Configuring NSRP clusters for failover between Juniper SSG 140
This config assumes that you are using ports 0/8 and 0/9 for trust and untrust. You also need to define two HA ports to carry the heartbeat and session information between the firewalls; I used ports 0/0 and 0/1.
SSG1
set interface "ethernet0/0" zone "HA"
set interface "ethernet0/1" zone "HA"
set nsrp cluster id 1
set nsrp cluster name Cluster
set nsrp rto-mirror sync
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 100
set nsrp arp 20
set nsrp secondary-path ethernet0/8
set nsrp monitor interface ethernet0/8
set nsrp monitor interface ethernet0/9
SSG2
set interface "ethernet0/0" zone "HA"
set interface "ethernet0/1" zone "HA"
set nsrp cluster id 1
set nsrp cluster name Cluster
set nsrp rto-mirror sync
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 150
set nsrp arp 20
set nsrp secondary-path ethernet0/8
set nsrp monitor interface ethernet0/8
set nsrp monitor interface ethernet0/9
If you have a backup firewall that has been out of sync for a few days or was switched off, log on to that firewall and type the following to sync it:
exec nsrp sync global-config save
Then reboot the backup firewall to bring the config into sync. You should see a message like the one below.
Cluster:SSG140(B)-> exec nsrp sync global-config save
Cluster:SSG140(B)-> load peer system config to save
Save global configuration successfully.
Continue to save local configurations ...
Save local configuration successfully.
done.
Please reset your box to let cluster configuration take effect!
Under certain conditions, the failure of NSRP monitored objects can cause both devices in a cluster to become inoperable. A CLI command is available to ensure one device is still elected as master and can forward traffic.
set nsrp vsd-group master-always-exist
See the Juniper KB article for more information: http://kb.juniper.net/InfoCenter/index?page=content&id=KB11331
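Before pushing the two configurations above, it is worth checking them against each other: a mismatched cluster id or name, equal VSD priorities, a differing monitored-interface set, or master-always-exist missing on one unit are the kinds of inconsistencies that turn a failover into an outage. The script below is an added example, not part of the original post or any Juniper tool. It parses the "set nsrp" and HA-zone lines from each unit's config (the two sample configs are the ones from this post, embedded as strings), reports the inconsistencies just named, and says which unit ScreenOS will elect as VSD master. The function and field names are this script's own.

```python
"""Consistency check for a pair of ScreenOS NSRP cluster configurations.

Added example (not from the post or from Juniper). Parses the "set nsrp ..."
and 'set interface ... zone "HA"' lines of each unit's configuration and
reports the mismatches that typically prevent a clean failover.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Sample configs copied from the post (SSG2 differs only in VSD priority).
SSG1 = """
set interface "ethernet0/0" zone "HA"
set interface "ethernet0/1" zone "HA"
set nsrp cluster id 1
set nsrp cluster name Cluster
set nsrp rto-mirror sync
set nsrp vsd-group master-always-exist
set nsrp vsd-group id 0 priority 100
set nsrp arp 20
set nsrp secondary-path ethernet0/8
set nsrp monitor interface ethernet0/8
set nsrp monitor interface ethernet0/9
"""
SSG2 = SSG1.replace("priority 100", "priority 150")


@dataclass
class NsrpConfig:
    ha_interfaces: Set[str] = field(default_factory=set)
    cluster_id: Optional[int] = None
    cluster_name: Optional[str] = None
    rto_mirror: bool = False
    master_always_exist: bool = False
    vsd_priority: Dict[int, int] = field(default_factory=dict)  # VSD id -> priority
    secondary_path: Optional[str] = None
    monitored: Set[str] = field(default_factory=set)


# (regex, handler) pairs; each handler records one matching CLI line.
_RULES = [
    (r'set interface "?([\w/]+)"? zone "?HA"?', lambda c, m: c.ha_interfaces.add(m[1])),
    (r"set nsrp cluster id (\d+)", lambda c, m: setattr(c, "cluster_id", int(m[1]))),
    (r"set nsrp cluster name (\S+)", lambda c, m: setattr(c, "cluster_name", m[1])),
    (r"set nsrp rto-mirror sync", lambda c, m: setattr(c, "rto_mirror", True)),
    (r"set nsrp vsd-group master-always-exist", lambda c, m: setattr(c, "master_always_exist", True)),
    (r"set nsrp vsd-group id (\d+) priority (\d+)", lambda c, m: c.vsd_priority.update({int(m[1]): int(m[2])})),
    (r"set nsrp secondary-path (\S+)", lambda c, m: setattr(c, "secondary_path", m[1])),
    (r"set nsrp monitor interface (\S+)", lambda c, m: c.monitored.add(m[1])),
]


def parse_nsrp(text: str) -> NsrpConfig:
    """Extract the NSRP-relevant settings from one unit's 'set' lines."""
    cfg = NsrpConfig()
    for raw in text.splitlines():
        line = raw.strip()
        for pattern, handler in _RULES:
            m = re.fullmatch(pattern, line)
            if m:
                handler(cfg, m)
                break
    return cfg


def check_pair(a: NsrpConfig, b: NsrpConfig) -> List[str]:
    """Return a list of problems; an empty list means the pair looks consistent."""
    problems: List[str] = []
    for name, cfg in (("A", a), ("B", b)):
        if len(cfg.ha_interfaces) < 2:
            problems.append(f"unit {name}: fewer than two interfaces in zone HA (no redundant HA link)")
        if not cfg.rto_mirror:
            problems.append(f"unit {name}: rto-mirror sync not set (sessions will not survive failover)")
        if not cfg.master_always_exist:
            problems.append(f"unit {name}: master-always-exist not set (monitor failures can leave no master)")
        if not cfg.monitored:
            problems.append(f"unit {name}: no monitored interfaces, link failures will not trigger failover")
    if a.cluster_id is None or a.cluster_id != b.cluster_id:
        problems.append(f"cluster id mismatch: {a.cluster_id} vs {b.cluster_id}")
    if a.cluster_name != b.cluster_name:
        problems.append(f"cluster name mismatch: {a.cluster_name!r} vs {b.cluster_name!r}")
    if a.secondary_path != b.secondary_path:
        problems.append(f"secondary-path differs: {a.secondary_path} vs {b.secondary_path}")
    if a.monitored != b.monitored:
        problems.append(f"monitored interfaces differ: {sorted(a.monitored)} vs {sorted(b.monitored)}")
    for vsd in sorted(set(a.vsd_priority) | set(b.vsd_priority)):
        pa, pb = a.vsd_priority.get(vsd), b.vsd_priority.get(vsd)
        if pa is None or pb is None:
            problems.append(f"vsd-group {vsd} is configured on only one unit")
        elif pa == pb:
            problems.append(f"vsd-group {vsd}: both units have priority {pa}; master is decided by tie-break, not config")
    return problems


def expected_master(a: NsrpConfig, b: NsrpConfig, vsd: int = 0) -> Optional[str]:
    """ScreenOS elects the unit with the LOWER priority value as VSD master."""
    pa, pb = a.vsd_priority.get(vsd), b.vsd_priority.get(vsd)
    if pa is None or pb is None or pa == pb:
        return None
    return "A" if pa < pb else "B"


if __name__ == "__main__":
    unit_a, unit_b = parse_nsrp(SSG1), parse_nsrp(SSG2)
    for problem in check_pair(unit_a, unit_b) or ["no inconsistencies found"]:
        print(problem)
    print("expected VSD 0 master:", expected_master(unit_a, unit_b))
```

Run against the two configs from this post the check reports no inconsistencies and names unit A (priority 100) as the expected master, since a lower priority value wins the election. To use it on real devices, paste the output of "get config" from each unit into the two strings; lines the rules do not recognise (such as "set nsrp arp 20") are ignored.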
Categorised as: Juniper