ScreenOS Firewalls (NOT SRX)
Contributor
Raj909
Posts: 45
Registered: ‎10-20-2008
0

SSG520 Verify HA NSRP Sync

We have 2 SSG520 devices (SSG1 and SSG2) running 5.4r7.0 and they were in HA (Active/Passive).  We moved to a new datacenter and took the Passive device (SSG2) to the new datacenter, reconfigured it as a Master and migrated all VPN tunnels to this device.  We brought the old master (SSG1) to the new datacenter, reconfigured it as a Backup and need to confirm they are back in sync.

 

I called Juniper and they said they are in sync, but I am seeing differences in the routes.  Please assist.  Once in sync, the backup (SSG1) needs to be imported into NSM and added to the current Cluster.


Thanks

Trusted Expert
WL
Posts: 790
Registered: ‎07-26-2008
0

Re: SSG520 Verify HA NSRP Sync

What do you mean by differences in the route? It can happen if the interfaces or things have changed since last. Can you show what is different between the 2 fw in terms of route?
Raj909

Re: SSG520 Verify HA NSRP Sync

What I mean in terms of routes is, there are eB (BGP) routes on the Master that are not on the Backup.
WL

Re: SSG520 Verify HA NSRP Sync

If they are eBGP routes then it's correct. We only support dynamic route sync from 6.0r2 onwards and you are running 5.4 right now, so it means that the dynamic routes will not be synced over to the backup.
Raj909

Re: SSG520 Verify HA NSRP Sync

That answers it.  Thanks for your help!

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.