Juniper ScreenOS : Active/Passive clustering | Peter Van Eeckhoutte's Blog http://www.corelan.be:8800/index.php/2009/07/05/juniper-screenos-acti...

Peter Van Eeckhoutte's Blog

:: Knowledge is not an object, it´s a flow ::

Home

Login/Register/Logout

Your favorite posts

Articles

Free Tools
AD & CS
AD Disable Users
Certificate List Utility
PVE Find AD User
Exchange Transport Agents
Attachment filter
Attachment rename
Networking
Cisco switch backup utility
Network monitoring with powershell
TCP Ping
PVE POP3 Collector
PVE POP3 Collector on the net
Security Related Tools
pvefindaddr Immunity Dbg PyCommand
All downloads on this blog
Public Files

Forums

Security
Corelan Team Members
Corelan Team Security Advisories
Exploit writing – forum
Exploit writing tutorials
Metasploit
Simple FTP Fuzzer – Metasploit Module
Nessus/Openvas ike-scan wrapper
pvefindaddr.py ImmDbg Plugin
Vulnerability Disclosure Policy
Shellcode to Javascript encoder
ROP Gadgets

Links

Terms of use

1 of 11 10/17/2010 6:22 PM
Juniper ScreenOS : Active/Passive clustering | Peter Van Eeckhoutte's Blog http://www.corelan.be:8800/index.php/2009/07/05/juniper-screenos-acti...

Donate

About me
About me
LinkedIn Resume
About you
Corelan public keys

SSL

« Backtrack 4 cheat sheet

Free tool : Find out where your AD Users are logged on into »

You are here :

Blog > 001_Security > Juniper ScreenOS : Active/Passive clustering

Juniper ScreenOS : Active/Passive clustering

July 5th, 2009 | Author: Peter Van Eeckhoutte
Vie we d 8,394 time(s) | Add this post to Your Favorite Posts | Print This Post | This page as PDF (Login first !)

Introduction

In this blog post, I’ll show the easy steps to set up a screenOS based active/passive cluster. I’m not going to
discuss the configuration of active/active clusters because, in my opinion, this configuration is only needed in
rare circumstances and may introduce some weird behaviour issues. Furthermore, active/passive clusters
have been working quite well for me.

These are the main requirements to set up a cluster :

The 2 devices need to be the same model

The 2 devices need to run exactly the same screenOS version (Or you’ll get “configuration out of sync”
messages because the checksums will fail)
The 2 devices need to be connected to each other : You need to have at least one free interface on each
device to interconnect the device (HA link). Use the same interface number on both devices.
It makes no real sense to build a cluster if your switches are not redundant as well. Having a cluster on
one switch will bring some redundancy, but the switch becomes a single point of failure. Just something
to keep in mind.
License : SSG5 devices require an additional license. SSG140 and other models have the NSRP license
included. (check the documentation !). Run “get lic | incl NSRP”. If the output states “NSRP:
Active/Active” then you can set up an Active/Active cluster, and an Active/Passive cluster.

In addition to this, you’ll need additional IP addresses because you will need to set separate management IP
addresses on both devices. This will not only allow you to connect to each device separately, but it is also a
requirement for track-ip (when used) and for the cluster to operate properly. These management IP’s are not

2 of 11 10/17/2010 6:22 PM
Juniper ScreenOS : Active/Passive clustering | Peter Van Eeckhoutte's Blog http://www.corelan.be:8800/index.php/2009/07/05/juniper-screenos-acti...

replicated between devices. Login banners are not replicated either.

In fact, I usually put separate management IP’s on every interface that has management enabled. The
interface IP will be the same on each cluster member so you’ll only need one IP per interface.

The procedures below are based on screenOS 6.2, but it should work with earlier versions as well.

