Posted by: manilageek | September 9, 2011

Netscreen Firewall Synchronization issue

To check for the issue, run the commands below:


#exec nsrp sync global-config check-sum
#get db str
               Warning: configuration out of sync
#get log sys reversely

Reasons for NSRP configuration to be out-of-sync:
1. Device configurations are not identical
         a. Changes were made and saved on the primary firewall while the backup was rebooting
         b. NTP monitoring is configured on only one firewall
         c. Firewall has a double quote “” in an object definition
2. Root password is not identical
3. Each device in the cluster is using a different ScreenOS version
4. Interface configuration is not identical
         a. Check with “get interface” and “get system”
         b. To resolve: add or remove extra cards
5. ISG has IDP
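
To locate which of the reasons above applies, the saved "get config" output of both cluster members can be compared offline. The Python script below is an added example, not part of the original post or any vendor tool; it assumes that the settings this post enters separately on each unit (hostname, vsd-group priority/preempt, manage-ip) are expected to differ, and the sample configs, including the NETFW02 hostname and the NTP server address, are constructed.

```python
import re

# Assumption: settings this page enters separately on each unit are expected
# to differ between cluster members and are left out of the comparison.
PER_DEVICE = re.compile(
    r"^set (hostname |nsrp vsd-group id \d+ (priority|preempt)\b|interface \S+ manage-ip )")

# Map a differing line to the matching reason in the list above.
REASONS = [
    (re.compile(r"^(un)?set ntp "), "1b: NTP configured on only one firewall"),
    (re.compile(r"^(un)?set interface "), "4: interface configuration differs"),
]

def synced_lines(config_text):
    """Return the set of config lines that should match on both units."""
    lines = set()
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # collapse runs of whitespace
        if not line.startswith(("set ", "unset ")) or PER_DEVICE.search(line):
            continue  # skip prompts, banners, blanks and per-device settings
        lines.add(line)
    return lines

def compare(primary_text, backup_text):
    """Return (line, side, reason) for every line present on one unit only."""
    primary, backup = synced_lines(primary_text), synced_lines(backup_text)
    findings = []
    for side, only in (("primary", primary - backup), ("backup", backup - primary)):
        for line in sorted(only):
            reason = next((r for p, r in REASONS if p.search(line)),
                          "1: device configurations are not identical")
            findings.append((line, side, reason))
    return findings

# Constructed sample configs (not taken from a real device).
PRIMARY = """set hostname NETFW01
set nsrp vsd-group id 0 priority 5
set interface "ethernet3/7" zone "HA"
set interface "ethernet3/8" zone "HA"
set ntp server "192.0.2.10"
"""
BACKUP = """set hostname NETFW02
set nsrp vsd-group id 0 priority 10
set interface "ethernet3/7" zone "HA"
"""

if __name__ == "__main__":
    for line, side, reason in compare(PRIMARY, BACKUP):
        print(f"only on {side}: {line}  -> reason {reason}")
```
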

To make the backup the master:
1. Adjust the NSRP priority
         a. set nsrp vsd-group id 0 priority 5 (master)
         b. set nsrp vsd-group id 0 priority 10 (backup)
2. Configure preempt on the device that should become master
         a. set nsrp vsd-group id 0 preempt
         b. set nsrp vsd-group id 0 preempt hold-down 10

How to resolve the sync issue:
(Short)
1. #exec nsrp sync global-config save
             “Configuration modified, save?[y]/n”
             Press “N”
              “System reset, are you sure? y/[n]”
             Press “Y”
             The system will reboot

(Long):
#unset all
             “Erase all system config, are you sure y / [n]?”
             Press the Y key.
             (The system configuration is returned to the factory default settings.)
#reset
             “Configuration modified, save? [y] / n”
             Press the N key.
             “System reset, are you sure? y / [n] n”
             Press the Y key.
The system reboots.
#set hostname NETFW01
Add HA link config:
#set interface "eth3/7" zone "HA"
#set interface "eth3/8" zone "HA"
#set nsrp cluster id 1
#set nsrp cluster name NetscreenFirewall
#set nsrp rto-mirror sync
#set nsrp vsd-group id 0
#set nsrp vsd-group id 0 priority 10

Note: if the interface doesn't come up, you need to manually set the interface duplex and speed by running the following commands.
#set interface eth1/1 phy manual
#set interface eth2/2 phy manual
#exec nsrp sync global-config save (pause for a while)
#reset
             “Configuration modified, save? [y] / n”
             Press the N key.
             The following prompt appears: “System reset, are you sure? y / [n] n”
             Press the Y key.
             The system reboots.
Then log in to the device on the root vsys:
#set interface ethernet2/2.1 manage-ip 10.237.64.13
#set interface ethernet2/2.1 manage ssh
#set interface ethernet2/2.1 manage snmp
#set interface ethernet2/2.1 manage ssl
#set interface ethernet2/2.1 manage ping
#exec nsrp sync global-config check-sum
#save
#exit
