HA capability of Juniper SSG20 (NSRP)

101001101 · 18 Jun 2012 at 23:28

Hi guys

I currently have 2 x Juniper SSG20's and I want to play around with the HA capability (NSRP?) as I'm thinking of running 2 x BT Infinity lines into my garage, has anyone configured HA on these and if so do you need a specific license for it?

I think my license is the extended license, so it should be good to go (I think):

Sessions: 16064 sessions
Capacity: unlimited number of users
NSRP: ActiveActive <<<<<<<<<<<< this is the bad boy I presume?
VPN tunnels: 40 tunnels
Vsys: None
Vrouters: 4 virtual routers
Zones: 10 zones
VLANs: 50 vlans
Drp: Enable
Deep Inspection: Enable
Deep Inspection Database Expire Date: Disable
Signature pack: Signature update key is missing
IDP: Disable
AV: Disable(0)
Anti-Spam: Disable(0)
Url Filtering: Disable

What's the deal here with NSRP?

Thanks :cool:

Phemo · 19 Jun 2012 at 16:23

Yeah you're fine to go with Active/Passive or Active/Active. If I remember rightly the extended license is required for Active/Active and also for session states to be maintained across a failover. Without the extended license you'd just have NSRP lite which doesn't do this.

Edit: Just checked and actually with the SSG20 you don't get any NSRP capability at all without the extended license

The NSRP lite must only apply to the earlier low-end Netscreens. Just checked on a base license SSG20 laying around here:

Sessions: 8064 sessions
Capacity: unlimited number of users
NSRP: Disable
VPN tunnels: 25 tunnels
Vsys: None
Vrouters: 3 virtual routers
Zones: 8 zones
VLANs: 10 vlans
Drp: Enable
Deep Inspection: Enable
Deep Inspection Database Expire Date: Disable
Signature pack: Signature update key is missing
IDP: Disable
AV: Disable(0)
Anti-Spam: Disable(0)
Url Filtering: Disable
Deep Inspection signature database version is 0.

Nunzio · 19 Jun 2012 at 17:34

Never played with them, but i know the SRX models dont need any extra Licenses.

Good luck tho

Phemo · 19 Jun 2012 at 19:04

Indeed, they changed it with SRX. SRX is certainly fun when doing HA

Netscreen/SSG is simple though. I've got some good guides if needed.

101001101 · 20 Jun 2012 at 14:16

Nice - thanks guys

So for session states to be maintained, does that mean that there is no disconnection / timeout when failing over?

Great to see I got lucky with the extended license then (eBay) as I think its £300 a pop for that!

Phemo, would it be possible to borrow those guides of yours if that is cool with you? that would be handy!

Cheers

Phemo · 20 Jun 2012 at 14:19

Yeah that's right, you'd maybe see a ping or two dropped during a failover but otherwise everything will be fine.

If you drop me an email to my address in trust I'll get it sent over to you