Smarts IP: Firewall failover is resulting in different interface count for Juniper SRX5600 firewalls

Article ID: 331690

Products

VMware Smart Assurance

Issue/Introduction

Symptoms:


Two Juniper SRX5600 firewalls are installed, and both are discovered in the topology.
The firewalls are then configured as failover peers of each other: if one fails, the other takes over.
Furthermore, two layers of failover are configured, a data layer and a configuration layer.
What was noticed is that when one firewall is active, the inactive firewall does not have all of its objects discovered.
For example, the active firewall has over a hundred interfaces while the inactive one has fewer than 20 interfaces.
When the failover status reverses, the opposite holds true.
For the change to be reflected in the topology, both devices need a rediscovery to rebuild their objects.

Environment

VMware Smart Assurance - SMARTS

Cause

When the failover occurred at the configuration layer, it changed the SNMP data returned by the device. After the subsequent rediscovery, the topology therefore looks different.
This can be seen from the size of the sm_snmpwalk output of the device before and after the failover:

AfterFailover.mimic 203579
BeforeFailover.mimic 3913206

Looking further into the mimic files, there are over one hundred ifType entries (.1.3.6.1.2.1.2.2.1.3) before failover.
After failover, there are fewer than ten entries in the ifType table:

 .1.3.6.1.2.1.2.2.1.3.1: 6
 .1.3.6.1.2.1.2.2.1.3.12: 131
 .1.3.6.1.2.1.2.2.1.3.13: 53
 .1.3.6.1.2.1.2.2.1.3.17: 6
 .1.3.6.1.2.1.2.2.1.3.18: 53
 .1.3.6.1.2.1.2.2.1.3.23: 6
 .1.3.6.1.2.1.2.2.1.3.24: 53
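The comparison described above can be automated rather than done by eye. The following script is an added example and is not part of this article or of the Smart Assurance product; it assumes the simple "OID: value" line format shown in the listing above, uses two constructed sample dumps (the "after" dump reproduces the seven entries listed above, the "before" dump is invented for illustration), and maps the ifType numbers to their IANA ifType names. It reports how many ifType rows disappeared between the two walks and which interface types they were, which is the evidence needed to confirm that the SNMP agent, not the discovery, changed.

```python
"""Compare the IF-MIB ifType column in two sm_snmpwalk-style dumps (added example)."""
import re
from collections import Counter

# IF-MIB::ifType column; each row is <prefix><ifIndex>: <ifType number>
IFTYPE_PREFIX = ".1.3.6.1.2.1.2.2.1.3."
# IANA ifType numbers that appear in the article's listing
IFTYPE_NAMES = {6: "ethernetCsmacd", 53: "propVirtual", 131: "tunnel"}

# One "OID: value" pair per line, as in the mimic file excerpt above
LINE_RE = re.compile(r"^\s*(\.[\d.]+):\s*(\S+)\s*$")

# Constructed sample: a fuller walk taken while the firewall was active.
# The ifDescr row at the end must be ignored by the ifType filter.
BEFORE_WALK = """
 .1.3.6.1.2.1.2.2.1.3.1: 6
 .1.3.6.1.2.1.2.2.1.3.2: 6
 .1.3.6.1.2.1.2.2.1.3.3: 6
 .1.3.6.1.2.1.2.2.1.3.12: 131
 .1.3.6.1.2.1.2.2.1.3.13: 53
 .1.3.6.1.2.1.2.2.1.3.14: 53
 .1.3.6.1.2.1.2.2.1.3.17: 6
 .1.3.6.1.2.1.2.2.1.3.18: 53
 .1.3.6.1.2.1.2.2.1.3.23: 6
 .1.3.6.1.2.1.2.2.1.3.24: 53
 .1.3.6.1.2.1.2.2.1.3.25: 131
 .1.3.6.1.2.1.2.2.1.3.26: 131
 .1.3.6.1.2.1.2.2.1.2.1: ge-0/0/0
"""

# Constructed sample: the reduced walk after failover (same rows as the article lists).
AFTER_WALK = """
 .1.3.6.1.2.1.2.2.1.3.1: 6
 .1.3.6.1.2.1.2.2.1.3.12: 131
 .1.3.6.1.2.1.2.2.1.3.13: 53
 .1.3.6.1.2.1.2.2.1.3.17: 6
 .1.3.6.1.2.1.2.2.1.3.18: 53
 .1.3.6.1.2.1.2.2.1.3.23: 6
 .1.3.6.1.2.1.2.2.1.3.24: 53
"""


def parse_walk(text):
    """Parse 'OID: value' lines into a dict {oid: value}; other lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2)
    return table


def iftype_entries(table):
    """Return {ifIndex: ifType} for the rows of the ifType column only."""
    out = {}
    for oid, val in table.items():
        if oid.startswith(IFTYPE_PREFIX):
            idx = oid[len(IFTYPE_PREFIX):]
            if idx.isdigit() and val.isdigit():
                out[int(idx)] = int(val)
    return out


def compare(before_text, after_text):
    """Summarise which ifType rows vanished or appeared between two walks."""
    before = iftype_entries(parse_walk(before_text))
    after = iftype_entries(parse_walk(after_text))
    missing = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    by_type = Counter(IFTYPE_NAMES.get(before[i], str(before[i])) for i in missing)
    return {
        "before_count": len(before),
        "after_count": len(after),
        "missing_ifindex": missing,
        "added_ifindex": added,
        "missing_by_type": dict(by_type),
    }


if __name__ == "__main__":
    result = compare(BEFORE_WALK, AFTER_WALK)
    print(f"ifType rows before: {result['before_count']}, after: {result['after_count']}")
    print(f"missing ifIndex values: {result['missing_ifindex']}")
    print(f"missing rows by interface type: {result['missing_by_type']}")
```

To use it on real data, replace the two constructed strings with the contents of the BeforeFailover and AfterFailover mimic files; a large drop in the ifType row count with no rows added confirms that the agent itself is exposing fewer interfaces.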

Resolution

When the firewall becomes inactive, its SNMP agent exposes a reduced set of information, so the rediscovery shows fewer objects.
This behavior is expected, since the SNMP information itself changed.