Support Support Downloads Knowledge Base Apex Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[EOL/EOE] What is the minimum configuration I need to get an NSRP cluster working in VSD-less env?

0

0

Article ID: KB11197 KB Last Updated: 18 Mar 2021Version: 5.0
Summary:
Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE). 
Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.
Dynamic Routing Considerations with NSRP.  If your Active/Passive firewall is running a Dynamic Routing Protocol (BGP, OSPF, or RIP), you may want to configure an NSRP VSD-less cluster.
Symptoms:

If you are configuring an Active/Passive NSRP pair that is also running a Dynamic Routing Protocol (BGP, OSPF, or RIP), then consider these questions:

  1.  Are you running ScreenOS 6.0 or later OR can you upgrade to ScreenOS 6.0 or later?  
    • Yes - Configure NSRP the common way (with one VSD-Virtual Security Device).  Starting with ScreenOS 6.0, there is a new feature called NSRP Dynamic Route Synchronization. With this feature it is possible to synchronize complete routing protocol information between NSRP peers, whereas in previous ScreenOS versions, only static routes were synched.

      Dynamic Route Sync provides an alternative to VSD-less clusters and reduces the design complexity, as the NSRP backup peer will have complete routing information even though neighborship is not established with upstream/downstream routers, providing no downtime failover until new neighborship is established.

      Go to KB9809 - How to configure NSRP
    • No - Continue to Step 2. 
  2. If a failover occurs, can your environment tolerate the time needed to re-establish adjacencies and learn routes?
    • Yes - Configure NSRP the common way (with one VSD-Virtual Security Device). Go to KB9809 - How to configure NSRP.
    • No  - Consider doing the VSD-less design, which is covered in this article.

VSD-less NSRP clusters are handy when implementing any Dynamic Routing Protocol (BGP, OSPF, or RIP).  VSD-less NSRP clusters separate the failover component of NSRP from session synchronization.  VSD-less NSRP clusters use individual unique interfaces, and will be able to establish adjacencies individually.  This avoids the problem of re-establishing adjacencies when a failover may occur.


Note: There are design considerations in configuring Dynamic Routing Protocols with NSRP.  Juniper recommends contacting Juniper Networks Professional Services to assist with the design.  For more information, refer to Juniper Networks Customer Services.
Solution:
To configure a pair of devices in a VSD-less NSRP cluster, the minimum requirements are the following:
  • Bind the interfaces where the NSRP heartbeats traverses, into the HA functional zone.
  • Define the Cluster ID for the devices in the NSRP pair.
  • Configure the VSD-less cluster.
  • Enable non-VSI session mirroring between the two devices in the NSRP cluster.

For example:
  1. Bind the interface where the NSRP heartbeat traverses in the HA functional zones:
    fw-> set interface ethernet1/7 zone ha
    fw-> set interface ethernet1/8 zone ha
     
  2. Define the cluster id for the devices in the NSRP pair:
    fw-> set nsrp cluster id 1
    fw(B)-> Unit becomes master of NSRP vsd-group 0
    fw(M)->
     
  3. Configure the VSD-less cluster:
    fw(M)-> unset nsrp vsd-group id 0
    fw(B)->

    At this point, both devices in the cluster will be seen as backup (B).
     
  4. Enable non-vsi session mirroring between the two devices in the NSRP cluster:
    fw(B)-> set nsrp rto-mirror session non-vsi
    fw(M)->
     
  5. Define the local interfaces for each device in the NSRP cluster
    fw(M)-> set interface ethernet1/1 ip 1.1.1.1/24
    fw(M)-> set interface ethernet1/3 ip 2.1.1.1/24
    fw(M)-> set interface ethernet1/1 ip 1.1.1.2/24
    fw(M)-> set interface ethernet1/3 ip 2.1.1.2/24

    Both devices in the cluster will now become primary, as-expected.
     
  6. To verify the NSRP VSD-less cluster has been configured, issue the command get nsrp or get nsrp vsd-group:
fw(M)-> get nsrp
nsrp version: 2.0

cluster info:
cluster id: 1, no name
local unit id: 12172271
active units discovered:
index: 0, unit id:  12172271, ctrl mac: 0010dbb9bbcd, data mac: 0010dbb9bbce
index: 1, unit id:  12175855, ctrl mac: 0010dbb9c9cd, data mac: 0010dbb9c9ce
total number of units: 2


VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig   master       PB other members
total number of vsd groups: 0
Total iteration=803,time=577030,max=4371,min=106,average=718

RTO mirror info:
run time object sync:   disabled
ping session sync: enabled
coldstart sync done
nsrp data packet forwarding is enabled

nsrp link info:
control   channel: ethernet1/7 (ifnum: 13)  mac: 0010dbb9bbcd state: up
data      channel: ethernet1/8 (ifnum: 14)  mac: 0010dbb9bbce state: up
ha secondary path link not available

NSRP encryption: disabled
NSRP authentication: disabled
device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
device based nsrp monitor interface:
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, disabled)
number of gratuitous arps: 4 (default)
config sync: enabled

track ip: disabled
 
Make sure there are 2 units discovered, as shown in italics in the get nsrp output.  Also, the number of VSD groups should be 0.
Modification History:
  • 2021-03-18: Updated the article terminology to align with Juniper's Inclusion & Diversity initiatives.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search