Hello Y'all, I am quite new to Juniper and just learning the ropes.
I am hoping someone can help out. I am trying to configure NSRP on two SSG5s in an active/passive cluster.
The set up is such that each SSG5 is connected to a different ISP for failover in the event of downtime experienced on the primary link.
I have installed the extended licenses on the two firewalls and both are active.
The problem I am having is that when I run "exec nsrp sync global-config save" to get the config in sync, I notice that all of the config of the first SSG is copied onto the second firewall (or vice versa), even though this command is only issued on the second SSG.
This includes IP addresses, DNS configuration, even MIPs etc., which get copied such that both have the same configuration. I have read on one of the threads that it is not possible to configure an active/passive cluster using two different ISPs because VSIs are created for both the trust and untrust interfaces.
Could this be the reason why I am getting this? Any pointers in the right direction would be most appreciated.
I would also like to know if the way I have set up the firewalls is in line with best practices or not.
I have set int eth0/0 as the untrust interface. I have set int eth0/2 as the trust interface, but I have been advised to leave this as part of bgroup0 and assign the IP address meant for the interface to bgroup0. I have set int eth0/6 as the HA link on both firewalls.
I have added the nsrp config for both firewalls below.
Firewall 1.
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt
set nsrp interface bgroup0
set nsrp monitor interface bgroup0
set nsrp monitor interface ethernet0/0
set nsrp ha-link probe
Firewall 2.
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 100
set nsrp interface bgroup0
set nsrp monitor interface ethernet0/0
set nsrp monitor interface bgroup0
set nsrp ha-link probe
Thanks
#Active-PassiveCluster#NSRP
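As an added example (not part of the original post, and not Juniper code), here is a small checker that parses the two NSRP fragments above and reports the asymmetries that would keep an SSG pair from forming a clean cluster: mismatched cluster id, equal VSD-group priorities, different monitored interfaces, or rto-mirror / ha-link probe missing on one side. It assumes standard ScreenOS NSRP election semantics (lower priority number wins the VSD group, default priority 100) and the names "Firewall 1" / "Firewall 2" from the post; the sample input is the posted config copied in verbatim, including the stray trailing period. It does not answer the two-ISP question, it only tells you whether the two halves of the pair agree.

```python
"""Consistency check for a pair of ScreenOS NSRP config fragments (added example)."""
import re
from typing import Dict, List

# Constructed input: the two fragments exactly as posted. The trailing period on
# the last line of firewall 2 is kept on purpose to show the parser tolerates it.
FW1_CONFIG = """\
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt
set nsrp interface bgroup0
set nsrp monitor interface bgroup0
set nsrp monitor interface ethernet0/0
set nsrp ha-link probe
"""

FW2_CONFIG = """\
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 100
set nsrp interface bgroup0
set nsrp monitor interface ethernet0/0
set nsrp monitor interface bgroup0
set nsrp ha-link probe.
"""

DEFAULT_PRIORITY = 100  # ScreenOS default VSD-group priority (assumption); lower number wins


def parse_nsrp(text: str) -> Dict:
    """Pick the NSRP-relevant settings out of a ScreenOS 'set' dump."""
    cfg = {
        "cluster_id": None,
        "rto_mirror": False,
        "priority": {},        # vsd-group id -> priority value
        "preempt": set(),      # vsd-group ids with preempt enabled
        "nsrp_interface": None,
        "monitor": set(),      # interfaces tracked by 'set nsrp monitor interface'
        "ha_link_probe": False,
    }
    for raw in text.splitlines():
        line = raw.strip().rstrip(".")  # tolerate a pasted trailing period
        if not line.startswith("set nsrp "):
            continue
        if m := re.fullmatch(r"set nsrp cluster id (\d+)", line):
            cfg["cluster_id"] = int(m.group(1))
        elif line == "set nsrp rto-mirror sync":
            cfg["rto_mirror"] = True
        elif m := re.fullmatch(r"set nsrp vsd-group id (\d+) priority (\d+)", line):
            cfg["priority"][int(m.group(1))] = int(m.group(2))
        elif m := re.fullmatch(r"set nsrp vsd-group id (\d+) preempt", line):
            cfg["preempt"].add(int(m.group(1)))
        elif m := re.fullmatch(r"set nsrp interface (\S+)", line):
            cfg["nsrp_interface"] = m.group(1)
        elif m := re.fullmatch(r"set nsrp monitor interface (\S+)", line):
            cfg["monitor"].add(m.group(1))
        elif line == "set nsrp ha-link probe":
            cfg["ha_link_probe"] = True
    return cfg


def expected_master(a: Dict, b: Dict, names=("Firewall 1", "Firewall 2"), vsd: int = 0) -> str:
    """Which member should own the VSD group: the lower priority number wins."""
    pa = a["priority"].get(vsd, DEFAULT_PRIORITY)
    pb = b["priority"].get(vsd, DEFAULT_PRIORITY)
    if pa == pb:
        return "tie"
    return names[0] if pa < pb else names[1]


def check_pair(a: Dict, b: Dict, vsd: int = 0) -> List[str]:
    """Return the asymmetries that would stop the two members forming a clean cluster."""
    problems = []
    if a["cluster_id"] is None or a["cluster_id"] != b["cluster_id"]:
        problems.append("cluster id differs or is missing on one member")
    if not (a["rto_mirror"] and b["rto_mirror"]):
        problems.append("rto-mirror sync is not enabled on both members")
    pa = a["priority"].get(vsd, DEFAULT_PRIORITY)
    pb = b["priority"].get(vsd, DEFAULT_PRIORITY)
    if pa == pb:
        problems.append(f"vsd-group {vsd} priority is {pa} on both members; election is ambiguous")
    if vsd not in a["preempt"] and vsd not in b["preempt"]:
        problems.append(f"no member has preempt for vsd-group {vsd}; a recovered master will not reclaim it")
    if a["monitor"] != b["monitor"]:
        problems.append(f"monitored interfaces differ: {sorted(a['monitor'])} vs {sorted(b['monitor'])}")
    if a["nsrp_interface"] != b["nsrp_interface"]:
        problems.append("nsrp interface differs between members")
    if not (a["ha_link_probe"] and b["ha_link_probe"]):
        problems.append("ha-link probe is not enabled on both members")
    return problems


if __name__ == "__main__":
    fw1, fw2 = parse_nsrp(FW1_CONFIG), parse_nsrp(FW2_CONFIG)
    print("expected master:", expected_master(fw1, fw2))
    for p in check_pair(fw1, fw2) or ["no asymmetries found"]:
        print("-", p)
```

Run it against the two fragments and it reports Firewall 1 as the expected master (priority 50 beats 100) with no asymmetries; change the cluster id or one of the monitored interfaces on either side and the corresponding line shows up in the list. Note that a matching pair is exactly what makes "exec nsrp sync global-config" copy the whole configuration across, so this check confirms the cluster is sane but does not by itself resolve the separate-ISP design question.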