Why are the same configuration items arranged in different orders in the configuration files on the active and standby firewalls?


The fault usually results from inconsistent initial configurations of the two firewalls. You need to delete the configuration items that appear in different orders and reconfigure them.

You are advised to configure hot standby based on the default settings.
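An added example, not from the original page or the vendor: a Python check that separates order-only differences from real content differences between the two saved configuration files, so you know which items to delete and reconfigure. It assumes a text format in which a line containing only `#` separates sections and indented lines belong to the preceding unindented line; the function names and sample lines are hypothetical.

```python
import difflib
from collections import Counter

def config_items(text):
    """Flatten a config into items; an indented line is qualified by its parent line."""
    items, parent = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "#":  # blank line or section separator
            continue
        if line[0].isspace():
            items.append(f"{parent} / {line.strip()}")
        else:
            parent = line
            items.append(line)
    return items

def shared_in_order(items, shared):
    """Keep only items that exist on both devices, preserving this file's order."""
    left, out = Counter(shared), []
    for item in items:
        if left[item]:
            left[item] -= 1
            out.append(item)
    return out

def compare(active_text, standby_text):
    a, s = config_items(active_text), config_items(standby_text)
    ca, cs = Counter(a), Counter(s)
    sa, ss = shared_in_order(a, ca & cs), shared_in_order(s, ca & cs)
    matcher = difflib.SequenceMatcher(None, sa, ss, autojunk=False)
    in_place = {i for b in matcher.get_matching_blocks() for i in range(b.a, b.a + b.size)}
    return {
        "only_active": sorted((ca - cs).elements()),   # real drift: missing on standby
        "only_standby": sorted((cs - ca).elements()),  # real drift: missing on active
        "moved": [item for i, item in enumerate(sa) if i not in in_place],  # order only
    }

# Constructed sample input: placeholder lines, not real firewall commands.
ACTIVE = ("#\nexample-group g1\n example-member 10.0.0.1\n example-member 10.0.0.2\n"
          "#\nexample-rule alpha\nexample-rule beta\nexample-rule gamma\n#\n")
STANDBY = ("#\nexample-group g1\n example-member 10.0.0.2\n example-member 10.0.0.1\n"
           "#\nexample-rule alpha\nexample-rule gamma\n#\nexample-rule delta\n")

if __name__ == "__main__":
    for kind, items in compare(ACTIVE, STANDBY).items():
        print(kind, items)
```

Items reported under `moved` exist on both devices and differ only in position; items under `only_active` or `only_standby` are content differences and point to a synchronization problem rather than an ordering one.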

Other related questions:
Why are the session tables on the active and standby firewalls different?
Check the status of the heartbeat link. If the heartbeat link fails, the sessions on the active firewall cannot be synchronized to the standby firewall. If the automatic session backup function is disabled, the sessions on the two firewalls are different. Even when the automatic session backup function is enabled, sessions are not synchronized in real time: a session is synchronized to the standby firewall only after the session aging thread detects it as a session to be synchronized. Established sessions are therefore synchronized to the standby firewall after a period (about 10 seconds).

The firewalls do not back up sessions of the following types when the automatic session backup function is enabled:
- Sessions to the firewall
- Half-open TCP connections
- Sessions in which the first packets are UDP packets and subsequent packets are not (such as the BitTorrent packets)

Concepts of configuring active and standby firewalls
On a load balancing network, to enable both devices to work in master state, consider the following issues:
- How is information backed up between the devices?
- Which commands need to be backed up?
- What is the backup direction?

To avoid errors during the backup, the USG introduces the concept of designated active and standby devices. The firewall that sends backup configurations is called the designated active device (whose system name starts with "HRP_M"), and the firewall that receives backup configurations is called the designated standby device (whose system name starts with "HRP_S").

A firewall must meet the following requirements to become the designated active device:
- In the VRRP group, only the firewalls in master state have the chance to be the designated master device.
- In load balancing mode, the two hot standby USGs are both master devices. In this case, the designated master device is selected according to the priorities of the VRRP groups and the descending order of the real IP addresses of the heartbeat interfaces.

For the stability of the designated active device, a switchover between the designated active and standby devices takes place only when a fault occurs on the designated active device or the designated active device quits the VRRP group.

Why are commands executed on the active firewall not synchronized to the standby firewall?
If you disable the automatic configuration synchronization function, the configurations are not synchronized. Besides, not all commands can be synchronized. For example, interface and routing configurations cannot be synchronized. For commands that can be synchronized, see Specifications.

Can active and standby U1981 devices use the same license file?
No. The active U1981 device requires an active license and the standby device requires a DR license.

Reason why commands cannot be configured on the standby firewall
After the hot standby relationship is established between two firewalls, commands that can be automatically backed up cannot be manually configured on the standby firewall. Commands configured on the active firewall are automatically synchronized to the standby firewall. To manually configure commands of this type on the standby firewall, cancel the configured automatic backup function (undo hrp auto-sync config) first.
