Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] How to compare NSRP cluster configurations to check the differences between them

0

0

Article ID: KB11325 KB Last Updated: 05 Jan 2021Version: 8.0
Summary:

This article explains how to compare configurations between the two firewalls in an NSRP cluster to identify any differences between them.

 

Symptoms:

If after performing the procedure mentioned in KB9817- How do I troubleshoot an Active/Passive NSRP cluster with configurations out of sync, the firewalls are still not in sync, users will want to compare the configurations. How can users find the differences between them?

 

Solution:

Typically, to sync a pair of firewalls, you will execute the following command on the firewall that has the configuration you want to update:

exec nsrp sync global-config save

Afterward, to verify the configurations are in sync, you will execute the command:

exec nsrp sync global-config check-sum

Sometimes, however, the firewalls will still not be in sync. You will then need to compare the configuration files.  

The best way to compare configurations is to download the configuration from each firewall, and then use a text editor to compare the two text configuration files. This will allow you to manually identify the differences between them. There are several text editors that have the file comparison feature. Some text editors are freeware (an easy to use freeware product is Notepad++, which has a nice compare function). Some text editors can be purchased and require a license (such as CSDiff, WinDiff, Ultraedit, Examdiff, and so on). Regardless of the method used to identify the differences, you will then need to update the configuration on one of the firewalls so that it matches the peer. This will require you to update the configuration on whichever device has lines that are missing or are different from those on the peer device.

You will need to obtain the configuration files and then use a text editor to compare the two files. There are two options for obtaining the configuration files:

Option 1:

  • Download the configurations from both the primary and backup firewall to a PC or workstation. The configuration output will be a text file; you can use either the WebUI or CLI commands.

    1. WebUI

Configuration > Update > Config File and select Save to File.

  1. CLI

save config to tftp <tftp_server> <config_filename>
  • Alternatively, you can compare the global config, since that is what NSRP compares for the out-of-sync checksum.

    1. To copy only the global configuration to TFTP, use the following command:

get config global > tftp <tftp_server> <config_global_filename>

Option 2:

  • Execute the command get tech from the CLI on each firewall in the cluster. Edit the resulting files to only have the configuration information.

 

Modification History:

2021-01-05: ​Article reviewed for accuracy, article is correct and accurate

 

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search