I'm working on my first NSRP deployment w/ a pair of SSG140s. I was able to get the basic settings working and able to get failover working, but I noticed yesterday that when I was trying to upgrade the firmware I wasn't able to get to the passive 140 using its manage-ip when I was on a different subnet. The IP scheme is as follows:
eth0/9 10.100.100.1
fw_M manage-ip 10.100.100.2
fw_B manage-ip 10.100.100.3
L3_Switch 10.100.100.4
There is a /29 for these devices, w/ the 140s having a route to my 192.168.200.0/24 network w/ a next hop of the L3_Switch. I'm able to get to and manage the IP of fw_M, but not fw_B. I found this article
http://kb.juniper.net/InfoCenter/index?page=content&id=KB11374&smlogin=true
and followed scenario 1 since both subnets are in the Trust zone. I issued the "set flow mac-cache mgt" on fw_B, but still wasn't able to access it. I confirmed that the correct manage-ip is on B, and also that I am able to ping it and access it if I put my laptop in the same subnet (which is what I ended up doing to get the firmware updated). Did I need to issue the "set flow..." on the fw_M instead? If not, am I missing something else?