
[EOL/EOE] [ScreenOS] PKI configuration not synced in NSRP


Article ID: KB3293
KB Last Updated: 07 Apr 2021
Version: 6.0
Summary:

In an NSRP cluster, synchronization of PKI components does not happen in the following scenarios:

  • When a new device is added to the cluster

  • When NSRP connectivity is lost. Any PKI changes that are made in either device during this period of disconnection do not get synchronized even after NSRP connectivity is re-established.

This article explains the reason and how the synchronization can be achieved.


Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE). 
Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.
Symptoms:

Lab Sample

  1. FW-1 and FW-2 are in a cluster. Currently the PKI objects are in sync:

    FW-1(M)-> get pki x509 list cert     
    
    Getting OTHER PKI OBJECT ...
    IDX  ID num     X509 Certificate Subject Distinguish Name
    ================================================================================
    0000 151519236  CA CERT friendly name <4>
                    OU=Class 3 Public Primary Certification Authority,O=VeriSign
                    , Inc.,C=US,
                    Expire on 08-01-2028 23:59(UTC time), Issued By:
                    OU=Class 3 Public Primary Certification Authority,O=VeriSign
                    , Inc.,C=US,
    0001 24379395   LOCAL CERT friendly name <3>
                    CN=self-signed,CN=Test,CN=Lab.jtaclab.net,CN=dsa-key,CN=XX,
                    OU=Lab,
                    Expire on 08-17-2023 14:59(UTC time), Issued By:
                    CN=self-signed,CN=Test,CN=Lab.jtaclab.net,CN=dsa-key,CN=XX,
                    OU=Lab,
    0002 151519238  CA CERT friendly name <6>
                    CN=VeriSign Class 3 Secure Server CA,OU=Terms of use at http
                    s://www.verisign.com/rpa (c)05,OU=VeriSign Trust Network,O=V
                    eriSign, Inc.,C=US,
                    Expire on 01-18-2015 23:59(UTC time), Issued By:
                    OU=Class 3 Public Primary Certification Authority,O=VeriSign
                    , Inc.,C=US,
    ================================================================================
    
    FW-2(B)-> get pki x509 list cert     
    
    Getting OTHER PKI OBJECT ...
    IDX  ID num     X509 Certificate Subject Distinguish Name
    ================================================================================
    0000 151519236  CA CERT friendly name <4>
                    OU=Class 3 Public Primary Certification Authority,O=VeriSign
                    , Inc.,C=US,
                    Expire on 08-01-2028 23:59(UTC time), Issued By:
                    OU=Class 3 Public Primary Certification Authority,O=VeriSign
                    , Inc.,C=US,
    0001 24379395   LOCAL CERT friendly name <3>
                    CN=self-signed,CN=Test,CN=Lab.jtaclab.net,CN=dsa-key,CN=XX,
                    OU=Lab,
                    Expire on 08-17-2023 14:59(UTC time), Issued By:
                    CN=self-signed,CN=Test,CN=Lab.jtaclab.net,CN=dsa-key,CN=XX,
                    OU=Lab,
    0002 151519238  CA CERT friendly name <6>
                    CN=VeriSign Class 3 Secure Server CA,OU=Terms of use at http
                    s://www.verisign.com/rpa (c)05,OU=VeriSign Trust Network,O=V
                    eriSign, Inc.,C=US,
                    Expire on 01-18-2015 23:59(UTC time), Issued By:
                    OU=Class 3 Public Primary Certification Authority,O=VeriSign
                    , Inc.,C=US,
    ================================================================================
    
  2. NSRP is lost due to link failure and both devices are primary now:

    FW-2(B)-> ethernet0/3 interface change physical state to Down
    FW-2(B)-> save
    Save System Configuration  ... 
    Done
    Unit becomes master of NSRP vsd-group 0
    FW-2(M)-> 
  3. A new certificate is created on FW-1:

    FW-1(M)-> get pki x509 list local-cert 
    
    Getting LOCAL CERT ...
    IDX  ID num     X509 Certificate Subject Distinguish Name
    ================================================================================
    0000 131399685  LOCAL CERT friendly name <5>
                    CN=self-signed,CN=Test123,CN=Lab123.jtaclab.net,CN=dsa-key,C
                    N=XX,OU=Lab,
                    Expire on 08-17-2023 09:02(UTC time), Issued By:
                    CN=self-signed,CN=Test123,CN=Lab123.jtaclab.net,CN=dsa-key,C
                    N=XX,OU=Lab,
    0001 24379395   LOCAL CERT friendly name <3>
                    CN=self-signed,CN=Test,CN=Lab.jtaclab.net,CN=dsa-key,CN=XX,
                    OU=Lab,
                    Expire on 08-17-2023 14:59(UTC time), Issued By:
                    CN=self-signed,CN=Test,CN=Lab.jtaclab.net,CN=dsa-key,CN=XX,
                    OU=Lab,
    ================================================================================
    
  4. Note that the certificate does not get synchronized to FW-2, even after NSRP is re-established:

    FW-2(B)-> get pki x509 list local-cert 
    
    Getting LOCAL CERT ...
    IDX  ID num     X509 Certificate Subject Distinguish Name
    ================================================================================
    0000 24379395   LOCAL CERT friendly name <3>
                    CN=self-signed,CN=Test,CN=Lab.jtaclab.net,CN=dsa-key,CN=XX,
                    OU=Lab,
                    Expire on 08-17-2023 14:59(UTC time), Issued By:
                    CN=self-signed,CN=Test,CN=Lab.jtaclab.net,CN=dsa-key,CN=XX,
                    OU=Lab,
    ================================================================================
Cause:

This behavior is by design.

Solution:

This limitation can be overcome by using one of the following two options:

  1. Reboot the node that needs to copy the PKI objects from the other node. Typically, this would be the backup device or the new hardware that is being added to the cluster following an RMA.

  2. Execute the exec nsrp sync pki command on the backup or new device.

 

In this example, the exec nsrp sync pki command is executed on the backup device, FW-2, to trigger the synchronization:

FW-2(B)-> exec nsrp sync pki
FW-2(B)-> get pki x509 list local-cert 

Getting LOCAL CERT ...
IDX  ID num     X509 Certificate Subject Distinguish Name
================================================================================
0000 131399685  LOCAL CERT friendly name <5>
                CN=self-signed,CN=Test123,CN=Lab123.jtaclab.net,CN=dsa-key,C
                N=XX,OU=Lab,
                Expire on 08-17-2023 09:02(UTC time), Issued By:
                CN=self-signed,CN=Test123,CN=Lab123.jtaclab.net,CN=dsa-key,C
                N=XX,OU=Lab,
0001 24379395   LOCAL CERT friendly name <3>
                CN=self-signed,CN=Test,CN=Lab.jtaclab.net,CN=dsa-key,CN=XX,
                OU=Lab,
                Expire on 08-17-2023 14:59(UTC time), Issued By:
                CN=self-signed,CN=Test,CN=Lab.jtaclab.net,CN=dsa-key,CN=XX,
                OU=Lab,
===============================================================================
 

After executing exec nsrp sync pki, the certificates are copied to FW-2.
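The lab steps above show the drift by eye; as an added example (not Juniper's code or part of the original article), the following Python parses the `get pki x509 list cert` / `list local-cert` output captured from both NSRP members and reports the ID numbers that one member is missing, so the same check can be run after a failover or an RMA and again after `exec nsrp sync pki` to confirm the copy completed. The sample output is constructed from the article's step 3 and step 4 listings; the regular expressions assume the column layout shown in those listings.

```python
import re

# Constructed sample modelled on the article's step 3 / step 4 output:
# FW-1 (primary) holds the new local cert 131399685, FW-2 (backup) does not.
FW1_LOCAL = """\
================================================================================
0000 131399685  LOCAL CERT friendly name <5>
                CN=self-signed,CN=Test123,CN=Lab123.jtaclab.net,CN=dsa-key,C
                N=XX,OU=Lab,
                Expire on 08-17-2023 09:02(UTC time), Issued By:
                CN=self-signed,CN=Test123,CN=Lab123.jtaclab.net,CN=dsa-key,C
                N=XX,OU=Lab,
0001 24379395   LOCAL CERT friendly name <3>
                CN=self-signed,CN=Test,CN=Lab.jtaclab.net,CN=dsa-key,CN=XX,
                OU=Lab,
                Expire on 08-17-2023 14:59(UTC time), Issued By:
                CN=self-signed,CN=Test,CN=Lab.jtaclab.net,CN=dsa-key,CN=XX,
                OU=Lab,
================================================================================
"""
FW2_LOCAL = FW1_LOCAL[FW1_LOCAL.index("0001 "):]   # backup: only the old cert

ENTRY_RE = re.compile(r"^\d{4}\s+(\d+)\s+(CA|LOCAL) CERT friendly name <\d+>")
EXPIRE_RE = re.compile(r"^Expire on (.+)\(UTC time\), Issued By:$")

def parse_pki_list(output):
    """Parse 'get pki x509 list cert|local-cert' output into {ID num: info}."""
    certs, cur, part = {}, None, "subject"
    for raw in output.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.match(line):
            cur = {"kind": m.group(2), "subject": "", "issuer": "", "expires": ""}
            certs[m.group(1)], part = cur, "subject"
        elif line.startswith("="):      # table border ends the entry block
            cur = None
        elif cur is None or not line:   # headers, prompts, blank lines
            continue
        elif e := EXPIRE_RE.match(line):
            cur["expires"], part = e.group(1), "issuer"
        else:                           # DNs wrap mid-token, so join with ""
            cur[part] += line
    return certs

def find_drift(primary_out, backup_out):
    """IDs on primary but not backup (sync still needed), and vice versa."""
    p, b = parse_pki_list(primary_out), parse_pki_list(backup_out)
    return sorted(set(p) - set(b)), sorted(set(b) - set(p))

print(find_drift(FW1_LOCAL, FW2_LOCAL))   # (['131399685'], [])
```

Feed it the real captures from both members; an empty first list after `exec nsrp sync pki` confirms the backup now holds every PKI object the primary has.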

 

Modification History:

2021-04-07: Updated the article terminology to align with Juniper's Inclusion & Diversity initiatives
2018-09-10: Added lab output, reworded the article, and added conditions in which PKI objects do not get synchronized in NSRP. Re-organized content for clarity
