Juniper SRX240 Clustering – Policy out of sync

juniper-srx

I have two Juniper SRX240's in a cluster. After re-ordering some security policies on the primary device and committing them ok I now can not make any other changes without the warning

error: Policy is out of sync between RE and PFE cluster1.node1. Please resync before commit.

error: configuration check-out failed

I have found this KB article http://kb.juniper.net/InfoCenter/index?page=content&id=KB25143&smlogin=true and I have rebooted both of the nodes (multiple times now) and they are still out of sync.

I found out about a command "commit synchronize force" but that won't work on a SRX 240.

Does anyone know how I can force a resync of these two devices? They are currently live so I can't keep rebooting them in the middle of the day.

I am running version: JUNOS 12.1R6.5

Best Answer

You description is implying the issue is between the primary and secondary nodes, but the article is referencing an out of sync between the Control Plane and Data Plane ( or Routing Engine and Packet Forwarding Engine.

If it is indeed the PFE out of Sync you might also try the hidden command 'commit full'.

I know I had an issue where my 2 routing engines were out of sync. I don't recall if it was on a cluster SRX or something like a VC switch or dual RE router. In my case it was because I had issued a 'commit confirmed' and let the timer expire. The backup RE was out of sync. I had to log into the backup RE and manually do a 'rollback 1' to get them back in sync.

Related Solutions

How to log out of state sessions on Juniper SRX platform

Packets should be classified regardless of the TCP handshake being watched or not. If there isn't a session defined for that flow (fast path) a new one should be created (first path).

Do you have any screen configured?? Maybe it's the screen that's dropping the traffic.

More details on Troubleshooting Traffic Flows and Session Establishment

Maybe you can configure a log file with traceoptions:

security {
  flow {
        traceoptions {
            file trace_file;
            flag basic-datapath;
            packet-filter Match {
                protocol tcp;
                source-prefix <source-ip>;
                destination-prefix <dest-ip>;
                destination-port <tcp-port>;
            }
        }
    }
}

Beware of these traces, since it can cause high CPU load on the SRX if it's carrying a lot of traffic. Limit the filter as much as possible and run it during a maintenance window.

Juniper SRX240H loses connectivity to upstream router

Here's some version info that should help. I think that the other thing that immediately strikes me is autonegotiation being disabled, which shouldn't be necessary. Is this something that your provider is asking for, or based on learned behaviors? I recommend reading what's out there, since autonegotiation has been recommended for over 10 years. Anything you're connecting to should work fine with it as well (the last time I had issues was on a 3500XL - we're talking ooooold). Check out:

http://etherealmind.com/ethernet-autonegotiation-works-why-how-standard-should-be-set/

First off, Junos 11.4R7.5 is the supported release recommended for SRX240, as of 8 April 2013, per JTAC (since you mentioned versions).

http://kb.juniper.net/InfoCenter/index?page=content&id=KB21476 (need login)

Also, JTAC recommends EEOL releases on SRX or J Series for IPsec features (may or may not apply, but FYI). (For me, the only releases available for SRX240H on juniper.net are 10.4, 11.4, and 12.1 - that may help set your expectations on what to run.)

http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2013-01-822&actionBtn=Search (need login)

You are also running a version that was released before the malformed TCP vulnerability came out. I shudder to think that a live exploit exists, but you definitely need to be on versions that were published around January or February 2013, or later. The versions you need for 11.2 are 11.2R5.5 or 11.2R7.5 (or higher)

http://osvdb.org/89751

I mentioned versions because the SRX is a 'rapidly evolving' platform as well, and anecdotal evidence and hearsay suggests that you'll want to upgrade more frequently.

Best Answer

Related Solutions

How to log out of state sessions on Juniper SRX platform

Juniper SRX240H loses connectivity to upstream router

Related Topic