security-policy synchronization failed

Publication Date:  2016-10-30
Issue Description

Even though HA was configured on both firewalls, the security policy is not synchronizing between the master and the standby. The firewall version is V100R001C30SPC600.


Alarm Information

When the customer adds a security policy on the master firewall, the policy is not synchronized to the standby.

Handling Process

1. By default the standby firewall does not accept configuration (the standby config switch is off, as `display hrp standby config state` shows). This function must be enabled first.

2. VRRP must be configured on the service interfaces: VRRP membership is what triggers HRP tracking and takes the HRP groups out of the initialize state.


Root Cause

1. According to the output below, the standby config switch is off on both devices.

<HWFWC001-Node1>display hrp standby config state
12:58:17  2016/10/12
The firewall standby config switch is off.


<HWFWC001-Node2>display hrp standby config state
12:59:37  2016/10/12
The firewall standby config switch is off.


2. Checking the HRP groups, I see that both the active and the standby group are in the initialize state (Group enabled: no, Total VRRP members: 0); there is no master and no standby.

=====================================================
  ===============display hrp group===============
=====================================================
11:09:58  2016/10/13
Active group status:
   Group enabled:         no
   State:                 initialize
   Priority running:      65001
   Total VRRP members:    0
   Hello interval(ms):    1000
   Preempt enabled:       yes
   Preempt delay(s):      60
   Tcp check delay(s):    0
   Peer group available:  0
   Peer's member same:    yes
Standby group status:
   Group enabled:         no
   State:                 initialize
   Priority running:      65000
   Total VRRP members:    0
   Hello interval(ms):    1000
   Preempt enabled:       yes
   Preempt delay(s):      0
   Tcp check delay(s):    0
   Peer group available:  0
   Peer's member same:    yes



Solution

1. Activate configuration sync on standby firewall

# Allow configuring the standby device.

<sysname> system-view
[sysname] hrp standby config enable


2. The configuration does not have VRRP enabled. VRRP must be configured in order to trigger HRP tracking. Currently both groups are in the initialize state and there is no master and no standby (see the `display hrp group` output under Root Cause). Normally, on each device one of the two groups (Active or Standby) is enabled with VRRP members, and only the other group is in the initialize state.


It is required to enable VRRP on at least one of the LANs connecting the firewalls. I will copy a configuration example from the documentation, which tells you how to configure VRRP:

http://support.huawei.com/ehedex/pages/DOC1000094253DED0820M/10/DOC1000094253DED0820M/10/resources/case/sec_eudemon_ag_ha_0057.html?ft=0&id=sec_ngfw_case_0054
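The following is an added worked example of both Solution steps together, not a command listing from the original case or from the Huawei documentation linked above. It configures a two-firewall active/standby pair on an assumed topology: FW_A is the intended active device and FW_B the standby; GigabitEthernet 1/0/1 faces upstream on 10.3.0.0/24 (virtual IP 10.3.0.1), GigabitEthernet 1/0/3 faces downstream on 10.2.0.0/24 (virtual IP 10.2.0.1), and GigabitEthernet 1/0/7 is the heartbeat link on 10.10.0.0/24. All interface names, addresses and VRIDs are assumptions; zone assignment of the interfaces is omitted. Whether `virtual-ip` takes a mask length varies between releases, so check the command reference for V100R001C30 before pasting.

```text
# Added example (assumed topology, see lead-in). Not the original case's commands.

# ---------- FW_A: intended active device ----------
<FW_A> system-view
[FW_A] interface GigabitEthernet 1/0/1
[FW_A-GigabitEthernet1/0/1] ip address 10.3.0.2 24
# VRRP group 1 in the active role. VRRP membership is what feeds
# "Total VRRP members" and moves the HRP group out of "initialize".
[FW_A-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 10.3.0.1 24 active
[FW_A-GigabitEthernet1/0/1] quit
[FW_A] interface GigabitEthernet 1/0/3
[FW_A-GigabitEthernet1/0/3] ip address 10.2.0.2 24
[FW_A-GigabitEthernet1/0/3] vrrp vrid 2 virtual-ip 10.2.0.1 24 active
[FW_A-GigabitEthernet1/0/3] quit
[FW_A] interface GigabitEthernet 1/0/7
[FW_A-GigabitEthernet1/0/7] ip address 10.10.0.1 24
[FW_A-GigabitEthernet1/0/7] quit
# Heartbeat interface: carries HRP hello packets and the configuration/session sync.
[FW_A] hrp interface GigabitEthernet 1/0/7 remote 10.10.0.2
[FW_A] hrp enable

# ---------- FW_B: intended standby device ----------
<FW_B> system-view
[FW_B] interface GigabitEthernet 1/0/1
[FW_B-GigabitEthernet1/0/1] ip address 10.3.0.3 24
# Same VRID and virtual IP as on FW_A, but in the standby role.
[FW_B-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 10.3.0.1 24 standby
[FW_B-GigabitEthernet1/0/1] quit
[FW_B] interface GigabitEthernet 1/0/3
[FW_B-GigabitEthernet1/0/3] ip address 10.2.0.3 24
[FW_B-GigabitEthernet1/0/3] vrrp vrid 2 virtual-ip 10.2.0.1 24 standby
[FW_B-GigabitEthernet1/0/3] quit
[FW_B] interface GigabitEthernet 1/0/7
[FW_B-GigabitEthernet1/0/7] ip address 10.10.0.2 24
[FW_B-GigabitEthernet1/0/7] quit
[FW_B] hrp interface GigabitEthernet 1/0/7 remote 10.10.0.1
[FW_B] hrp enable

# ---------- After HRP comes up, the prompt gains the HRP_M / HRP_S prefix ----------
# Solution step 1, entered in system view on the active device:
HRP_M[FW_A] hrp standby config enable

# Checks: local role and peer state, then the two displays used under Root Cause.
# On FW_A the Active group should now be enabled with 2 VRRP members instead of
# both groups sitting in "initialize", and the standby config switch should be on.
HRP_M[FW_A] display hrp state
HRP_M[FW_A] display hrp group
HRP_M[FW_A] display hrp standby config state
```

Until `display hrp state` shows one device as active and the other as standby, a security policy added on either box is local to that box only, so a failover would run with missing rules; after the pair is up, confirm the test policy from the Issue Description appears on both devices (automatic configuration synchronization, `hrp auto-sync config`, is on by default on this platform).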


Suggestions
none

END