Knowledge Search


[ScreenOS] How do I troubleshoot an Active/Passive NSRP cluster with configurations out of sync?

  [KB9817] Show Article Properties

It is possible that the configuration settings can become unsynchronized; this can happen if you make any configuration changes on one device while another in the cluster reboots or if all HA links fail.  This article documents how to get the cluster back in sync.  This article is also referenced from the NSRP Resolution Guide.
How do I troubleshoot an Active/Passive NSRP cluster with configurations out of sync?
Use the steps below to correct configs out of sync.  To view the flowchart for these steps, select:  KB9817 Flowchart

note: In the article, Firewall-A refers to the device that is initially configured as the Master device. Firewall-B is the device that is initially configured to be the Backup device.

Step1   Did you enter the minimum NSRP configuration options? Refer to: KB6015- What is the basic configuration I need to get an NSRP cluster working.

  • Yes - Continue with Step 2
  • No  - Finish configuring the minimum NSRP parameters.

Step2   Attempt to sync the configurations manually.  

NOTE:  Make sure you perform the command on the correct firewall, and make sure you correctly respond with No to the 'save config' prompt.  

For assistance, consult: KB6351 - How do you sync an Active / Passive NSRP pair.

Continue with Step 3

Step13  Are the configurations now in Sync? For information on how to check, consult: KB6359 - How do I check if the Active/Passive NSRP pair configurations are in sync?

Step4  Are all the Hardware and Software requirements met? For information on the minimum requirements, consult: KB11432 - What are the minimum hardware and software requirements for NSRP.

  • Yes - Continue with Step 5
  • No  - Resolve any deficiencies with the requirements.

Step5  Compare the configuration files between Firewall-A and Firewall-B.  Do they match? For assistance, consult: KB11325 - When comparing the NSRP cluster configuration, what should I check.

Step6  Check list of 'out of sync' possible reasons in KB11326.  

If still out of sync after consulting the list, Continue with Step 7.

Step7  For additional assistance, collect the information listed in KB11175- What information do I need to collect before opening an NSRP case. Once the data has been collected, open a case by either calling in to Juniper Networks Technical Assistance Center at 888-314-JTAC (5822) , 408-745-9500 for domestic or international, OR login to the Case Management tool via the Juniper support site at: Case Management and click on the "Create a Case" link.

Modification History:
2017-12-07: Article reviewed for accuracy. No changes made. Article is correct and complete.
Related Links: