show security policies checksum
Syntax
show security policies checksum <logical-system (logical-system-name | all)> <root-logical-system> <tenant tenant-name>
Description
Displays the security policy checksum value.
Verifying the checksum helps validate the security policy sync status between the Routing Engine and the Packet Forwarding Engine. The checksum value should be the same for the Routing Engine and the Packet Forwarding Engine. If the checksum values are not the same, the security policies on the Routing Engine and the Packet Forwarding Engine are out of sync.
The show security policies checksum command can only be used to determine whether the security policies are out of sync; it cannot confirm that they are in sync. Use the request security policies check command to get a list of all policies that are in sync and/or out of sync.
Use the request security policies resync command to synchronize the configuration of security policies in the Routing Engine and Packet Forwarding Engine.
Options
logical-system (logical-system-name | all) | Displays the security policy checksum value for the security policies configured on a logical system or on all logical systems. |
root-logical-system | Displays the security policy checksum value for the security policies configured on the root logical system. This is the default outcome. |
tenant tenant-name | Displays the security policy checksum value for the security policies configured on a tenant. |
Additional Information
The checksum value is a 32-character hexadecimal number that is computed for the security policy on the device.
Security policies are stored in the Routing Engine and the Packet Forwarding Engine. Security policies are pushed from the Routing Engine to the Packet Forwarding Engine when you commit configurations. If the security policies on the Routing Engine are out of sync with the Packet Forwarding Engine, the commit of a configuration fails. Core dump files may be generated if the commit is tried repeatedly. The out-of-sync condition can be due to:
- A policy message from the Routing Engine to the Packet Forwarding Engine is lost in transit.
- An error with the Routing Engine, such as a reused policy UID.
When the policy configuration is modified and the policies are out of sync, the following error message is displayed:
error: Warning: policy might be out of sync between RE and PFE <SPU-name(s)>. Please request security policies check/resync.
Required Privilege Level
view
Sample Output
- show security policies checksum (RE)
- show security policies checksum (PFE)
- show security policies checksum logical-system all
show security policies checksum (RE)
user@host> show security policies checksum
Logical system: root-logical-system
From zone        To zone        Checksum
trust            untrust        0xe0fc5791-d7ec5b89-cbc66724-35d706c
show security policies checksum (PFE)
FLOWD_OCTEON(vty)# show usp policy checksum
Logical system: root-logical-system
From zone        To zone        Checksum
trust            untrust        0xe0fc5791-d7ec5b89-cbc66724-35d706c
show security policies checksum logical-system all
user@host> show security policies checksum logical-system all
Logical system: LSYS1
From zone        To zone          Checksum
lsys1-trust      lsys1-untrust    0x7ff147ff-f9df0820-081fb02e-226455e3
Logical system: LSYS2
From zone        To zone          Checksum
lsys2-trust      lsys2-untrust    0x4bfd47fa-64fbb3e7-3a9444b5-94dd9db5
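The Routing Engine and Packet Forwarding Engine listings can be compared mechanically. The following Python script is an added example, not part of the original documentation: it parses two saved listings in the layout shown above and reports every logical system and zone pair whose checksums differ. The sample text and checksum values are constructed, and the names parse_checksums and compare are hypothetical.

```python
import re

# Constructed sample text in the layout of the page's sample output;
# the checksum values are made up for illustration.
RE_OUTPUT = """\
Logical system: root-logical-system
From zone        To zone        Checksum
trust            untrust        0x11111111-22222222-33333333-44444444
untrust          trust          0xaaaaaaaa-bbbbbbbb-cccccccc-dddddddd
"""
PFE_OUTPUT = """\
Logical system: root-logical-system
From zone        To zone        Checksum
trust            untrust        0x11111111-22222222-33333333-44444444
untrust          trust          0xaaaaaaaa-bbbbbbbb-cccccccc-00000000
"""

# A data row is: from-zone, to-zone, then a dash-grouped hex checksum.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(0x[0-9a-fA-F]+(?:-[0-9a-fA-F]+)*)$")

def parse_checksums(text):
    """Return {(logical_system, from_zone, to_zone): checksum}."""
    table, lsys = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Logical system:"):
            lsys = line.split(":", 1)[1].strip()
            continue
        m = ROW.match(line)  # prompt and header lines do not match
        if m and lsys is not None:
            table[(lsys, m.group(1), m.group(2))] = m.group(3).lower()
    return table

def compare(re_text, pfe_text):
    """Return [(context, re_checksum, pfe_checksum)] for contexts that differ.
    A context missing on one side is reported with None for that side."""
    re_t, pfe_t = parse_checksums(re_text), parse_checksums(pfe_text)
    return [(k, re_t.get(k), pfe_t.get(k))
            for k in sorted(set(re_t) | set(pfe_t))
            if re_t.get(k) != pfe_t.get(k)]

if __name__ == "__main__":
    diffs = compare(RE_OUTPUT, PFE_OUTPUT)
    for (lsys, src, dst), re_sum, pfe_sum in diffs:
        print(f"OUT OF SYNC {lsys} {src}->{dst}: RE={re_sum} PFE={pfe_sum}")
    if not diffs:
        # Per this page, matching checksums do not confirm the in-sync state.
        print("No mismatch; run 'request security policies check' to confirm.")
```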
Release Information
Command introduced in Junos OS Release 18.4R1.