Verifying NSRP Active-Active Status
Knowledge Base ID: KB7840
Version: 3.0
Published: 07 Oct 2008
Updated: 07 Oct 2008
Categories: NS-204, NS-208, NS-500, ScreenOS, NSRP

Summary:

This article covers setting up NSRP Active-Active and how to determine whether the cluster is actually running in an Active-Active environment, as opposed to an Active-Passive or split-brain environment.

Problem or Goal:
When fail-over occurs, some packet drops are experienced, even though the cluster is configured as an active-active NSRP cluster.

Solution:

To check the status of an NSRP active-active cluster, issue the command 'get nsrp'.  A successful NSRP configuration will have the following output:

C2-09(M)-> get nsrp
nsrp version: 2.0

cluster info:
cluster id: 1, no name
local unit id: 3513520
active units discovered:
index: 0, unit id:   3513520, ctrl mac: 0010db359cba, data mac: 0010db359cbb
index: 1, unit id:   3515616, ctrl mac: 0010db35a4ea, data mac: 0010db35a4eb
total number of units: 2

VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig   master       PB other members
    0        1 yes            1 no       myself  3515616
    1      100 no             2 no      3515616   myself
total number of vsd groups: 2
Total iteration=23469,time=540006250,max=55388,min=8950,average=23009

RTO mirror info:
--- more ---
run time object sync:   enabled
ping session sync: enabled
coldstart sync done
nsrp data packet forwarding is enabled

nsrp link info:
control   channel: ethernet7 (ifnum: 10)  mac: 0010db359cba state: up
data      channel: ethernet8 (ifnum: 11)  mac: 0010db359cbb state: up
ha secondary path link not available

NSRP encryption: disabled
NSRP authentication: disabled
device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
device based nsrp monitor interface:
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, disabled)
number of gratuitous arps: 4 (default)
config sync: enabled

track ip: disabled

Notice that for VSD 0 the output states the master as 'myself', and for VSD 1 the master is 3515616.  Also, VSD 0 is configured with priority 1, and VSD 1 is configured with priority 100.  This means VSD 0 is the preferred VSD for this device.  If the output has VSD 0 and VSD 1 displaying "master" for both, then there is a configuration problem.

Under NSRP link info, you should see an active control channel and an active data channel.  If you do not have an active data channel, either the link on that interface is bad or you did not configure 2 interfaces for the HA zone.
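
The two checks above (VSD group masters and HA link state) can be automated against captured 'get nsrp' output. The following is an added example, not part of the original article or of ScreenOS; the function names are hypothetical, and it assumes the configuration problem described above means the same master is listed for every VSD group.

```python
import re

# Abbreviated from the 'get nsrp' output shown in this article.
SAMPLE = """\
cluster id: 1, no name
local unit id: 3513520
total number of units: 2
VSD group info:
group priority preempt holddown inelig   master       PB other members
    0        1 yes            1 no       myself  3515616
    1      100 no             2 no      3515616   myself
total number of vsd groups: 2
nsrp link info:
control   channel: ethernet7 (ifnum: 10)  mac: 0010db359cba state: up
data      channel: ethernet8 (ifnum: 11)  mac: 0010db359cbb state: up
ha secondary path link not available
"""

# Assumption: the same master on every VSD group is the misconfiguration described above.
VSD_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(yes|no)\s+(\d+)\s+(yes|no)\s+(\S+)")
LINK_ROW = re.compile(r"^(control|data)\s+channel:\s+(\S+).*\bstate:\s*(\S+)")

def parse_get_nsrp(text):
    """Return ({vsd_group: master}, {channel: state}) from 'get nsrp' output."""
    masters, links = {}, {}
    for line in text.splitlines():
        if m := VSD_ROW.match(line):
            masters[int(m.group(1))] = m.group(6)   # 6th column is 'master'
        elif m := LINK_ROW.match(line):
            links[m.group(1)] = m.group(3)          # 'up', 'down', ...
    return masters, links

def check_active_active(text):
    """Return a list of findings; an empty list means both checks passed."""
    masters, links = parse_get_nsrp(text)
    findings = []
    if len(masters) < 2:
        findings.append("fewer than 2 VSD groups found")
    elif len(set(masters.values())) == 1:
        findings.append(f"every VSD group has the same master ({masters[min(masters)]})")
    for channel in ("control", "data"):
        state = links.get(channel, "missing")
        if state != "up":
            findings.append(f"{channel} channel is {state}")
    return findings

if __name__ == "__main__":
    print(check_active_active(SAMPLE) or "active-active checks passed")
```

Run it against output captured from each cluster member, since 'myself' is relative to the device the command was issued on.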

On the NS-208, you will need to bind 2 interfaces to the HA zone in order for active-active NSRP to work.  Otherwise, you may run into a split-brain situation when fail-over occurs.

If the HA link between the two devices goes through a switch, you will also need to apply an additional command:

set nsrp ha-link probe

Purpose:
Configuration