Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[Archive] TCP syslog NSRP fail over is not instantaneous in some circumstances

0

0

Article ID: KB9438 KB Last Updated: 26 Dec 2019Version: 4.0
Summary:
When using TCP for Syslog, and an NSRP fail over event occurs, fail over may not be instantaneous.
Symptoms:
In a NetScreen Security Redundancy Protocol (NSRP) active/passive cluster, TCP Syslog could take up to 2 minutes to failover.  During this time, messages are lost.

When a Juniper firewall fails over from the active device to the passive device and the Syslog source interface is the management (MGT) interface, then the Syslog failover is immediate.

However, if the source interface is an NSRP Virtual Security Interface (VSI) interface, then it can take up to 2 minutes for the Syslog to failover.

When the MGT interface is used, a socket is opened on the both the active and the passive firewalls. During failover, when the passive device becomes the master device, this socket is still open, so the connection between the former passive unit and the Syslog server is up.

When a VSI is used as the egress interface to connect with Syslog server, a socket is not created on the passive unit. The VSI interface is shared on the two devices; on the passive firewall, it is inactive and so it is unable to form a connection to the Syslog server. During NSRP failover, when the passive firewall becomes the master, the Syslog task in ScreenOS monitors the socket and finds that the socket is not ready. It will then create a new socket for Syslog messages. The cycle of the Syslog monitor is 60 seconds.

Based on that, it could take almost 2 minutes to build the new Syslog session.
Solution:

The solution is to use a 'physical' rather than a logical interface for NSRP, such as the MGT interface. Syslog should fail over instantaneously at this point.

Note: This problem only occurs with Syslog using TCP.

Modification History:
2019-12-26: Archived article.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search