Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] In NSRP Active/Passive environment, how do I perform a device fail over of monitored objects (Interface, Track-IP, and Zone)?

0

0

Article ID: KB11192 KB Last Updated: 11 Sep 2020Version: 4.0
Summary:
In an NSRP Active/Passive configuration, device failover can be triggered by monitoring at least one of three objects--interface, track-ip address, and zone.  For the purpose of troubleshooting, this article describes how to trigger a failover of an NSRP device when monitoring each object.
Symptoms:
Question:
  • How can I manually fail over the master to the backup device?
  • Force a pair of Juniper Firewalls in High Availability (HA) to fail over
  • How can I safely failover to the backup (NSRP)?
An NSRP Active/Passive device can be configured to automatically trigger a firewall (device) failover by monitoring one or more of these three objects:
  • Interface
  • Track IP address
  • Zone
This article describes how to trigger a firewall to failover to the backup, for the purpose of troubleshooting:
  1. How do I execute a failover with Interface monitor?  See Scenario-1 below. 
  2. How do I execute a failover with the Track-IP component?   See Scenario-2 below.
  3. How do I execute a failover with zone monitor? See Scenario-3 below.
Solution:

To verify which 'monitor' objects are configured on your firewall, use one the following commands:

get config | include "nsrp monitor"

OR

get nsrp monitor

For example, the following "nsrp monitor" commands are configured on a firewall:

set nsrp monitor interface ethernet1
set nsrp monitor interface ethernet2
set nsrp monitor track-ip ip
set nsrp monitor track-ip ip 1.1.1.1
set nsrp monitor track-ip ip 2.2.2.2

And the corresponding output with 'get nsrp monitor' is as follows:

device based nsrp monitoring threshold: 255, weighted sum: 510, failed
device based nsrp monitor interface: ethernet1(weight 255, DOWN) ethernet2(weight 255, DOWN)
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, enabled, not failed)

Note: For details configuring NSRP object monitoring, refer to the 'NSRP Object Monitoring to Trigger Failover' section of  the Concept & Examples ScreenOS Reference Guide, High Availability volume.

 

Scenario-1: Interface configured as the monitored target

Layer 2 path monitoring functions by checking that the physical ports are active and connected to other network devices. Failure of a physical interface object occurs when the port is no longer active. In order to execute a failover with Interface Monitoring, perform the following steps:
  1. Before a monitored interface can be failed over, each monitored interface must be specified with the 'set nsrp monitor interface' command.  Verify this command is configured on your firewall: 
    set nsrp monitor interface interface [weight number]

    Example:
    set nsrp monitor interface ethernet0/1

  2. With default value of threshold and weight set to 255, a failover can be caused by only one interface becoming down. This could be tested by either pulling a cable connected to the interface or running the following command.
    set interface ethernet0/1 phy link-down
The command to bring the interface back up later is  unset interface ethernet0/1 phy link-down.



Scenario-2: One or more IP Address configured as the monitored target (track-ip)

In order to execute a failover with Track-IP Monitoring, verify the following steps:
  1. An absolute requirement for track-ip as a monitor object is that a manage-ip must be specified on the outgoing interface to the track-ip address.  This manage-ip must be different and unique for each NSRP interface and device.   Enter the command, get config | inc "manage-ip", and verify the manage-ip address is configured :
    set interface ethernet0/1 manage-ip <IP address>
  2. Enter the command, get config | inc "track-ip", to verify track-ip is enabled.  Look for the following command:
    set nsrp track-ip ip
  3. To verify the current values regarding to track-ip monitor, use the following command:
     
    get nsrp monitor track-ip

    NOTE:  By default, one track-ip has a weight of 1, while the threshold to cause failover by track-ip is 255. Therefore, either one of these two value must be adjusted to cause failover per requirement/design of an user environment.
 To change the weight of one particular track-ip IP address, issue the command:
set nsrp monitor track-ip ip <track-ip address> weight 255
Or optionally, to change the threshold of failover by track-ip, issue the command:
set nsrp monitor track-ip threshold 1

Then in order to execute a failover with Track-IP Monitoring, perform the following steps:
  1. Disconnect the required track-ip hosts/devices from the master device to have the summary-weighted reach the threshold value.
    or
  2. Optionally, should the environment allow, issue a command to remove the manage-ip of an outgoing interface to cause the track-ip target to become unreachable. Or issue a command to remove related routes to the track-ip targets.
 

Scenario-3: Zone(s) configured as the monitored target

For zone monitor to failover, all interfaces in the monitored zone must be down.
  1. To verify membership of each interface,  issue the following command.
    get interface
  2. Verify the status of all interfaces. If one is still Up (U), the monitored zone will not failover the device.

To verify the zone-monitored failover, bring down all member interfaces of the zone by either disconnecting cables or issuing "set interface <name> phy link-down".
Modification History:
2020-09-11: Minor, non-technical edits.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search