Terminology
Before looking at the configuration steps, I need to explain some cluster terminology :

NSRP : Netscreen Redundancy Protocol : This is the protocol used by Netscreen to set up and operate
a cluster
VSD : Virtual Security Device : this is the logical representation of a firewall device. If you set up a
cluster, both devices run the same VSD. This means that they have the same configuration. In a VSD,
only one device actively runs the VSD (=”Master”) (and the other one is the backup). To end users,
traffic always uses the VSD, not one or another physical device.
VSI : Virtual Security Interface : VSI’s overlay physical interfaces so they can move the active VSD
from one device to another.
VSD Group : pair of security devices that are contained in the same VSD.
VSD States : A VSD can be in any of the following states :
Master : this refers to the active node, the device that processes traffic sent to the VSI
Backup : this refers to the passive node. This device monitors the state of the master and takes
over when the master fails
Initial : state of a VSD group member when it is being joined to the VSD group
Ineligible : state assigned by an admin so it cannot particiate in the election process (more info
about this process later)
Inoperable : state of a member that cannot be joinged to the VSD because there is an internal
problem or network connection problem.
Priority & Election : Upon initial NSRP configuration, the VSD group member that has the lowest
(closest to zero) priority number will become the master device. If two devices have the same priority,
the device that has the lowest mac address will win.
Preempt : By default, the master/backup device election is purely based on priorities. But there may be
a reason where you want to control the election. Let’s say the master device goes down. The backup
device takes control. Suppose the master device is broken and you need to replace it (and the
replacement unit has a lower mac address). So you reconfigure the new device with the same VSD
information, same priority. You connect the master device back and all of a sudden both devices have
an empty config. When you put the master device back, with the same priority, and a lower MAC, it
will become master again… But it does not have the config yet. So it pushes its (empty) config to the
other device and the entire cluster is broken. This scenario can be avoided by setting different
priorities, or by manually setting the node that has the entire config to preempt mode. This will ensure
that this node (with preempt enabled) will become the master even if the other node has a lower
priority. So in the scenario where the previous master broke down and was replaced, I would put the
active node (the backup node at that point) in preempt and then reconnect the new node into the
cluster.
The preempt holddown parameter specifies how long a device will wait for another device with higher
priority to assume the master role before it takes over. The default is 3 seconds.
Failover : when the master device goes down, the backup device will send ARP messages from each
VSI to inform the connected switches (Layer 2) about the new location of the VSI MAC address.

3 of 11 10/17/2010 6:22 PM
Juniper ScreenOS : Active/Passive clustering | Peter Van Eeckhoutte's Blog http://www.corelan.be:8800/index.php/2009/07/05/juniper-screenos-acti...

Because these ARP messages are not required for address resolution, they are called “gratuitous ARP”
messages. You can control how many ARP packets are sent upon failover.
RTO : Run-Time objects : objects created dynamically in memory (such as session table entries, ARP
cache, DHCP leases, IPSec SA’s). When a failover occurs, the new master needs to maintain these
RTO’s to allow a smooth failover. By default, NSRP cluster members only synchronize sessions. You
can sync the other RTO’s as well, but you should only enable RTO sync when the configurations are in
sync first.
HA link : this connection is used for heartbeat and to synchronize configs, rto’s, … between the
members of the cluster. You can interconnect the devices with a crosscable or with a switch between
the 2 devices. The devices need to be in the same layer 2 network (so you cannot cross a router with a
HA link). It’s recommended to always use a secondary HA interface (which can be a regular firewall
interface that is used for traffic). In normal operations, only the primary HA link is used for heartbeat
and to synchronize RTO’s and config. The secondary is only used for heartbeat (unless the primary HA
link goes down)
HA link protection : you can enable encryption and authentication on the HA link.

