Why are commands executed on the active firewall not synchronized to the standby firewall?


If the automatic configuration synchronization function is disabled, configurations are not synchronized. In addition, not all commands can be synchronized; interface and routing configurations, for example, cannot.
For the commands that can be synchronized, see Specifications.

Other related questions:
Why are the session tables on the active and standby firewalls different?
Check the status of the heartbeat link. If the heartbeat link fails, sessions on the active firewall cannot be synchronized to the standby firewall. If the automatic session backup function is disabled, the sessions on the two firewalls also differ. Even when the automatic session backup function is enabled, sessions are not synchronized in real time: a session is synchronized to the standby firewall only after the session aging thread detects it as a session to be synchronized. Established sessions therefore reach the standby firewall after a period (about 10 seconds).

When the automatic session backup function is enabled, the firewalls do not back up sessions of the following types:
- Sessions to the firewall
- Half-open TCP connections
- Sessions in which the first packets are UDP packets and subsequent packets are not (such as BitTorrent packets)
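The answer above can be turned into a triage check when comparing the two session tables. The following is an added example, not Huawei code: the `Session` record, its field names and the sample flows are hypothetical and constructed, and the 10-second threshold is the approximate figure given above.

```python
from dataclasses import dataclass

SYNC_LAG_SECONDS = 10  # page: established sessions reach the standby after about 10 s

@dataclass(frozen=True)
class Session:
    # Hypothetical simplified record, not the firewall's real session-table output.
    key: str               # flow identifier
    first_proto: str       # protocol of the first packet
    later_proto: str       # protocol of subsequent packets
    to_firewall: bool      # True if the session terminates on the firewall itself
    tcp_established: bool  # False for a half-open TCP connection
    age_seconds: int

def expected_gap(s):
    """Return the reason a session may be absent on the standby, or None."""
    if s.to_firewall:
        return "session to the firewall"
    if s.first_proto == "tcp" and not s.tcp_established:
        return "half-open TCP connection"
    if s.first_proto == "udp" and s.later_proto != "udp":
        return "first packet UDP, later packets not"
    if s.age_seconds < SYNC_LAG_SECONDS:
        return "too new, not yet synchronized"
    return None

def audit(active, standby_keys):
    """Split sessions missing on the standby into explained and unexplained."""
    missing = [s for s in active if s.key not in standby_keys]
    explained = {s.key: expected_gap(s) for s in missing if expected_gap(s)}
    unexplained = [s.key for s in missing if not expected_gap(s)]
    return explained, unexplained

# Constructed sample data (documentation address ranges), not captured from a device.
ACTIVE = [
    Session("tcp 10.1.1.5:51000->203.0.113.9:443", "tcp", "tcp", False, True, 120),
    Session("tcp 10.1.1.6:51001->192.0.2.1:22", "tcp", "tcp", True, True, 300),
    Session("tcp 10.1.1.7:51002->203.0.113.9:80", "tcp", "tcp", False, False, 30),
    Session("udp 10.1.1.8:6881->198.51.100.4:6881", "udp", "tcp", False, False, 60),
    Session("tcp 10.1.1.9:51003->203.0.113.9:443", "tcp", "tcp", False, True, 3),
    Session("tcp 10.1.1.10:51004->203.0.113.20:443", "tcp", "tcp", False, True, 600),
]
STANDBY_KEYS = {"tcp 10.1.1.5:51000->203.0.113.9:443"}

if __name__ == "__main__":
    explained, unexplained = audit(ACTIVE, STANDBY_KEYS)
    print(explained, unexplained, sep="\n")
```

Any flow left in the unexplained list is an established, aged session that should have been backed up, which points back to the heartbeat link or a disabled automatic session backup function.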

Reason why commands cannot be configured on the standby firewall
After the hot standby relationship is established between two firewalls, commands that can be automatically backed up cannot be manually configured on the standby firewall. Commands configured on the active firewall are automatically synchronized to the standby firewall. To manually configure commands of this type on the standby firewall, cancel the configured automatic backup function (undo hrp auto-sync config) first.

Why can't I run commands on the standby firewall?
After the active/standby status is set up on the two firewalls, you can run the commands that can be automatically synchronized only on the active firewall, not on the standby firewall. To manually run these commands on the standby firewall, run the undo hrp auto-sync config command to disable the automatic synchronization function.

Why does the active firewall require a longer preemption delay than the standby firewall?
Preemption starts after the original active firewall recovers. If the preemption delay on the active firewall is too short compared with that on the standby firewall, the active firewall may switch status before the session entries on the standby firewall are completely synchronized to it. As a result, some services may be interrupted. Therefore, the active firewall requires a longer preemption delay. Preemption does not start after the standby firewall recovers, so the preemption delay is meaningless for the standby firewall and you can use the default preemption delay there.

Testing the active/standby firewall switchover
The priority of the VGMP group on the USG cannot be manually changed. To implement active/backup switchover, disable the interface with the VRRP group configured and lower the priority of the VGMP group on the active firewall. If services are available on the live network and the service interface cannot be disabled, run the hrp track master command on the interface in Down state and lower the priority of the VGMP group on the active firewall to trigger active/backup switchover.
