In situations with SNMP or IPSec configured, a failover of the NSRP device can mean a disruption in communication for SNMP or IPSec.
The basic configuration steps for the following topology are documented in this solution.
By default, ScreenOS sets the priority to 100.
These instructions were performed on an SSG-500.
Configure NTP, if applicable.
For assistance with configuring a pair of firewalls for NSRP, follow the steps below.
Y/n n
firewall-B(B)- System reset.
Recommended: Configure the NSRP cluster for management by adding a manage-ip on the VSI interface. When configured in the Active/Passive HA setup, there are situations where we need to manage both the Master and Backup firewall at the same time.
Defining a single name for all cluster members allows SNMP communication and the use of digital certificates to continue without interruption after failover.
Important: Other NSRP firewall pairs on the same segment must have a different set of cluster ids.
Important: If you are prompted to save the configuration after you enter the reset command, answer n (No).
Firewall-B(B)- Please reset your box to let cluster configuration to take effect!
Note: Only one digital certificate is required for an NSRP cluster.
set interface ethernet0/4 zone HA
Configure the NSRP cluster id: set nsrp cluster id 1
Both firewalls in the cluster must have the same id.
Later, if the original Master, Firewall-A (which has a lower priority and preempt configured), recovers, Firewall-A will take back the Master role.
Then, proceed with the reboot by answering y (Yes).
Firewall-A(M)- set interface e0/1 manage-ip
On the backup firewall, you can configure IP:
firewall-B(B)- set interface e0/1 manage-ip
For more information on configuring a manage IP, see KB4059.
Then proceed to the next step when ready to configure NSRP.
Otherwise, the firewall will go to the (I) Inoperable state; for more information, see KB11327.
For more information on assigning the HA ports, refer.
Firewall-B(B)- reset
firewall-B(B)- Configuration modified.
Start configuring NSRP by choosing the interface(s) for.
The same concept applies to the other models that support NSRP; the difference being the interface notation or dedicated HA port.
In the event that either one of the interfaces goes down, Firewall-A will initiate a fail over to Firewall-B, and Firewall-B will continue to pass traffic.
Note: Steps 11 and 12 can be performed before step 7; however, for simplicity, they are performed at this point.