When you want to build an A/P cluster, you need a single VSD. With older versions of screenOS, you could
not synchronise dynamic routing between the devices, so you needed to set up a VSD-Less cluster. With
screenOS 6 and up, this is no longer needed. Routing entries (both static and dynamic) can be synchronized
as well. The static routes will simply be put in the RIB as static routes, the dynamic routes will be marked
with a trailing ‘B’ (Backup route). So OSPF routes will be displayed as “OB”, iBGP will be displayed as
“iBB”, eBGP will be displayed as “eBB” and so on

Configuring NSRP Active/Passive

Before looking at the configuration steps, it’s important to know that you can convert a fully working firewall
into a cluster without any downtime. You don’t need to reboot. You just have to make sure all interfaces on
both devices are used for the same zone/link/…

First, pick the interface on both devices to be used as HA link. Let’s say you want to use eth0/6 for HA. So
on both cluster devices, put this interfaces in nsrp mode :



 

(on some devices, you need to put the interface in the HA zone instead : set int e0/6 zone HA)

Set up master device

Next, create the cluster on the first device. We will create a cluster id 1, name it “MyCluster1” and set some
cluster parameters.





























Г

When you enter the “set nsrp cluster id 1”, you will get the message “Unit becomes master of

4 of 11 10/17/2010 6:22 PM
Juniper ScreenOS : Active/Passive clustering | Peter Van Eeckhoutte's Blog http://www.corelan.be:8800/index.php/2009/07/05/juniper-screenos-acti...

NSRP vsd-group 0”. The prompt now indicates that the device is master (M)

As soon as you enter the “set nsrp cluster name” command, the command prompt will also
indicate the cluster name. On the master device, the prompt will look like this :

MyCluster1:hostname(M)->

On a backup device, you’ll see MyCluster1:hostname(B)->

The arp, auth and encrypt statements are optional. The “arp” statement refers to the number of
gratuitous arp messages that need to be sent upon failover. The default is 4.

In the current setup, the device can failover when the other device goes down. If you want devices to
failover when interfaces go down, you need to set interface monitoring :



 

This is optional and is only required if you want to do interface based failover. Keep in mind that not just the
interface will failover. The entire device will failover.

Now it’s time to set some VSD specific settings (priority, preempt and preempt holddown). I usually configure
the master device with a priority of 50 and enable preempt :



 



 

Then, enable RTO sync and enable route sync


 



 

Define a secondary interface.




 
 !

Set up backup device

On the backup device, the configuration is pretty much the same, except for the priority and preempt :





























Г



 



 


 



 




 
 !

5 of 11 10/17/2010 6:22 PM
Juniper ScreenOS : Active/Passive clustering | Peter Van Eeckhoutte's Blog http://www.corelan.be:8800/index.php/2009/07/05/juniper-screenos-acti...

=> on the backup node, I have set the priority to 100 (higher than the master) and I do not enable preempt.
This will make sure that, if the master goes down (e.g. for maintenance) and comes online again, it will surely
become the master node again.

When the cluster devices are configured, they will start synchronizing information. You can check if the
configurations are in sync by running :

"  #$ %

 
 

 &



Before the cluster is fully in sync, you should force sync, by running (on the backup device !):


"  '#($ %)

&*

  &





 &


+
&*
 &



,
+

 &



,
,



*)
 &

- .

/
%

+

&

#$
 &

#
-
'0!1233-
'0!12$
4
  *5 ,

After the reboot of the passive (backup) device, the cluster is fully operational. Note : when the device
prompts you to save the config, enter “n” (no)

Even if you have create a cluster on an existing device and added a second (new, empty) device
into the cluster, you only have to reboot the passive node (and the active node always stays
online)

When both cluster members are synced ( = when the files are synced), you should enable config sync.


 &


Verify cluster status

You can get some nsrp information with the following commands :

“get nsrp” : shows information about the cluster and cluster nodes, the vsd group, etc :


"  #$ %&




"',


 "

"6
"


"277'27



"
)" 6"277'276
" '''020 2*6


"
)"6"!076
" '!
 !2
6


"

* 
"'

8+9& "
"

6 of 11 10/17/2010 6:22 PM
Juniper ScreenOS : Active/Passive clustering | Peter Van Eeckhoutte's Blog http://www.corelan.be:8800/index.php/2009/07/05/juniper-screenos-acti...


