On a Juniper SRX chassis cluster, after some security policies were re-ordered on the primary node and committed, no further configuration change can be committed; every attempt fails with:
error: Policy is out of sync between RE and PFE cluster1.node1. Please resync before commit.
error: configuration check-out failed.
The out-of-sync condition can be caused by:
•A policy message from the RE to the PFE being lost.
•Something going wrong on the RE, such as a policy UID being re-used.
How to check whether there is an out-of-sync issue?
The error is raised when an attempt is made to change the policy configuration while the policies are already out of sync between the RE and the PFE(s).
To confirm that this has happened, compare the checksum values reported by the following commands:
On the RE:
user@SRX> show security policies checksum
(Hidden command: it does not auto-complete, so it has to be typed out in full.)
The output provides one checksum per zone pair, for example:
Logical system: root-logical-system
From zone    To zone    Checksum
untrust      trust      0xe0fc5791-d7ec5b89-cbc66724-35d706c1
On each PFE (FWDD on branch SRX, XLR on high-end SRX):
user@SRX> start shell          <-- for branch SRX devices
% vty fwdd
FLOWD_OCTEON(vty)# show usp policy checksum
The output provides the checksum as seen by that PFE, for example:
Logical system: root-logical-system
From zone    To zone    checksum
untrust      trust      0xe0fc5791-d7ec5b89-cbc66724-35d706c1
Important: the checksum on the RE and on every PFE must be identical for every zone pair. In a cluster, check the PFE on each node, starting with the node named in the commit error.
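Comparing the two outputs by eye is error-prone once there are many zone pairs and two cluster nodes to check. The following Python script is an added example (not from the original article and not a Juniper tool): it parses captured output of the two checksum commands in the layout shown above and reports every zone pair whose checksum differs between the RE and a PFE, or that exists on only one side. The sample outputs embedded in the script are constructed for this example; in practice you would paste the real CLI output into the strings or read it from files.

```python
"""Compare RE vs PFE security policy checksums per zone pair.

Added example; parses the table layout shown in the article:
  Logical system: <name>
  From zone   To zone   Checksum
  <from>      <to>      0x........-........-........-........
"""
import re

# Constructed sample output of "show security policies checksum" on the RE.
RE_OUTPUT = """\
Logical system: root-logical-system
From zone       To zone         Checksum
untrust         trust           0xe0fc5791-d7ec5b89-cbc66724-35d706c1
trust           untrust         0x1a2b3c4d-5e6f7081-92a3b4c5-d6e7f809
trust           dmz             0x0badf00d-00000001-00000002-00000003
"""

# Constructed sample output of "show usp policy checksum" from each node's PFE.
# node1 is deliberately out of sync: one checksum differs and one pair is missing.
PFE_OUTPUTS = {
    "node0": """\
Logical system: root-logical-system
From zone       To zone         checksum
untrust         trust           0xe0fc5791-d7ec5b89-cbc66724-35d706c1
trust           untrust         0x1a2b3c4d-5e6f7081-92a3b4c5-d6e7f809
trust           dmz             0x0badf00d-00000001-00000002-00000003
""",
    "node1": """\
Logical system: root-logical-system
From zone       To zone         checksum
untrust         trust           0xe0fc5791-d7ec5b89-cbc66724-35d706c1
trust           untrust         0xdeadbeef-5e6f7081-92a3b4c5-d6e7f809
""",
}

# Four 32-bit hex words joined by dashes, as in the article's sample output.
CHECKSUM_RE = re.compile(r"^0x[0-9a-f]{8}(?:-[0-9a-f]{8}){3}$", re.I)


def parse_checksums(text):
    """Return {(lsys, from_zone, to_zone): checksum} parsed from CLI output."""
    result = {}
    lsys = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("logical system:"):
            lsys = line.split(":", 1)[1].strip()
            continue
        fields = line.split()
        # Skip the column header ("From zone  To zone  Checksum") and any
        # line that is not exactly "<from> <to> <checksum>".
        if len(fields) != 3 or not CHECKSUM_RE.match(fields[2]):
            continue
        if lsys is None:
            raise ValueError("checksum row seen before a 'Logical system:' header")
        result[(lsys, fields[0], fields[1])] = fields[2].lower()
    return result


def compare(re_text, pfe_texts):
    """Return {node: [problem descriptions]}; an empty dict means all in sync."""
    re_sums = parse_checksums(re_text)
    problems = {}
    for node, text in pfe_texts.items():
        pfe_sums = parse_checksums(text)
        issues = []
        for key in sorted(set(re_sums) | set(pfe_sums)):
            lsys, src, dst = key
            pair = f"{lsys} {src}->{dst}"
            if key not in pfe_sums:
                issues.append(f"{pair}: missing on PFE")
            elif key not in re_sums:
                issues.append(f"{pair}: present on PFE but not on RE")
            elif re_sums[key] != pfe_sums[key]:
                issues.append(f"{pair}: RE {re_sums[key]} != PFE {pfe_sums[key]}")
        if issues:
            problems[node] = issues
    return problems


if __name__ == "__main__":
    report = compare(RE_OUTPUT, PFE_OUTPUTS)
    if not report:
        print("RE and all PFEs are in sync")
    for node, issues in report.items():
        print(f"{node}: OUT OF SYNC")
        for issue in issues:
            print(f"  {issue}")
```

Run it after capturing the RE output and each node's PFE output; any node listed in the report is the one that needs the resync described below, and the same script can be re-run after the resync to confirm the checksums match before attempting the commit again.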
If the PFE is indeed out of sync, you can also try the hidden commands 'commit full' or 'commit synchronize force'.
The following command attempts a manual resync of the PFE policy state and fixes the issue in some cases (run from configuration mode; the target is the PFE named in the error):
# run request pfe execute command "test usp policy resync lsys-name root-logical-system 0 0" target fwdd
After the resync, repeat the checksum comparison on the RE and the PFE before committing again.