Screen OS

  • 1.  config sync problem with NSRP active/passive cluster configuration

    Posted 07-24-2012 02:34

    Hello y'all, I am quite new to Juniper and just learning the ropes.

    I am hoping someone can help out. I am trying to configure NSRP on 2 SSG5s in an active/passive cluster.

    The setup is such that each SSG5 is connected to a different ISP for failover in the event of downtime experienced on the primary link.

    I have installed the extended licenses on the two firewalls and both are active.

    The problem I am having is that to get the config in sync, I do "exec nsrp sync global-config save" to get a config synchronization. I notice that all the config of the first SSG is copied on the second firewall, or vice versa, even though this command is only issued on the second SSG.

    This includes IP addresses, DNS configuration, even MIP etc. gets copied such that both have the same configuration. I have read on one of the threads that it is not possible to configure an active/passive cluster using two different ISPs because VSIs are created for both the trust and untrust interfaces.

    Could this be a reason why I am getting this? Any pointers in the right direction would be most appreciated.

    I would also like to know if the way I have set up the firewalls is in line with best practices or not.

    I have set int eth0/0 as the untrust interface. I have set int eth0/2 as the trust interface, but I have been advised to leave this as part of bgroup0 and assign the IP address meant for the interfaces to bgroup0. I have set int eth0/6 as the HA link on both firewalls.

    I have added the nsrp config for both firewalls below.

     

    Firewall 1.
    set nsrp cluster id 1
    set nsrp rto-mirror sync
    set nsrp vsd-group id 0 priority 50
    set nsrp vsd-group id 0 preempt
    set nsrp interface bgroup0
    set nsrp monitor interface bgroup0
    set nsrp monitor interface ethernet0/0
    set nsrp ha-link probe

    Firewall 2
    set nsrp cluster id 1
    set nsrp rto-mirror sync
    set nsrp vsd-group id 0 priority 100
    set nsrp interface bgroup0
    set nsrp monitor interface ethernet0/0
    set nsrp monitor interface bgroup0
    set nsrp ha-link probe

     

    Thanks


    #Active-PassiveCluster
    #NSRP


  • 2.  RE: config sync problem with NSRP active/passive cluster configuration
    Best Answer

    Posted 07-24-2012 04:10

    Hi,

     

    If you create an NSRP cluster and VSD 0, all pairs of the physical interfaces are automatically added to the VSI interfaces. The only exceptions are interfaces in the MGT zone. If you use VSD n, where n is a number not equal to zero and less than the maximum VSD number (envar nsrp-max-vsd), all VSI interfaces should be configured manually. This means that several interface pairs may be excluded from the VSIs. But this configuration might be complex for you and it contains certain drawbacks.

    I prefer another way to solve the problem with the NSRP cluster and two ISPs. Here is an example:

    eth0/0 and eth0/1 are assigned to the Untrust zone.

    Master FW: eth0/0 connected to ISP1, eth0/1 is uncabled.

    Backup FW: eth0/0 is uncabled, eth0/0 connected to ISP2

    One default route points to ISP1 through eth0/0, another default route with a higher metric points to ISP2 through eth0/1.

    Configure IP tracking on the Master only, on VSI eth0/0 (under NSRP settings). Use e.g. a pingable IP at ISP1. If IP tracking fails, a failover should be initiated. The backup FW will use the secondary default route at ISP2 because the primary one is inactive.

    You can also cable all four ports to a switch and enable the communication Master -> ISP2, Backup -> ISP1. This configuration is more complex. IP tracking should be configured on both eth0/0 under interface settings (per device) and the failover conditions should also be more complex. Further, both eth0/0 interfaces should be assigned unique management IPs too, for this to work.



  • 3.  RE: config sync problem with NSRP active/passive cluster configuration

    Posted 07-26-2012 08:49

    Hey Edouard,

    Many thanks for your simplified solution. It worked like magic. Failover works like before, but this time around with the 2 ISPs.

    I reposted the config below for others who might have the same issue I had.

    MASTER
    set nsrp cluster id 1
    set nsrp rto-mirror sync
    set nsrp vsd-group id 0 priority 50
    set nsrp vsd-group id 0 preempt
    set nsrp interface bgroup0
    set nsrp monitor interface bgroup0
    set nsrp monitor interface ethernet0/0
    set nsrp monitor interface ethernet0/2 weight 100
    set nsrp monitor track-ip ip
    set nsrp monitor track-ip ip 10.1.1.2 interval 3
    set nsrp ha-link probe


    BACKUP

    set nsrp cluster id 1
    set nsrp rto-mirror sync
    set nsrp vsd-group id 0 priority 100
    set nsrp interface bgroup0
    set nsrp monitor interface ethernet0/0 weight 100
    set nsrp monitor interface bgroup0
    set nsrp monitor interface ethernet0/2
    set nsrp ha-link probe
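As an added example (not code from this thread, from Juniper, or from ScreenOS itself), here is a small Python checker that parses the "set nsrp" lines of both cluster members and reports the mismatches worth catching before running "exec nsrp sync global-config save": cluster id, VSD 0 priority and preempt, monitored interfaces and their weights, rto-mirror and ha-link probe on both sides, and whether track-ip lives only on the master as the accepted answer recommends. The MASTER and BACKUP strings are the configs posted above; the parser recognises only the command forms that appear in this thread, and the default weight of 255 for a monitored interface without an explicit weight is an assumption to check against your release's CLI reference.

```python
"""Consistency checker for a ScreenOS NSRP active/passive pair (added example)."""
import re
from typing import Dict, List

# Assumption: ScreenOS treats a monitored interface without an explicit
# weight as weight 255. Verify against your release's CLI reference.
DEFAULT_WEIGHT = 255

CLUSTER_RE = re.compile(r"^set nsrp cluster id (\d+)$")
PRIORITY_RE = re.compile(r"^set nsrp vsd-group id 0 priority (\d+)$")
MONITOR_RE = re.compile(r"^set nsrp monitor interface (\S+)(?: weight (\d+))?$")
TRACK_IP_RE = re.compile(r"^set nsrp monitor track-ip ip (\d+\.\d+\.\d+\.\d+)")

# Configs as posted in this thread (MASTER and BACKUP from the reply above).
MASTER_CFG = """
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt
set nsrp interface bgroup0
set nsrp monitor interface bgroup0
set nsrp monitor interface ethernet0/0
set nsrp monitor interface ethernet0/2 weight 100
set nsrp monitor track-ip ip
set nsrp monitor track-ip ip 10.1.1.2 interval 3
set nsrp ha-link probe
"""

BACKUP_CFG = """
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 100
set nsrp interface bgroup0
set nsrp monitor interface ethernet0/0 weight 100
set nsrp monitor interface bgroup0
set nsrp monitor interface ethernet0/2
set nsrp ha-link probe
"""


def parse_nsrp(config: str) -> Dict:
    """Reduce one member's 'set nsrp' lines to a small state dictionary."""
    state = {
        "cluster_id": None,
        "priority": None,
        "preempt": False,
        "rto_mirror": False,
        "ha_link_probe": False,
        "monitor": {},      # interface name -> weight
        "track_ips": [],
    }
    for raw in config.splitlines():
        # Drop surrounding whitespace and a stray trailing period such as the
        # "set nsrp ha-link probe." pasted in the first post; the real CLI
        # would reject that line, so it is worth catching in a paste.
        line = raw.strip().rstrip(".")
        if not line.startswith("set nsrp "):
            continue
        if m := CLUSTER_RE.match(line):
            state["cluster_id"] = int(m.group(1))
        elif m := PRIORITY_RE.match(line):
            state["priority"] = int(m.group(1))
        elif line == "set nsrp vsd-group id 0 preempt":
            state["preempt"] = True
        elif line == "set nsrp rto-mirror sync":
            state["rto_mirror"] = True
        elif line == "set nsrp ha-link probe":
            state["ha_link_probe"] = True
        elif m := MONITOR_RE.match(line):
            state["monitor"][m.group(1)] = int(m.group(2)) if m.group(2) else DEFAULT_WEIGHT
        elif m := TRACK_IP_RE.match(line):
            # "set nsrp monitor track-ip ip" with no address only enables tracking
            # and is intentionally not matched here.
            state["track_ips"].append(m.group(1))
    return state


def check_pair(master_cfg: str, backup_cfg: str) -> List[str]:
    """Return human-readable findings; an empty list means the pair is consistent."""
    m, b = parse_nsrp(master_cfg), parse_nsrp(backup_cfg)
    findings: List[str] = []

    if m["cluster_id"] != b["cluster_id"]:
        findings.append(f"cluster id mismatch: {m['cluster_id']} vs {b['cluster_id']}")
    if m["priority"] is None or b["priority"] is None:
        findings.append("vsd-group 0 priority missing on one member")
    elif m["priority"] >= b["priority"]:
        # In NSRP the lower priority value wins the VSD election.
        findings.append(f"master priority {m['priority']} is not lower than backup {b['priority']}")
    if not m["preempt"]:
        findings.append("master lacks preempt: it will not reclaim the VSD after recovering")
    if b["preempt"]:
        findings.append("backup has preempt: both members would contend for master")
    if not m["track_ips"]:
        findings.append("no track-ip on master: loss of ISP1 will not trigger failover")
    if b["track_ips"]:
        findings.append("track-ip on backup: the two-ISP design tracks from the master only")

    m_ifaces, b_ifaces = set(m["monitor"]), set(b["monitor"])
    if m_ifaces != b_ifaces:
        findings.append(f"monitored interfaces differ: {sorted(m_ifaces ^ b_ifaces)}")
    for iface in sorted(m_ifaces & b_ifaces):
        if m["monitor"][iface] != b["monitor"][iface]:
            findings.append(f"weight for {iface} differs: master {m['monitor'][iface]}, "
                            f"backup {b['monitor'][iface]}")
    for role, state in (("master", m), ("backup", b)):
        if not state["rto_mirror"]:
            findings.append(f"{role}: rto-mirror sync not set, sessions will not survive failover")
        if not state["ha_link_probe"]:
            findings.append(f"{role}: ha-link probe not set")
    return findings


if __name__ == "__main__":
    for finding in check_pair(MASTER_CFG, BACKUP_CFG) or ["no findings"]:
        print(finding)
```

Run against the posted configs, the checker confirms the priorities, preempt and master-only track-ip are as the accepted answer describes, and reports only that the monitor weights for ethernet0/0 and ethernet0/2 are swapped between the two members (100 on one side, default on the other), which is the kind of asymmetry a global-config sync will silently propagate in one direction.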