ScreenOS Firewalls (NOT SRX)
Highlighted
ScreenOS Firewalls (NOT SRX)

SSG520 Verify HA NSRP Sync

06.18.09   |  
‎06-18-2009 01:15 PM

We have 2 SSG520 devices (SSG1 and SSG2) running 5.4r7.0 and they were in HA (Active/Passive).  We moved to a new datacenter and took the Passive device (SSG2) to the new datacenter, reconfigured it as a Master and migrated all VPN tunnels to this device.  We brought the old master (SSG1) to the new datacenter, reconfigured it as a Backup and need to confirm they are back in sync.

 

I called Juniper and they said they are in sync, but I am seeing differences in the routes.  Please assist.  Once in sync, the backup (SSG1) needs to be imported into NSM and added to the current Cluster.


Thanks

4 REPLIES
ScreenOS Firewalls (NOT SRX)

Re: SSG520 Verify HA NSRP Sync

06.18.09   |  
‎06-18-2009 04:31 PM
what do you mean differences in the route? It can happen if the interfaces or things have changed since last.  Can you show what is different between the 2 fw in terms of route.
****pls click the button " Accept as Solution" if my post helped to solve your problem****
ScreenOS Firewalls (NOT SRX)

Re: SSG520 Verify HA NSRP Sync

06.19.09   |  
‎06-19-2009 06:18 AM
What I mean in terms of routes is, there are eB (BGP) routes on the Master that are on not on the Backup.
ScreenOS Firewalls (NOT SRX)

Re: SSG520 Verify HA NSRP Sync

06.19.09   |  
‎06-19-2009 08:57 AM

if they are eBGP routes then its correct. We only support dynamic route syn from 6.0r2 onwards and you are running 5.4 right now, so it means that the dynamic routes will not be synced over to the backup.

 

 

****pls click the button " Accept as Solution" if my post helped to solve your problem****
ScreenOS Firewalls (NOT SRX)

Re: SSG520 Verify HA NSRP Sync

06.19.09   |  
‎06-19-2009 09:07 AM

That answers it.  Thanks for your help!