
[Juniper] How do I check if the Active/Passive NSRP pair configurations are in sync?

by barefeet1211 2014. 8. 21.


SUMMARY:

How do I check if HA configurations are in sync? The output of the checksum command can be viewed in 'get log sys'.

PROBLEM OR GOAL:

Symptoms & Errors:
  • How do I check if the Active/Passive NSRP configurations are in sync?
  • When I run the 'NSRP checksum' command, no output is returned

SOLUTION:

On either the Master or Backup device, enter the following command to determine if the configurations for an NSRP pair are in sync:

exec nsrp sync global-config check-sum [Enter]

The output is reported on the CONSOLE of the firewall. If no output is returned when you run the command, see the Note below.
If the configurations are out of sync, refer to KB6351: How do I synchronize configs for NSRP v2?


NOTE: If you are not connected to the firewall via the console, i.e. if you are connected via Telnet or SSH, the command itself prints nothing to your session; the result can instead be viewed in 'get db str' or 'get log sys':

Output via TELNET

ns5200(B)-> exec nsrp sync global-config check-sum
ns5200(B)-> get db str
Warning: configuration out of sync

Output via CONSOLE

ns5200(B)-> exec nsrp sync global-config check-sum
ns5200(B)-> Warning: configuration out of sync

nsisg2000(M)-> get log sys
## 2008-03-10 22:47:17 : VSD group (0) change state to Passive
## 2008-03-12 16:00:17 : VSD group (0) change state to Active
## 2008-03-14 15:44:24 : configuration out of sync (local checksum 423391316 !=
remote checksum 108606823)
nsisg2000(M)->

The most recent events are at the bottom of the 'get log sys' output. Confirm the 'configuration out of sync' or 'configuration in sync' entry against the date and time at which you ran the command; an older entry reflects an earlier check, not the current state of the pair.
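When the check is run over SSH rather than the console, the verdict has to be read back out of 'get log sys', and it is easy to pick up a stale entry from a previous check. The following Python is an added example, not part of the Juniper KB: it parses captured 'get log sys' text in the format shown above (joining the wrapped checksum line back together), ignores every entry older than the time the check-sum command was issued, and returns the most recent verdict with both checksums. Assumptions: the sample log is constructed by extending the KB excerpt; the 'configuration in sync' message text is taken from the KB's prose, since the page does not show that line verbatim; and capturing the 'get log sys' output from the firewall is done outside the block (paste or save it to a file first).

```python
import re
from datetime import datetime

# Constructed sample of 'get log sys' output. The first lines mirror the KB
# excerpt (including the console's line wrap inside the checksum message);
# the "configuration in sync" entry is ASSUMED from the KB's wording, since
# the page does not show that line verbatim.
SAMPLE_LOG_SYS = """\
nsisg2000(M)-> get log sys
## 2008-03-10 22:47:17 : VSD group (0) change state to Passive
## 2008-03-12 16:00:17 : VSD group (0) change state to Active
## 2008-03-13 09:12:40 : configuration in sync
## 2008-03-14 15:44:24 : configuration out of sync (local checksum 423391316 !=
remote checksum 108606823)
nsisg2000(M)->
"""

ENTRY_RE = re.compile(r"^## (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) : (.*)$")
CHECKSUM_RE = re.compile(r"local checksum (\d+) != remote checksum (\d+)")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_log_sys(text):
    """Return [(timestamp, message), ...] in log order (oldest first).

    Lines without the '## ' prefix are treated as continuations of the
    previous entry, which is how the console wraps a long checksum message.
    Prompt echoes before the first entry and the trailing prompt are ignored.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append([datetime.strptime(m.group(1), TS_FMT), m.group(2)])
        elif entries and not line.endswith("->"):  # "->" marks the CLI prompt
            entries[-1][1] = entries[-1][1] + " " + line.strip()
    return [(ts, msg) for ts, msg in entries]


def nsrp_config_sync_status(log_text, ran_at):
    """Verdict of the most recent checksum entry logged at or after ran_at.

    ran_at is the time 'exec nsrp sync global-config check-sum' was issued,
    as a datetime or a 'YYYY-MM-DD HH:MM:SS' string in the firewall's own
    clock. Returns None if no verdict has been logged since then (command not
    run yet, or its result not in the log), otherwise a dict with in_sync,
    timestamp and, for the out-of-sync case, the local and remote checksums.
    """
    if isinstance(ran_at, str):
        ran_at = datetime.strptime(ran_at, TS_FMT)
    verdict = None
    for ts, msg in parse_log_sys(log_text):
        if ts < ran_at:
            continue  # stale result from an earlier check, not this run
        if msg.startswith("configuration out of sync"):
            m = CHECKSUM_RE.search(msg)
            verdict = {
                "in_sync": False,
                "timestamp": ts,
                "local_checksum": int(m.group(1)) if m else None,
                "remote_checksum": int(m.group(2)) if m else None,
            }
        elif msg.startswith("configuration in sync"):
            verdict = {"in_sync": True, "timestamp": ts,
                       "local_checksum": None, "remote_checksum": None}
    # Newest entries are at the bottom, so the last match is the current verdict.
    return verdict


if __name__ == "__main__":
    print(nsrp_config_sync_status(SAMPLE_LOG_SYS, "2008-03-14 15:44:00"))
```

Take ran_at from the firewall's clock (the one that stamps the log), not from your workstation, or a few minutes of skew will either hide a fresh verdict or admit a stale one. A None result after the command was issued means the log has not recorded a verdict yet, which is a different condition from "in sync" and should not be treated as a pass.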

NOTE: Even when the configurations are in sync, the sessions and other RTOs (Run Time Objects) may not be. The command 'set nsrp rto-mirror sync' should be configured on each of your firewalls to synchronize RTOs (session table entries, ARP cache entries, DHCP leases, IPSec security associations, etc.). In the event of a failover, it is critical that the current RTOs are maintained by the new primary device to avoid service interruption. The command get nsrp | inc "run time object" will report 'enabled' if this command is set.

PURPOSE:

Troubleshooting

RELATED LINKS: 


Reference site: http://kb.juniper.net/InfoCenter/index?page=content&id=KB6015