Managing the secondary device in an Active/Passive pair operating in Transparent mode.

Environment:

• Active/Passive NSRP configuration
• Firewalls in Transparent mode
• Manage the Passive device in NSRP
• Manage the backup device in Transparent mode

Symptoms & Errors:

• Cannot manage the passive device
• No problem with managing the primary firewall

When operating in Transparent mode, the backup in an Active/Passive pair can only be managed from one Layer 2 zone at a time.  By default, this zone is V1-Trust.

If management is needed from V1-Untrust, V1-DMZ, or a custom layer 2 zone, use the command:

set interface vlan1 nsrp manage zone <zone name>

Note: This command must be enabled on both devices in the NSRP cluster.

The current management zone can be checked with the 'get interface vlan1' command:

204(B)-> get interface vlan1
Interface vlan1:
  number 15, if_info 6000, if_index 0, VLAN tag 1, mode nat
  link inactive, phy-link up/full-duplex
  vsys Root, zone MGT, vr trust-vr
  ip 192.168.1.1/24   mac 0010.dbff.20f0
  manage ip 192.168.1.2, mac 0010.db27.68cf
  ping enabled, telnet enabled, SCS enabled, SNMP enabled
  web disabled, SSL enabled
  webauth disabled, webauth-ip 0.0.0.0
  OSPF disabled BGP disabled
  DHCP-elay disabled
  bandwidth: physical 100000kbps, configured 0kbps, current 0kbps
             total configured gbw 0kbps, total allocated gbw 0kbps
  unknown mac address resolve method: FLOOD
  vlan trunk: Off
  bypass others IPSEC: Off
  In backup mode, only traffic from V1-TRUST can manage the box

Note: Ensure tthe manage-ip addresses are different for both the primary and backup firewalls.  For more information on configuring a manage IP address, refer to KB4059 - [ScreenOS] Configuring a Manage IP Address on Juniper firewall.

For more info on interface VLAN1, see KB4862 - What is the function of the vlan1 interface.

 

2021-01-04: Minor non-technical changes were made. Article reviewed for accuracy. Article is correct and complete.