Screen OS

I'm working on my first NSRP deployment w/ a pair SSG140s.  I was able to get the basic settings working and able to get failover working, but I noticed yesterday that when I was trying to upgrade the firmware I wasn't able to get to the passive 140 using it's manage-ip when i was on a different subnet.  The ip scheme is as followings

eth0/9                      10.100.100.1

fw_M manage-ip   10.100.100.2

fw_B manage-ip   10.100.100.3

L3_Switch              10.100.100.4 

There is a /29 for these devices, w/ the 140's have a route to my 192.168.200.0/24 network w/ a next hop of the L3_Switch.  I'm able to get to and manage the ip of fw_M, but not fw_B.  I found this article

 http://kb.juniper.net/InfoCenter/index?page=content&id=KB11374&smlogin=true

and followed scenario 1 since both subnets are in the Trust zone.  I issued the "set flow mac-cache mgt" on fw_B, but still wasn't able to access it.  I confirmed that the correct manage-ip is on B, also that I am able to ping it and access it if I put my laptop in the same subnet(which is what I ended up doing to get the firmware updated).  Did i need to issue the "set flow..." on the fw_M instead?  If not, am i missing something else?

I would recommend running a debug flow basic to see how the firewall is processing the packets.

Thanks.  I just got this working.  Did some looking and found 2 issues.  1, I was using vsd-group 5, not 0, so the option to use rto-mirror route wasn't available.  2, I didn't have the routes from FW_A on FW_B.  Did some reading and changed my static routes from 

set route 192.168.240.0/24 gateway 10.100.100.4 permanent
set route 192.168.220.0/24 gateway 10.100.100.4 permanent
set route 0.0.0.0/0  gateway ISP

to 

set route 192.168.240.0/24 interface ethernet0/9 gateway 10.100.100.4 permanent
set route 192.168.220.0/24 interface ethernet0/9 gateway 10.100.100.4 permanent
set route 0.0.0.0/0 interface ethernet0/0 gateway ISP

I fixed the routes on the primary, fixed the nsrp configuration and then did a sync on FW_B and after a reboot confirmed the appropriate routes were in place.  Added an additional route to FW_A to test and confirmed it synced to FW_B.

I would recommend not using permenant routes.

I agree with rseibert, as a general rule you should not use permanent routes.  This flag means that the route will remain in the routing table even when the egress interface is down or the next hop address is not reachable.  Meaning the traffic has no place to go and is black holed.

Very rarely is this the desired behavior.  Rather this is used when it is important that the traffic never take an alternate path and should be dumped rather than forwarded to alternative routing paths.

Thanks.  What would be the preferred way to do this?  10.100.100.4 is a L3 switch that is acting as the gateway for all the internal networks.  

set route 192.168.240.0/24 interface ethernet0/9 gateway 10.100.100.4

Thanks.  I'll update.