
Modifying Configurations on the Active and Standby Devices for Consistency

The configuration consistency check function is used to check whether the key configurations of the active and standby FWs are consistent. If they are inconsistent, change them to the same value to prevent service exceptions after the active/standby switchover.

Prerequisites

The heartbeat interface of the FW has been configured and can communicate with the peer.

Context

The FW checks the consistency of only key configurations. For the configurations to be checked, see Configuration Consistency Check.

Procedure

  1. Enable the configuration consistency check function in the system view and adjust related parameters to detect the configuration inconsistency between the active and standby devices.
    • Configure the active device to periodically initiate consistency check.

      Item: Enable consistency auto-check of configurations on the active and standby devices.
      Command: hrp configuration auto-check enable
      Description:
      • By default, the auto-check function is enabled. This command supports backup. Therefore, you need to run this command only on the active device.

      Item: Set the interval for consistency auto-check of configurations on the active and standby devices.
      Command: hrp configuration auto-check interval timer-interval
      Description:
      • By default, the interval for consistency auto-check is 1440 minutes. This command supports backup. Therefore, you need to run this command only on the active device.

      Item: Enable the log and alarm sending functions for the consistency auto-check result of configurations on the active and standby devices.
      Command: hrp configuration auto-check warning enable
      Description:
      • By default, the log and alarm sending functions are enabled.
      • If the log and alarm sending functions are disabled, no alarm is generated even if the configurations on the active and standby devices are inconsistent.
    • Run the hrp configuration check command to manually trigger the consistency check.

      • Check the consistency of all configurations on the active and standby devices.

        hrp configuration check all

      • Check consistency of module configurations on the active and standby FWs.

        hrp configuration check { acl | acl6 | address-set | audit-policy | auth-policy | bgp | hrp | hash | interface | license | nat-policy | ospf | security-policy | service-set | static-route | traffic-policy | zone } [ verbose ]

  2. Check whether the alarm (HRPI_1.3.6.1.4.1.2011.6.122.51.2.2.4 hwHrpCochk) and log (HRPI/4/COCHK) are displayed on the device. If yes, run the hrp configuration check command to check the configuration consistency. Alternatively, you can run the display hrp configuration check command to view the configuration consistency check result.
  3. If alarms, logs, or commands indicate that the configurations of the active and standby devices are inconsistent, run the hrp sync config command to trigger a batch backup. The configuration is backed up from the device where the hrp sync config command is run to the peer device.
  4. Run the save command on the local device. When the message "Do you want to synchronously save the configuration to the startup saved-configuration file on peer device?" is displayed, select y. The peer device automatically saves the configuration.

    After batch backup, the configuration is saved in the running configuration, not in the configuration file. You need to run the save command to save the configuration to the configuration file.

  5. Manual configuration batch backup cannot ensure that the backup configurations of the two devices are the same. In this case, run the hrp configuration check command to trigger the consistency check based on the feature module names in the alarm and log, run the display hrp configuration check command to check the inconsistent configurations of a specific feature module, and modify the inconsistent configurations based on the command output.

    For feature modules such as policies, address sets, service sets, and OSPF, you can view difference details. However, there are a large number of policies, address sets, service sets, IPv4 ACLs, IPv6 ACLs, OSPF processes, and security zones that can be configured on the device. To prevent the check from occupying system resources and affecting device performance, the system compares the first 20 items of the active and standby devices each time. After eliminating the differences, you can check and eliminate other differences until the configurations of the two devices are consistent. The following table lists the possible output of the detailed configuration differences between the active and standby devices.

    Module: Detailed Description of Differences

    Policy

    • [difference-id]Rule configuration-sequence-number "rule-name1" on the active device differs from "rule-name2" on the standby device.

      The active and standby devices compare rule configuration sequence numbers one by one. The message indicates that rule configuration-sequence-number on the active device is different from that on the standby device. The rule names are rule-name1 (active device) and rule-name2 (standby device). If the names of rule-name1 and rule-name2 are different, the rule sequence on the active and standby devices may be different or the rules on one device may be missing. If the names of rule-name1 and rule-name2 are the same, the rule configurations are inconsistent.

    • [difference-id]Rule configuration-sequence-number "rule-name3" on the active device is missing or misplaced on the standby device.

      This message indicates that rule configuration-sequence-number named rule-name3 on the active device does not exist on the standby device. The number of rules on the active device is greater than that on the standby device, so rule-name3 on the active device has no matching item on the standby device. To solve this problem, confirm whether rule-name3 does not exist on the standby device or is mismatched because other rules are missing.

    • [difference-id]Rule configuration-sequence-number "rule-name4" on the standby device is missing or misplaced on the active device.

      This message indicates that rule configuration-sequence-number named rule-name4 on the standby device does not exist on the active device. The number of rules on the standby device is greater than that on the active device, so rule-name4 on the standby device has no matching item on the active device. To solve this problem, confirm whether rule-name4 does not exist on the active device or is mismatched because other rules are missing.

    Address set

    • [difference-id]The address set "address-set-name1" is different.

      This message indicates that the configurations in the address set named address-set-name1 on the active and standby devices are different.

    • [difference-id]The address set "address-set-name2" on the active device is missing on the standby device.

      This message indicates that the address set named address-set-name2 on the active device does not exist on the standby device.

    • [difference-id]The address set "address-set-name3" on the standby device is missing on the active device.

      This message indicates that the address set named address-set-name3 on the standby device does not exist on the active device.

    Service set

    • [difference-id]The service set "service-set-name1" is different.

      This message indicates that the configurations in the service set named service-set-name1 on the active and standby devices are different.

    • [difference-id]The service set "service-set-name2" on the active device is missing on the standby device.

      This message indicates that the service set named service-set-name2 on the active device does not exist on the standby device.

    • [difference-id]The service set "service-set-name3" on the standby device is missing on the active device.

      This message indicates that the service set named service-set-name3 on the standby device does not exist on the active device.

    IPv4 ACL

    • [difference-id]The IPv4 ACL acl-number1 is different.

      This message indicates that the configurations in the IPv4 ACL acl-number1 on the active and standby devices are different.

    • [difference-id]The IPv4 ACL acl-number2 on the active device is missing on the standby device.

      This message indicates that IPv4 ACL acl-number2 on the active device does not exist on the standby device.

    • [difference-id]The IPv4 ACL acl-number3 on the standby device is missing on the active device.

      This message indicates that IPv4 ACL acl-number3 on the standby device does not exist on the active device.

    IPv6 ACL

    • [difference-id]The IPv6 ACL ipv6-acl-number1 is different.

      This message indicates that the configurations in the IPv6 ACL ipv6-acl-number1 on the active and standby devices are different.

    • [difference-id]The IPv6 ACL ipv6-acl-number2 on the active device is missing on the standby device.

      This message indicates that IPv6 ACL ipv6-acl-number2 on the active device does not exist on the standby device.

    • [difference-id]The IPv6 ACL ipv6-acl-number3 on the standby device is missing on the active device.

      This message indicates that IPv6 ACL ipv6-acl-number3 on the standby device does not exist on the active device.

    Interface

    • [difference-id]interface-name1: This interface does not exist on the local device.

      This message indicates that the interface-name1 on the peer device does not exist on the local device.

    • [difference-id]interface-name2: This interface does not exist on the peer device.

      This message indicates that the interface-name2 on the local device does not exist on the peer device.

    • [difference-id]interface-name3: The number of VRRP groups configured on the local interface is consistent with that on the peer interface.

      This message indicates that the number of VRRP groups configured on the same interfaces interface-name3 is consistent.

    • [difference-id]interface-name4: The number of IPv4 addresses configured on the local interface is consistent with that on the peer interface.

      This message indicates that the number of IPv4 addresses configured on the same interfaces interface-name4 is consistent.

    • [difference-id]interface-name5: The OSPF network type configuration on the local interface is consistent with that on the peer interface.

      This message indicates that the ospf network-type configuration on the same interfaces interface-name5 is consistent.

    • [difference-id]interface-name6: An IPSec policy is applied on one interface but not on the other interface.

      This message indicates that the IPSec policy configuration on the same interfaces interface-name6 is consistent. The system only checks whether the IPSec policy is applied to the interfaces. The contents of the IPSec policy are not checked.

    Security zone

    • [difference-id]The configuration of zone "zone-name1" with ID zone-id1 on the active device is different from that on the standby device. 

      This message indicates that the configuration of the security zone zone-name1 with the zone ID zone-id1 on the active device is different from that on the standby device.

    • [difference-id]The configuration of zone "zone-name2" with ID zone-id2 on the standby device is different from that on the active device. 

      This message indicates that the configuration of the security zone zone-name2 with the zone ID zone-id2 on the standby device is different from that on the active device.

    • [difference-id]Zone "zone-name3" with ID zone-id3 on the active device does not exist.

      This message indicates that the security zone zone-name3 with the zone ID zone-id3 does not exist on the active device.

    • [difference-id]Zone "zone-name4" with ID zone-id4 on the standby device does not exist.

      This message indicates that the security zone zone-name4 with the zone ID zone-id4 does not exist on the standby device.

    OSPF

    • [difference-id]OSPF process-id1 is missing on peer device.

      This message indicates that OSPF process-id1 on the local device does not exist on the peer device.

    • [difference-id]OSPF process-id2 is missing on local device.

      This message indicates that OSPF process-id2 on the peer device does not exist on the local device.

    • [difference-id]OSPF process-id3 on local device differs from the one on peer device.

      This message indicates that the configurations in the OSPF process-id3 on the active and standby devices are different.
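
The difference messages listed above can be triaged mechanically once the check result has been captured as text. The following is an added example, not Huawei's code: it parses the policy, address set, service set, and ACL message shapes from the table and applies the rule-name reasoning given for policy differences. The numeric form of difference-id, the function names, and all sample lines are constructed assumptions.

```python
import re

# Message shapes come from the difference table above. The numeric
# difference-id and every sample value below are constructed assumptions.
ENTRY = re.compile(r'^\[(?P<id>\d+)\]\s*(?P<body>.+)$')
RULE = re.compile(
    r'^Rule (?P<seq>\S+) "(?P<name>[^"]+)" on the (?P<side>active|standby) device '
    r'(?:differs from "(?P<peer>[^"]+)" on the standby device'
    r'|is missing or misplaced on the (?:active|standby) device)\.$')
OBJECT = re.compile(
    r'^The (?P<kind>address set|service set|IPv4 ACL|IPv6 ACL) "?(?P<name>[^"]+?)"? '
    r'(?:(?P<diff>is different)'
    r'|on the (?P<side>active|standby) device is missing on the (?:active|standby) device)\.$')
OTHER = {"active": "standby", "standby": "active"}

def triage(line):
    """Classify one difference line; returns None for lines without an id."""
    entry = ENTRY.match(line.strip())
    if entry is None:
        return None
    ident, body = int(entry["id"]), entry["body"]
    rule = RULE.match(body)
    if rule:
        if rule["peer"] is None:            # no counterpart at this position
            finding = "absent_or_misplaced_on_" + OTHER[rule["side"]]
        elif rule["peer"] == rule["name"]:  # same rule name, contents differ
            finding = "rule_content_differs"
        else:                               # different rule at the same position
            finding = "order_shifted_or_rule_missing"
        return {"id": ident, "module": "policy", "object": rule["name"], "finding": finding}
    obj = OBJECT.match(body)
    if obj:
        finding = "content_differs" if obj["diff"] else "absent_on_" + OTHER[obj["side"]]
        return {"id": ident, "module": obj["kind"], "object": obj["name"], "finding": finding}
    return {"id": ident, "module": "other", "object": None, "finding": "unparsed"}

SAMPLE = '''\
[1]Rule 3 "allow_web" on the active device differs from "allow_web" on the standby device.
[2]Rule 4 "deny_telnet" on the active device differs from "allow_dns" on the standby device.
[3]Rule 9 "block_legacy" on the active device is missing or misplaced on the standby device.
[4]The address set "dmz_hosts" on the standby device is missing on the active device.
[5]The IPv4 ACL 3001 is different.
[6]GigabitEthernet0/0/1: This interface does not exist on the peer device.
'''

def triage_all(text):
    return [r for r in map(triage, text.splitlines()) if r is not None]

if __name__ == "__main__":
    for row in triage_all(SAMPLE):
        print(row)
```

Entries reported as absent on one device are the ones where the enforced policy would change after a switchover, so they are worth reviewing before the remaining differences.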

Copyright © Huawei Technologies Co., Ltd.