[ScreenOS] Reasons for NSRP Configuration to be out of sync


Article ID: KB6425 KB Last Updated: 31 Jul 2018 Version: 7.0

Summary:

This article describes the issue of being unable to sync an NSRP pair.

Symptoms:

Environment:

  • Device configs look identical
  • Have executed 'exec nsrp sync global-config save'

Symptoms & Errors:

  • See 'Warning: configuration out of sync' on console

Solution:

There are a number of possible causes for an NSRP cluster configuration to go out of sync.

  1. Each device in the cluster is using a different ScreenOS version.
    Devices in a cluster MUST be running the same version in order for synchronization to be successful. Identical configs will produce different checksums per version, so the checksums will never match if the ScreenOS versions do not.

  2. Interface configuration should be identical.  For example, if one NetScreen-500 has two ethernet cards, and the other NetScreen-500 has three ethernet cards, you could see some odd ARP entries.  Once you remove the extra card, the configurations from both devices will properly sync up, and the ARP entry behavior will return to normal.

  3. If using an ISG with IDP, make sure that either both devices have IDP or neither does.  You can determine whether a Security Module is installed by issuing 'get system'.  In the following example, the last lines of the 'get system' output reveal the IDP hardware (e.g. IDP detector, engine, pcid, and scio).

    Example:
    nsISG2000(M)-> get system
    Product Name: NSISG2000
    Serial Number: 0079092005000020, Control Number: 00000000
    Hardware Version: 3010(0)-(04), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
    Software Version: 5.0.0r10d.4, Type: Firewall+VPN
    OS Loader Version: 1.1.5
    Feature: IDP1
    Base Mac: 0010.db8e.cbc0
    File Name: default (nsISG2000.5.0.0-IDP1.r10d.4), Checksum: ff9b0d70, Total Memory: 2048MB

    Date 01/29/2007 00:22:46, Daylight Saving Time enabled
    The Network Time Protocol is Disabled
    Up 289 hours 44 minutes 17 seconds Since 16 Jan 2007 22:38:29
    Total Device Resets: 0

    System in NAT/route mode.

    Use interface IP, Config Port: 80
    User Name: netscreen

    IDP files version:
            detector.so     3.0.93716
            engine  3.0.93716
            pcid    3.0.93716
            scio    3.0.93716

  4. Envar settings can also cause an out-of-sync condition, e.g. the IP version. Make sure the devices in the cluster are either both using IPv6 or both not using it. You can check IPv6 or any other envar with the command 'get envar'. In the output below, ipv6=yes means the device is using IPv6.
    Example:

    nsisg2000(M)-> get envar
    last_reset=2007-01-27 10:50:43 by netscreen
    run_image=default (nsISG2000.5.3.0r6.0)
    loader_version=1.1.5
    sme=
    default_image=nsISG2000.5.3.0r6.0
    ipv6=yes
    .hash-seg=6 (1551171909)

     

    To switch both to non-IPv6, issue the command:
    set envar ipv6=no
    To switch both to IPv6, issue the command:
    set envar ipv6=yes

     
  5. Make sure both firewalls in the cluster have the same set of licenses.

Example:

nsisg2000(M)-> get license-key
vsys_key            : 2B1JS/JMbANul5pe3CmDWJV0/
                      ptdCgJBSm8tO6Lat7VBP9lTnAljuIMhiZ4ZVS9OsBuxQx9z3dN
                      C7CfkuXiU+baARvuixjTarWpB+7OjFwCFEtPWWspbe5cvbR5xt
                      ReLfTChmw3pv4LAMA91MbLuZEOzZDcjNWHOqufhp/
                      tvT5d7EeWcJj6NwH3I1wXWlVfOHyliG/
                      n5Rv7bmVfN6YqCYR48LMd8E5rRIggo7oO7zTbWyLoSjJmEeQ/
                      2mKoTNJiHR+OQCvb9BkyyyjgeOStV1KJkHef8keFkSdqd8Eeh2
                      V2hMMsBoVeLj2TjMy5YV13yXxzyUmQbGKMG+hz74xdnSJA==

advanced_key        : 2iLRxKIYKeVFbwk72KC2tFKhrOVDZpew5dJ7etStB2nf+DyQZL
                      9izkYUW0ZB0mHTxxBp05rngWwrez2cF2mKVtyzM4+xvBiOR1hb
                      CwkX5G6zV0rlw5grd2k2jSfJaZ8HZPrna8hhc81KkQmV9GVS3O
                      3f1iI82HoRL5669XhlwVO25WLpt9x+Jgx+sCy3O6eb0c+/
                      LuDYNFBMP5MAVaLYdN1SLruf0taxbHFMCuhG7HQhege5oL4QYm
                      yweo+wcfW5ThKfrkqAFIExEhFR1rfzsZb742b0+XjWpscjx3Oe
                      iuTocr6AbhortFBCKJzlaWKdGqCf479JnBY1yI7WKC/fbgQ==

Model:              Advanced
Sessions:           524288 sessions
Capacity:           unlimited number of users
NSRP:               ActiveActive
VPN tunnels:        10000 tunnels
Vsys:               50 virtual systems
Vrouters:           53 virtual routers
Zones:              128 zones
VLANs:              1000 vlans
Drp:                Enable
Deep Inspection:    Enable
Deep Inspection Database Expire Date: Disable
Signature pack:     Signature update key is missing
IDP:                Disable
AV:                 Enable(1)
Anti-Spam:          Disable(0)
Url Filtering:      Disable

Update server url: nextwave.netscreen.com/key_retrieval
License key auto update : Disabled
Auto update interval : 0 days


nsisg2000(B)-> get license-key
vsys_key            : sasadsaasdae3CmDWJV0/
                      ptdCgJBSm8tO6Lat7VBP9lTnAljuIMhiZ4ZVS9OsBuxQx9z3dN
                      C7CfkuXiU+baARvuixjTarWpB+7OjFwCFEtPWWspbe5cvbR5xt
                      ReLfTChmw3pv4LAMA91MbLuZEOzZDcjNWHOqufhp/
                      tvT5d7EeWcJj6NwH3I1wXWlVfOHyliG/
                      n5Rv7bmVfN6YqCYR48LMd8E5rRIggo7oO7zTbWyLoSjJmEeQ/
                      2mKoTNJiHR+OQCvb9BkyyyjgeOStV1KJkHef8keFkSdqd8Eeh2
                      V2hMMsBoVeLj2TjMy5YV13yXxzyUmQbGKMG+hz74xdnSJA==

advanced_key        : FRVRSFEDFSACSArOVDZpew5dJ7etStB2nf+DyQZL
                      9izkYUW0ZB0mHTxxBp05rngWwrez2cF2mKVtyzM4+xvBiOR1hb
                      CwkX5G6zV0rlw5grd2k2jSfJaZ8HZPrna8hhc81KkQmV9GVS3O
                      3f1iI82HoRL5669XhlwVO25WLpt9x+Jgx+sCy3O6eb0c+/
                      LuDYNFBMP5MAVaLYdN1SLruf0taxbHFMCuhG7HQhege5oL4QYm
                      yweo+wcfW5ThKfrkqAFIExEhFR1rfzsZb742b0+XjWpscjx3Oe
                      iuTocr6AbhortFBCKJzlaWKdGqCf479JnBY1yI7WKC/fbgQ==

Model:              Advanced
Sessions:           524288 sessions
Capacity:           unlimited number of users
NSRP:               ActiveActive
VPN tunnels:        10000 tunnels
Vsys:               50 virtual systems
Vrouters:           53 virtual routers
Zones:              128 zones
VLANs:              1000 vlans
Drp:                Enable
Deep Inspection:    Enable
Deep Inspection Database Expire Date: Disable
Signature pack:     Signature update key is missing
IDP:                Disable
AV:                 Enable(1)
Anti-Spam:          Disable(0)
Url Filtering:      Disable

Update server url: nextwave.netscreen.com/key_retrieval
License key auto update : Disabled
Auto update interval : 0 days
 

For details on how to apply and remove a license from a ScreenOS firewall, refer to KB4199 - [ScreenOS] How to apply a license key to a NetScreen device via Web management.
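
An added example, not part of the Juniper article: a Python sketch that takes the 'get system', 'get envar' and 'get license-key' output captured from each cluster member and lists the mismatches described in steps 1, 3, 4 and 5 (ScreenOS version, IDP hardware, envars such as ipv6, licensed features). The sample captures are constructed and abridged, and the set of envars ignored as per-device values is an assumption.

```python
import re

# Envars expected to differ per device (assumption; extend as needed).
IGNORE_ENVAR = {"last_reset", ".hash-seg"}

def parse_system(text):
    """Fields from 'get system' that must match on both cluster members."""
    ver = re.search(r"Software Version:\s*([^,\s]+)", text)
    return {"software_version": ver.group(1) if ver else None,
            "idp_hardware": "IDP files version:" in text}

def parse_envar(text):
    """key=value lines from 'get envar', minus per-device keys."""
    pairs = (ln.strip().split("=", 1) for ln in text.splitlines() if "=" in ln)
    return {k: v for k, v in pairs if k not in IGNORE_ENVAR}

def parse_license(text):
    """Feature table from 'get license-key'; the key blobs are skipped."""
    feats = {}
    for line in text.splitlines():
        m = re.match(r"(\w[\w ]*?)\s*:\s+(.+)$", line.strip())
        if m and not m.group(1).endswith("_key"):
            feats[m.group(1)] = m.group(2).strip()
    return feats

def cluster_mismatches(dev_a, dev_b):
    """Compare two devices' captures; return one string per differing field."""
    out = []
    for label, parse in (("system", parse_system), ("envar", parse_envar),
                         ("license", parse_license)):
        a, b = parse(dev_a[label]), parse(dev_b[label])
        out += [f"{label}.{k}: {a.get(k)!r} != {b.get(k)!r}"
                for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]
    return out

# Constructed, abridged sample captures (not from a real cluster).
PRIMARY = {
    "system": "Software Version: 5.0.0r10d.4, Type: Firewall+VPN\n"
              "IDP files version:\n    engine  3.0.93716\n",
    "envar": "last_reset=2007-01-27 10:50:43 by netscreen\nipv6=yes\n",
    "license": "vsys_key   : AAAA\nNSRP:   ActiveActive\nAV:     Enable(1)\n",
}
BACKUP = {
    "system": "Software Version: 5.0.0r10d.4, Type: Firewall+VPN\n",
    "envar": "last_reset=2007-01-29 08:00:00 by netscreen\nipv6=no\n",
    "license": "vsys_key   : BBBB\nNSRP:   ActiveActive\nAV:     Disable(0)\n",
}

if __name__ == "__main__":
    print("\n".join(cluster_mismatches(PRIMARY, BACKUP)))
```

An empty result means none of these four causes applies; step 2 (differing interface cards) is not covered by this check.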

The following articles can help with troubleshooting when an NSRP cluster configuration is out of sync:

Modification History:

2018-07-31: Added examples in step 4 and step 5.
