Configuring NSRP clusters for failover between Juniper SSG 140

This configuration assumes that you are using ports 0/8 and 0/9 for the trust and untrust zones. You also need to define two HA ports to carry heartbeat and session information between the firewalls; I used ports 0/0 and 0/1.

SSG1

set interface "ethernet0/0" zone "HA"
set interface "ethernet0/1" zone "HA"
set nsrp cluster id 1
set nsrp cluster name Cluster
set nsrp rto-mirror sync
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 100
set nsrp arp 20
set nsrp secondary-path ethernet0/8
set nsrp monitor interface ethernet0/8
set nsrp monitor interface ethernet0/9

SSG2

set interface "ethernet0/0" zone "HA"
set interface "ethernet0/1" zone "HA"
set nsrp cluster id 1
set nsrp cluster name Cluster
set nsrp rto-mirror sync
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 150
set nsrp arp 20
set nsrp secondary-path ethernet0/8
set nsrp monitor interface ethernet0/8
set nsrp monitor interface ethernet0/9

If the backup firewall has been out of sync for a few days or was switched off, log on to it and type

exec nsrp sync global-config save

Then reboot the backup firewall to bring its configuration into sync; you should see a message like the one below.

Cluster:SSG140(B)-> exec nsrp sync global-config save
Cluster:SSG140(B)-> load peer system config to save
Save global configuration successfully.
Continue to save local configurations ... Save local configuration successfully.
done.
Please reset your box to let cluster configuration take effect!

Under certain conditions, the failure of NSRP monitored objects can cause both devices in a cluster to become inoperable. A CLI command is available to ensure one device is still elected as master and can forward traffic.

set nsrp vsd-group master-always-exist

See the Juniper KB article for more information:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB11331
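Before relying on the failover, it is worth checking that the two members really do agree on their NSRP settings. The following is an added Python example, not from the original post or from Juniper: it parses the two config blocks above (embedded as constructed sample text) and reports mismatched cluster settings, equal vsd-group priorities, a single HA port, or a missing `rto-mirror sync` / `master-always-exist` line. It assumes each member's config has been pasted in as plain `set` lines.

```python
import re

# Constructed sample: the two member configs from the post (SSG2 differs only in priority).
SSG1 = """\
set interface "ethernet0/0" zone "HA"
set interface "ethernet0/1" zone "HA"
set nsrp cluster id 1
set nsrp cluster name Cluster
set nsrp rto-mirror sync
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 100
set nsrp secondary-path ethernet0/8
set nsrp monitor interface ethernet0/8
set nsrp monitor interface ethernet0/9
"""
SSG2 = SSG1.replace("priority 100", "priority 150")

def parse_nsrp(text):
    """Pull the HA-relevant 'set' lines out of a ScreenOS config dump; other lines are ignored."""
    s = {"ha_ports": set(), "monitor": set(), "flags": set(), "vsd": {}}
    for raw in text.splitlines():
        line = raw.strip().replace('"', "")  # ScreenOS quotes names; drop them for matching
        if m := re.fullmatch(r"set interface (\S+) zone HA", line):
            s["ha_ports"].add(m.group(1))
        elif m := re.fullmatch(r"set nsrp cluster (id|name) (\S+)", line):
            s["cluster_" + m.group(1)] = m.group(2)
        elif m := re.fullmatch(r"set nsrp vsd-group id (\d+) priority (\d+)", line):
            s["vsd"][int(m.group(1))] = int(m.group(2))  # lower value wins the master election
        elif m := re.fullmatch(r"set nsrp monitor interface (\S+)", line):
            s["monitor"].add(m.group(1))
        elif m := re.fullmatch(r"set nsrp secondary-path (\S+)", line):
            s["secondary_path"] = m.group(1)
        elif line in ("set nsrp rto-mirror sync", "set nsrp vsd-group master-always-exist"):
            s["flags"].add(line.removeprefix("set nsrp "))
    return s

def check_pair(a, b):
    """Return a list of problems found between two members; an empty list means they agree."""
    shared = ("cluster_id", "cluster_name", "ha_ports", "monitor", "secondary_path", "flags")
    problems = [f"{k} differs: {a.get(k)} vs {b.get(k)}" for k in shared if a.get(k) != b.get(k)]
    if len(a["ha_ports"]) < 2:
        problems.append("fewer than two HA ports: the heartbeat link has no redundancy")
    for vsd in set(a["vsd"]) | set(b["vsd"]):
        if a["vsd"].get(vsd) == b["vsd"].get(vsd):
            problems.append(f"vsd-group {vsd}: equal priorities, set a lower value on the intended master")
    for flag in ("rto-mirror sync", "vsd-group master-always-exist"):
        if flag not in a["flags"]:
            problems.append(f"'{flag}' missing: failover will not behave as described")
    return problems

if __name__ == "__main__":
    print(check_pair(parse_nsrp(SSG1), parse_nsrp(SSG2)) or "members are consistent")
```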

Categorised as: Juniper
