In an NSRP Active/Passive configuration, device failover can be triggered by monitoring at least one of three objects--interface, track-ip address, and zone. For the purpose of troubleshooting, this article describes how to trigger a failover of an NSRP device when monitoring each object.
Question:
- How can I manually fail over the master to the backup device?
- Force a pair of Juniper Firewalls in High Availability (HA) to fail over
- How can I safely failover to the backup (NSRP)?
An NSRP Active/Passive device can be configured to automatically trigger a firewall (device) failover by monitoring one or more of these three objects:
- Interface
- Track IP address
- Zone
This article describes how to trigger a firewall to fail over to the backup, for the purpose of troubleshooting:
- How do I execute a failover with Interface monitor? See Scenario-1 below.
- How do I execute a failover with the Track-IP component? See Scenario-2 below.
- How do I execute a failover with zone monitor? See Scenario-3 below.
To verify which 'monitor' objects are configured on your firewall, use one of the following commands:
get config | include "nsrp monitor"
OR
get nsrp monitor
For example, the following "nsrp monitor" commands are configured on a firewall:
set nsrp monitor interface ethernet1
set nsrp monitor interface ethernet2
set nsrp monitor track-ip ip
set nsrp monitor track-ip ip 1.1.1.1
set nsrp monitor track-ip ip 2.2.2.2
And the corresponding output of 'get nsrp monitor' is as follows:
device based nsrp monitoring threshold: 255, weighted sum: 510, failed
device based nsrp monitor interface: ethernet1(weight 255, DOWN) ethernet2(weight 255, DOWN)
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, enabled, not failed)
Note: For details on configuring NSRP object monitoring, refer to the 'NSRP Object Monitoring to Trigger Failover' section of the Concepts & Examples ScreenOS Reference Guide, High Availability volume.
Scenario-1: Interface configured as the monitored target
Layer 2 path monitoring functions by checking that the physical ports are active and connected to other network devices. Failure of a physical interface object occurs when the port is no longer active. In order to execute a failover with Interface Monitoring, perform the following steps:
- Before a monitored interface can be failed over, each monitored interface must be specified with the 'set nsrp monitor interface' command. Verify this command is configured on your firewall:
set nsrp monitor interface interface [weight number]
Example:
set nsrp monitor interface ethernet0/1
- With the default threshold and weight values of 255, a failover is caused by a single monitored interface going down. This can be tested either by pulling the cable connected to the interface or by running the following command:
set interface ethernet0/1 phy link-down
The command to bring the interface back up later is: unset interface ethernet0/1 phy link-down
Scenario-2: One or more IP addresses configured as the monitored target (track-ip)
In order to execute a failover with Track-IP Monitoring, verify the following steps:
- An absolute requirement for track-ip as a monitor object is that a manage-ip must be specified on the outgoing interface to the track-ip address. This manage-ip must be different and unique for each NSRP interface and device. Enter the following command and verify that a manage-ip address is configured:
get config | inc "manage-ip"
The output should contain a line of the form:
set interface ethernet0/1 manage-ip <IP address>
- Enter the following command to verify that track-ip is enabled:
get config | inc "track-ip"
Look for the following command in the output:
set nsrp track-ip ip
- To verify the current values for the track-ip monitor, use the following command:
get nsrp monitor track-ip
NOTE: By default, one track-ip has a weight of 1, while the threshold for failover by track-ip is 255. Therefore, one of these two values must be adjusted for a track-ip failure to cause failover, according to the requirements and design of the user environment.
To change the weight of one particular track-ip IP address, issue the command:
set nsrp monitor track-ip ip <track-ip address> weight 255
Or optionally, to change the threshold of failover by track-ip, issue the command:
set nsrp monitor track-ip threshold 1
Then in order to execute a failover with Track-IP Monitoring, perform the following steps:
- Disconnect the required track-ip hosts/devices from the master device so that the summed weight of failed track-ip targets reaches the threshold value.
or
- Optionally, should the environment allow, remove the manage-ip of the outgoing interface so that the track-ip target becomes unreachable, or remove the routes to the track-ip targets.
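The following Python script is an added example, not part of this article or of ScreenOS: it parses the 'get nsrp monitor' output format shown above and checks whether the weighted sum of failed objects reaches the threshold, which is the rule behind the weight/threshold note for track-ip. The sample output is constructed (one interface down, one up), and the 'UP' status keyword and the zone line parsing are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the 'get nsrp monitor' output above.
# Hypothetical state: ethernet1 down, ethernet2 up (UP keyword assumed),
# track-ip enabled but still reachable.
SAMPLE_OUTPUT = """\
device based nsrp monitoring threshold: 255, weighted sum: 255, failed
device based nsrp monitor interface: ethernet1(weight 255, DOWN) ethernet2(weight 255, UP)
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, enabled, not failed)
"""

THRESHOLD_RE = re.compile(r"threshold:\s*(\d+)")
# Interface (and, by assumption, zone) objects: name(weight N, UP|DOWN)
OBJECT_RE = re.compile(r"(\S+?)\(weight (\d+), (UP|DOWN)\)")
# Track-ip summary: (weight: N, enabled|disabled, failed|not failed)
TRACK_IP_RE = re.compile(r"\(weight:\s*(\d+),\s*(enabled|disabled),\s*(not failed|failed)\)")


@dataclass
class MonitorState:
    threshold: int = 255
    down_objects: dict = field(default_factory=dict)  # object name -> weight
    track_ip_failed_weight: int = 0                   # 0 unless track-ip has failed

    def weighted_sum(self):
        return sum(self.down_objects.values()) + self.track_ip_failed_weight

    def will_fail_over(self):
        # Failover triggers once the weighted sum reaches the threshold.
        return self.weighted_sum() >= self.threshold


def parse_nsrp_monitor(text):
    state = MonitorState()
    for line in text.splitlines():
        m = THRESHOLD_RE.search(line)
        if m:
            state.threshold = int(m.group(1))
        for name, weight, status in OBJECT_RE.findall(line):
            if status == "DOWN":
                state.down_objects[name] = int(weight)
        m = TRACK_IP_RE.search(line)
        if m and m.group(2) == "enabled" and m.group(3) == "failed":
            state.track_ip_failed_weight = int(m.group(1))
    return state


def single_track_ip_suffices(threshold, track_ip_weight=1):
    """True when one failed track-ip host alone reaches the threshold.
    With the defaults (weight 1, threshold 255) this is False, hence the
    'weight 255' or 'threshold 1' adjustment described above."""
    return track_ip_weight >= threshold
```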
Scenario-3: Zone(s) configured as the monitored target
For a zone monitor to trigger failover, all interfaces in the monitored zone must be down.
- To verify the zone membership of each interface, issue the following command:
get interface
- Verify the status of all interfaces. If any one is still up (U), the monitored zone will not fail over the device.
To test the zone-monitored failover, bring down all member interfaces of the zone, either by disconnecting the cables or by issuing "set interface <name> phy link-down" for each interface.