Smarts IP: Firewall failover is resulting in different interface count for Juniper SRX5600 firewalls
Article ID: 331690
Products
VMware Smart Assurance
Issue/Introduction
Symptoms:
Two Juniper SRX5600 firewalls were installed and both are discovered in the topology. The firewalls are then configured as a failover pair: if one fails, the other takes over. Furthermore, two layers of failover are configured, a data layer and a configuration layer. What was noticed is that while one firewall is active, the other (inactive) firewall does not have all of its objects discovered. For example, the active firewall has over a hundred interfaces while the inactive one has fewer than 20. When the failover status reverses, the opposite holds true. For the change to be reflected in the topology, both devices need a rediscovery to rebuild the objects.
Environment
VMware Smart Assurance - SMARTS
Cause
When the failover occurs at the configuration layer, it changes the SNMP data returned by the device, so the topology built by the next rediscovery looks different. The difference is visible in the size of the sm_snmpwalk output of the device before and after the failover:
A closer look at the mimic file shows over one hundred ifType entries before the failover and fewer than ten entries in the ifType table after the failover.
When the firewall becomes inactive, the SNMP agent exposes reduced information, so the rediscovery finds fewer objects. This behavior is expected, since the SNMP information itself changed.
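To confirm this cause on your own captures, the check below compares the ifType rows (IF-MIB ifTable column .1.3.6.1.2.1.2.2.1.3) in two walk dumps and lists the ifIndexes that disappeared. This is an added example, not part of the article or of the Smart Assurance product; it assumes a plain "OID = value" line format, which you may need to adapt to your actual sm_snmpwalk or mimic file, and the sample walks are constructed.

```python
"""Compare ifType rows between two SNMP walk captures (added example)."""
import re
from typing import Dict, Set, Tuple

# ifType column of the IF-MIB ifTable: .1.3.6.1.2.1.2.2.1.3.<ifIndex>
IFTYPE_PREFIX = ".1.3.6.1.2.1.2.2.1.3."

# Assumed line shape "<oid> = <value>"; adapt if your capture differs.
LINE_RE = re.compile(r"^\s*(\.?[0-9.]+)\s*=\s*(.*?)\s*$")


def parse_iftypes(walk_text: str) -> Dict[int, str]:
    """Return {ifIndex: ifType value} for every ifType row in the dump."""
    rows: Dict[int, str] = {}
    for line in walk_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, comments
        oid, value = m.groups()
        if not oid.startswith("."):
            oid = "." + oid
        if oid.startswith(IFTYPE_PREFIX):
            rows[int(oid[len(IFTYPE_PREFIX):])] = value
    return rows


def compare_walks(before: str, after: str) -> Tuple[int, int, Set[int]]:
    """Count ifType rows before/after and return the ifIndexes that vanished."""
    b, a = parse_iftypes(before), parse_iftypes(after)
    return len(b), len(a), set(b) - set(a)


# Constructed samples: the active node exposes five interfaces, the
# passive node only two. The sysDescr line shows non-ifType rows are ignored.
WALK_ACTIVE = ".1.3.6.1.2.1.1.1.0 = SRX5600 (constructed)\n" + "\n".join(
    f".1.3.6.1.2.1.2.2.1.3.{i} = 6" for i in range(1, 6))
WALK_PASSIVE = ".1.3.6.1.2.1.1.1.0 = SRX5600 (constructed)\n" + "\n".join(
    f".1.3.6.1.2.1.2.2.1.3.{i} = 6" for i in (1, 2))

if __name__ == "__main__":
    n_before, n_after, missing = compare_walks(WALK_ACTIVE, WALK_PASSIVE)
    print(f"ifType rows: active={n_before} passive={n_after}")
    print("ifIndexes missing on the passive node:", sorted(missing))
```

Run it against a walk taken while the device is active and one taken after it goes passive; a large drop in the row count with the same sysDescr matches the cause described above.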