
[ScreenOS] Issues with runtime synchronization of configuration in NetScreen Redundancy Protocol (NSRP)


Article ID: KB30830 KB Last Updated: 29 Sep 2020Version: 2.0
Summary:

When configuration changes are made on one device of an active/passive cluster, they are not reflected in the configuration of the other device. A manual sync using the command ‘exec nsrp sync global-config save’, followed by a reboot, does bring the configuration back in sync across the two devices.

Symptoms:
The goal is runtime synchronization of the configuration in an NSRP active/passive cluster whenever a configuration change is made on either firewall, such as a change to policies, routes, address objects or admin users. This article explains why this does not work in some instances and the best way to address it.
Solution:

In an active/passive cluster, when configuration changes are made on one device, the debug NSRP sync output captured on both devices reveals that the configuration command was sent out from the primary and seen as received on the backup. However, the backup device failed to install the received command into its configuration. This is because the configuration change was made by a user who has ‘Read/Write’ privileges on the external authentication server, but only ‘Read Only’ privilege in the local database.

Example:

The user, admin_user1 is configured on the local database as follows:

set admin user "admin_user1" password "nKgSHirGLPbDcPPDKsOM/oIthVH9/n" privilege "read-only"

The external authentication server is configured to assign privileges to the remotely authenticated users:
 
set admin auth remote primary
set admin auth remote root
set admin privilege get-external

 
If you are logged in to both the primary and the backup as an externally authenticated Read/Write user, you can configure items individually on either device.
 
2015-11-19 14:07:27 system warn 00519 Admin user admin_user1 has been accepted via the TACACS server at <IP address>.
 
See the current user's privilege with the following command:

NS-ISG2000(M)-> get admin user login
No. Name        Vsys       Date       Time     Source  IP Addr         Auth Type  Role      Time Remain
--- ----------  ---------- ---------- -------- ------- --------------- --------- ---------- ----------
1   admin_user1 Read/Write 2015-11-19 14:07:27 ssh     10.132.48.100   TACACS - N/A


However, when the change from one device was propagated to the backup, it failed because of this inconsistency between the privilege the same user has locally and the privilege assigned by the external server.

When the NSRP module performs the configuration sync, the primary sends the command to the backup together with the command version, user name and vsys name.

Example debug:
 
## 2015-11-19 14:23:53 : receive the task id and record it to org_sync_request_tid 93
cmd ver: 7 flag: 0
vsys_name: Root
user_name: admin_user1
cmd: set address trust name 1.2.3.6/32

 
When the backup device tries to execute the command received from configuration sync, it queries the authorization module with the user name. The ScreenOS code does not take into account that there is an active session for that user with remotely assigned privileges. Its decision is based on the following:
  • If the user is present in the local database, the local privilege is used.
  • If the user is not in the local database, the privilege sent by the primary is used.
In this case, since the user was present locally with Read Only privilege, the command execution failed on the backup, causing the configuration to go out of sync. It is therefore recommended to use different usernames for local users and remote users. If the same username must be kept in both places, it should have the same privilege in both databases.
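As an added illustration (not code from the KB article or from ScreenOS), the following Python models the backup's privilege lookup described above and flags local admin accounts whose privilege differs from the one the external server assigns. The sample config and the remote privilege map are constructed; the "read-write" label is a placeholder for this example, not ScreenOS syntax.

```python
import re

# Pattern for the ScreenOS local admin definition quoted in the article.
ADMIN_LINE = re.compile(
    r'^set admin user "(?P<name>[^"]+)" password "[^"]*" privilege "(?P<priv>[^"]+)"$'
)

# Constructed sample config: admin_user1 is the article's local read-only user;
# "localonly" and its placeholder hash are made up for this example.
SAMPLE_CONFIG = """
set admin user "admin_user1" password "nKgSHirGLPbDcPPDKsOM/oIthVH9/n" privilege "read-only"
set admin user "localonly" password "PLACEHOLDER_HASH" privilege "read-only"
set admin auth remote primary
set admin auth remote root
set admin privilege get-external
"""

# Constructed view of what the external (TACACS) server assigns; the label
# "read-write" is an assumption for this example, not ScreenOS syntax.
REMOTE_PRIVILEGES = {"admin_user1": "read-write", "remote_only": "read-write"}


def parse_local_admins(config_text):
    """Return {username: local privilege} from 'set admin user' lines."""
    admins = {}
    for line in config_text.splitlines():
        m = ADMIN_LINE.match(line.strip())
        if m:
            admins[m.group("name")] = m.group("priv")
    return admins


def backup_effective_privilege(local_admins, sync_user, sync_privilege):
    """Model the backup's lookup: a local entry for the user wins; only an
    unknown user gets the privilege sent along with the synced command."""
    return local_admins.get(sync_user, sync_privilege)


def sync_command_fails(local_admins, sync_user, sync_privilege):
    """A synced 'set' command is rejected when the effective privilege is read-only."""
    return backup_effective_privilege(local_admins, sync_user, sync_privilege) == "read-only"


def find_sync_risks(local_admins, remote_privileges):
    """Usernames defined both locally and remotely with differing privileges;
    changes made by these accounts will not be applied on the backup."""
    return sorted(u for u, p in remote_privileges.items()
                  if u in local_admins and local_admins[u] != p)


if __name__ == "__main__":
    local = parse_local_admins(SAMPLE_CONFIG)
    for user in find_sync_risks(local, REMOTE_PRIVILEGES):
        print(f"{user}: local={local[user]} remote={REMOTE_PRIVILEGES[user]} -> sync will fail")
```

Running the check against an exported ScreenOS configuration and a list of externally authenticated admins identifies the accounts that need to be renamed or given matching privileges before sync will work.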
Modification History:
2020-09-29 : Article reviewed for accuracy. No changes required. Article is correct and complete.