*


"0

*

" #
$





)
"

*
&&

(*

  
0
 !07

* 
&
"
:

3!0' !6322'''106
)3'71'63216

&37

4:; "
*5
"
*

<
"
*
&



"
*








- 
&

*


- "

" # " $
" '''020 2*

"



-


*




" !# "2$
" '''020 2

"

=+4"
*
=+4

"
*
*


&
"'6&
" 6

*



" 
*


<"
*



-"#&"'6

*$
* &



"
 &
"
*


-"

*

If you want to see the differences between the 2 nodes, run


"  #$ %

 

 

"  #$ %>

> &> "&
 &



?

  
"

  
"

Test failover

You can test if the cluster works by turning off the master device and wait a couple of seconds (typically 1 or
2 seconds) before the backup becomes master and processes all traffic.

Alternatively, you can perform a manual failover using the following command :

On the master device :

If preempt is enabled, run :

)

 & &*

7 of 11 10/17/2010 6:22 PM
Juniper ScreenOS : Active/Passive clustering | Peter Van Eeckhoutte's Blog http://www.corelan.be:8800/index.php/2009/07/05/juniper-screenos-acti...

If preempt is not enabled, run :

)

 & *

-

These commands will force the primary (master) device to step down. The other device will become master
right away

You can verify which one of the devices is master by performing the routines explained at
http://kb.juniper.net/KB11199

Impact of cluster on certificates and snmp

Cluster members can have different hostnames. If digital certificates/snmp settings are configured with
individual hostnames, then communication may break upon a failover. It’s better to set a cluster name for all
members and to use this VSD identity for snmp and digital certificates.

You can set a cluster name with the following command :




@*

=


For snmp, use the cluster name :



@*

=


Also, It is important to install/sync all PKI related components on both devices before installing the cluster, or
you may get “config out of sync” messages. (exec nsrp sync pki…)

See Concepts&Examples PDF [27 MB], page 1864

Check http://kb.juniper.net/KB11326 for more reasons why configurations can get out of sync

© 2007-2009, Peter Van Eeckhoutte. All rights reserved.

(Visited 3,931 times, 6 visits today)

Posted in 001_Security, Juniper, Networking | Tags: arp, backup, backup device, cluster, configuration,
device, devices, eBB, failover, iBB, interface, Juniper, master, master device, mycluster, node, nsrp, OB,
preempt, redundancy, rto, screenos, set, set nsrp, sync, vsd, vsi

Ads by Google Juniper HA Cluster VPN Failover 5GT NS 025B 001

Related Posts:

Juniper Screenos : Redundant multi-exitpoint ISP routing failover using multiple vrouters, multiple
OSPF areas and eBGP
Script to backup Cisco switches via telnet / tftp
Fixing Exchange 2007 Offline Address Book generation (oalgen) and distribution issues
Juniper ScreenOS : default route manipulations and redistributions
Juniper ScreenOS : defeating iBGP full mesh requirement using route reflectors and confederations
Juniper : Netscreen/ScreenOS to HTML (ns2html) + audit your firewall config (nipper)
Windows XP L2TP over IPSec dialup client VPN to a Juniper ScreenOS firewall, using Certificates

8 of 11 10/17/2010 6:22 PM
Juniper ScreenOS : Active/Passive clustering | Peter Van Eeckhoutte's Blog http://www.corelan.be:8800/index.php/2009/07/05/juniper-screenos-acti...

IPSec VPN between Windows Server 2008 and Juniper ScreenOS

Juniper ScreenOS Admin authentication using Windows based IAS (Radius)
Getting connected to the internet over IPv6 using Juniper/screenos

4 Responses to “Juniper ScreenOS : Active/Passive clustering”

dschaap says:
August 24, 2009 at 10:37

Hi Peter,

Helder artikel. Wij zijn recentelijk druk geweest met een dergelijke setup obv SSG-140′s. Wat mij
echter onduidelijk is, wat de voordelen zijn van een Active/Active setup t.o.v. de door jou beschreven
Active/Passive setup. Ik kan daar erg weinig documentatie over vinden, los van de instructie hoe het in
te regelen.
Heb jij daar een idee over?

