updates sourced from the manage-ip (Hmm... is it the manage-ip that is used by the source interface??).  However, Eth0/0 is Inactive on VSD-Group 1.  It appears to me that it is not straightforward to use the manage-ip on VSD-Group 1.  So I would refine my questions as follows.

    a. Can I use Eth0/0 as the source interface for NTP or Syslog services on VSD-Group 1?  If yes, will the manage-ip associated with Eth0/0 be used?  Or should I pick None as the source interface under NTP configuration?

    b. Since it does not run any dynamic routing protocol and has no default route configured, static routes are required on VSD-Group 1 to reach any subnet that is not local to it.  In order to remotely access the manage-ip on VSD-Group 1, should I configure a special static route on VSD-Group 1 for the return traffic of the admin session?  The static route would specify as destination the subnet my management console connects to, with the outgoing interface Eth0/0, which is inactive on VSD-Group 1.

    BTW, the reason we are using RIPv2 is not a purely technical issue.  I would not bore you guys with this. 😉

    Thanks!

    Andrew