【Symptom】
USG6300E V600R007C20SPC300 in a hot standby (HRP) pair. The log reports that the configurations of the active and standby firewalls are inconsistent, and gives inconsistent keys as the cause. An RSA key pair mismatch was suspected.
Oct 7 2021 11:52:21+08:00 USG6300E_A %HRPI/4/COCHK(l)[2]:The configurations between active and standby device is different(The key pairs of the active and standby devices are inconsistent(VsysID = 0). To solve this problem, run the pki rsa local-key-pair backup all-sys and pki certificate backup all-sys commands.).
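The log line above is the only signal of the mismatch, so it is worth catching it automatically instead of waiting for someone to read the buffer. The following is an added example, not from the original note or from Huawei: a small Python parser for the VRP syslog header (`%MODULE/severity/MNEMONIC(l)[seq]:text`) that picks out HRPI/4/COCHK events, tells the RSA key pair cause apart from other configuration-check causes, and extracts the VsysID and the remediation commands the device itself names in the message. The sample log lines other than the first are constructed for the example; the field names and the `HrpConfigCheck` class are my own, not a Huawei API.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Huawei VRP syslog line, as seen on the USG:
#   "<Mon> <d> <yyyy> <hh:mm:ss><tz> <hostname> %<MODULE>/<sev>/<MNEMONIC>(l)[<seq>]:<text>"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"%(?P<module>[A-Z0-9]+)/(?P<severity>\d)/(?P<mnemonic>[A-Z0-9_]+)"
    r"\([a-z]\)\[(?P<seq>\d+)\]:"
    r"(?P<text>.*)$"
)

# Cause text the firewall prints when the RSA key pairs differ between the HRP peers.
KEYPAIR_RE = re.compile(
    r"key pairs of the active and standby devices are inconsistent\(VsysID = (?P<vsys>\d+)\)"
)
# The message names its own fix: "run the <cmd1> and <cmd2> commands."
FIX_RE = re.compile(r"run the (?P<cmds>.+?) commands?\.")


@dataclass
class HrpConfigCheck:
    host: str
    timestamp: str
    severity: int
    reason: str                      # "rsa-key-pair" or "other"
    vsys_id: Optional[int]
    suggested_commands: List[str] = field(default_factory=list)


def parse_hrp_cochk(line: str) -> Optional[HrpConfigCheck]:
    """Return a structured event for an HRPI/4/COCHK line, or None for anything else."""
    m = HEADER_RE.match(line.strip())
    if not m or m["module"] != "HRPI" or m["mnemonic"] != "COCHK":
        return None
    text = m["text"]
    kp = KEYPAIR_RE.search(text)
    fix = FIX_RE.search(text)
    cmds = [c.strip() for c in fix["cmds"].split(" and ")] if fix else []
    return HrpConfigCheck(
        host=m["host"],
        timestamp=m["ts"],
        severity=int(m["severity"]),
        reason="rsa-key-pair" if kp else "other",
        vsys_id=int(kp["vsys"]) if kp else None,
        suggested_commands=cmds,
    )


def find_key_pair_mismatches(lines: List[str]) -> List[HrpConfigCheck]:
    """Keep only the COCHK events whose cause is an RSA key pair mismatch."""
    return [ev for ln in lines if (ev := parse_hrp_cochk(ln)) and ev.reason == "rsa-key-pair"]


# Constructed sample: the first line is the one from the note, the other two are made up
# (a COCHK with a different cause, and an unrelated SHELL record) to show what is filtered out.
SAMPLE_LOGS = [
    "Oct 7 2021 11:52:21+08:00 USG6300E_A %HRPI/4/COCHK(l)[2]:The configurations between active and "
    "standby device is different(The key pairs of the active and standby devices are inconsistent"
    "(VsysID = 0). To solve this problem, run the pki rsa local-key-pair backup all-sys and "
    "pki certificate backup all-sys commands.).",
    "Oct  7 2021 11:53:02+08:00 USG6300E_A %HRPI/4/COCHK(l)[3]:The configurations between active and "
    "standby device is different(constructed example of another cause).",
    "Oct  7 2021 11:54:10+08:00 USG6300E_A %SHELL/5/CMDRECORD(s)[4]:Recorded command information.",
]

if __name__ == "__main__":
    for ev in find_key_pair_mismatches(SAMPLE_LOGS):
        print(f"{ev.timestamp} {ev.host}: RSA key pair mismatch in vsys {ev.vsys_id}; "
              f"device suggests: {'; '.join(ev.suggested_commands)}")
```

Fed the real device log (for example via syslog forwarding), `find_key_pair_mismatches` gives a monitoring system a precise trigger for the key pair case, while COCHK events with other causes still parse but are reported with `reason="other"` so they can be routed separately.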
【Troubleshooting】
On the active device, run pki rsa local-key-pair match-slave to check whether all RSA key pairs on the active and standby devices of the hot standby pair are identical.
HRP_M[USG6300E_A] pki rsa local-key-pair match-slave
Info: Obtaining RSA key pair from the standby device, please wait.
Error: The RSA key pair on the standby device is not the same as that on the active device. // The error confirms that the active and standby RSA key pairs differ
HRP_M[USG6300E_A]
【Solution】
On the active device, run pki rsa local-key-pair backup, then run pki rsa local-key-pair match-slave again; the check now passes.
HRP_M[USG6300E_A] pki rsa local-key-pair backup // Back up all RSA key pairs on the active device to the standby device in one batch
Info: Sending start info to standby device.
Info: Backing up all RSA key pairs to standby device.
Info: Waitting for backup result.
Info: RSA key pair backup succeeded. // The RSA key pairs were synchronized successfully
HRP_M[USG6300E_A] pki rsa local-key-pair match-slave // Compare again
Info: Obtaining RSA key pair from the standby device, please wait.
Info: All RSA key pairs are the same . // Now reported as identical with no error, so the RSA key pairs are consistent
HRP_M[USG6300E_A]