
[ScreenOS] How do I check if the Active/Passive NSRP pair configurations are in sync?



Article ID: KB6359  KB Last Updated: 20 Mar 2020  Version: 10.0

This article explains the commands used to check whether the configurations of an NSRP pair are in sync.

Symptoms & Errors:
  • How do I check if the Active/Passive NSRP configurations are in sync?
  • When I run the 'NSRP checksum' command, no output is returned.

On either the Primary or Backup device, enter the following command to determine whether the configurations of an NSRP pair are in sync:

exec nsrp sync global-config check-sum [Enter]

The output is reported on the CONSOLE of the firewall. If no output is returned when you run the command, see the Note below.
If the configurations are out of sync, refer to KB6351: How do I synchronize configs for NSRP v2?

NOTE: If you are not connected to the firewall via the console (i.e. you are connected via Telnet or SSH), the output of the command can be viewed with 'get db str' or 'get log sys':
Output via TELNET

ns5200(B)-> exec nsrp sync global-config check-sum
ns5200(B)-> get db str
Warning: configuration out of sync

Output via CONSOLE

ns5200(B)-> exec nsrp sync global-config check-sum
ns5200(B)-> Warning: configuration out of sync

Output via 'get log sys'

nsisg2000(M)-> get log sys
## 2008-03-10 22:47:17 : VSD group (0) change state to Passive
## 2008-03-12 16:00:17 : VSD group (0) change state to Active
## 2008-03-14 15:44:24 : configuration out of sync (local checksum 423391316 !=
remote checksum 108606823)

The most recent events are at the bottom of the 'get log sys' output. Confirm that the 'Configuration out of sync' or 'Configuration in sync' entry carries the date on which you ran the command.
NOTE: Sometimes, even though the configs are in sync, the sessions and other RTOs (Run Time Objects) may not be in sync. The command 'set nsrp rto-mirror sync' should be configured on each of your firewalls to synchronize RTOs (i.e. session table entries, ARP cache entries, DHCP leases, IPSec security associations, etc.). In the event of a failover, it is critical that the current RTOs be maintained by the new primary device to avoid service interruption. The command get nsrp | inc "run time object" will report 'enabled' if this command is set.
Modification History:
2020-03-20: Minor, non-technical edits.