met vriendelijke groet,

David Schaap
Innosys ICT

Log in to Reply

Peter Van Eeckhoutte says:

August 24, 2009 at 10:42

Hi,

To answer your question “what is the advantage of Active/Active over Active/Passive” : There’s only
one I can think of : load sharing/balancing…

Log in to Reply

umairpb says:
September 15, 2009 at 11:19

Great article. I have tested it & it worked perfectly, now i would really appreciate if you could come up
with Active-Active article as their are many of us getting our heads banged with that. I agree with your
comments “only Load sharing” but again a requirement is a requirement. I have already gone through
the Ch 11, but still confused about redundant interfaces use (which i don’t want to use). Using default
route for router ahead.

Hope to hear on this soon.

Log in to Reply

Peter Van Eeckhoutte says:

9 of 11 10/17/2010 6:22 PM
Juniper ScreenOS : Active/Passive clustering | Peter Van Eeckhoutte's Blog http://www.corelan.be:8800/index.php/2009/07/05/juniper-screenos-acti...

September 15, 2009 at 13:01

Hello,

I’ll see if I have some spare time to squeeze in a short tutorial about A/A..
(may take a while as I am finishing some other projects first)

Log in to Reply

Leave a comment
You must be logged in to post a comment.

Search this blog

Actions

Register
Log in
Entries RSS
Comments RSS
WordPress.org

Your profile

Change your profile/password

Corelan Team Merchandise

You can support Corelan Team by donating or purchasing items from the official Corelan Team
merchandising store.

My Tweets

In case you missed it : IRC channel #corelan (on freenode) - drop by for a chat or ask questions about
exploit dev / security in general 1 day ago
New IRC channel open for public: #corelan (on freenode) - join us for a chat or ask questions about
exploit dev / security in general 1 day ago
@davehardy20 corelan.be : IP address got changed (first time in 3 years) - I updated DNS, site should
be online soon in reply to davehardy20 1 day ago
@Dinosn pfew :) tx for verifying in reply to Dinosn 1 day ago
@Dinosn some kind of nat or firewall in between msf and client ? in reply to Dinosn 2 days ago
More updates...

Stay posted

10 of 11 10/17/2010 6:22 PM
Juniper ScreenOS : Active/Passive clustering | Peter Van Eeckhoutte's Blog http://www.corelan.be:8800/index.php/2009/07/05/juniper-screenos-acti...

Subscribe to posts via email

Follow me on twitter

Categories

Corelan Security Advisories

Peter Van Eeckhoutte on CORELAN-10-062 - Stack Buffer Overflow in Nuance PDF Reader v6.0
October 8, 2010
Lincoln on CORELAN-10-061 – Integard Home and Pro v2 Remote HTTP Buffer Overflow Exploit
September 7, 2010
Lincoln on CORELAN-10-060 – 123 Flash Chat ver 7.8 August 16, 2010
Sud0 on CORELAN-10-059 – Sopcast Unicode BOF Remote Exploit August 10, 2010
MaRkO T. on CORELAN-10-058 – ActiTime2 0MA CSRF July 11, 2010
MaRkO T. on CORELAN-10-057 – Oracle BPM Process Administrator 5.7-6.0-10.3 MPs XSS July 11,
2010
chap0 on CORELAN-10-056 - Hero DVD Remote Buffer Overflow Exploit July 7, 2010
MaRkO T. on CORELAN-10-055 – MemDb (Multiple Remote Dos) June 28, 2010
chap0 on CORELAN-10-054 - GSM sms Utility SEH Buffer Overflow June 28, 2010
TecR0c on CORELAN-10-053 – FieldNotes 32 v5.00 SEH exploit June 25, 2010

© 2007-2010 Pete r Van Eeckhoutte 's Blog | All Rights Reserved | Terms of use

Your IP address : 110.168.109.241 | 62 queries. 1.871 seconds | www.corelan.be - artemis.corelan.be | Uptime Report

11 of 11 10/17/2010 6:22 PM