Juniper Clustering : Policy out of sync

On a Juniper SRX cluster, after re-ordering some security policies on the primary node and committing them, no further changes can be made without the warning

The out-of-sync condition can be caused by:
• A policy message from the RE to the PFE being lost.
• Something going wrong on the RE, such as a policy UID being re-used.

How to check whether there is an out-of-sync issue?
The warning appears when an attempt is made to change the policy configuration while the policies are already out of sync between the RE and the PFE(s).

To check if the out-of-sync issue has occurred, compare the checksum value of the following commands:

On the RE:

On each PFE (FWDD on branch SRX, XLR on high-end SRX):

If the PFE is indeed out of sync, you can also try the hidden command 'commit full' or 'commit synchronize force'.

The following command attempts a manual resync, which fixes the issue in some cases:
# run request pfe execute command "test usp policy resync lsys-name root-logical-system 0 0" target fwdd

About the author

James Palmer
