This article provides information on how to check if a firewall, which is running in the Active/Passive NSRP, failed over or has changed its state.
 

---

Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE). 
Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.

How to check if a firewall, which is running in the Active/Passive NSRP, failed over or has changed its state?

The following list contains various ways to determine if a firewall has failed over or changed its state:
 

• View the firewall prompt to quickly see the state of the firewall. For more information, refer to KB11377 - How to tell the state of the NSRP device? (M, B, I):

  (M) = Primary
(B) = Backup
(I) = Inoperable 

• View the event log via the get event inc local or get event command. Look for messages that indicate the state, to which the firewall has changed:

• Look at the interfaces by issuing the get interface command. The interfaces on the primary will show the state as U (Up) or A (Active). The interfaces on the backup firewall will show the state as I (Inactive).  This is a confirmation to verify if the interface fail over has been done properly and is displaying the proper status:

SSG550(M)-> get int

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address                        Zone        MAC            VLAN State VSD     
eth0/0         192.168.1.1/24                    Trust       0010.dbff.6000    -   D   0 
eth0/1         0.0.0.0/0                         DMZ         0010.dbff.6050    -   D   0 
eth0/2         0.0.0.0/0                         Untrust     0010.dbff.6060    -   U   0 
eth0/3         0.0.0.0/0                         HA          0005.857f.5787    -   U   - 
eth3/0         0.0.0.0/0                         Null        0010.dbff.6080    -   U   0 
 

• View the NSRP status on both of the firewalls via the get nsrp command. Both of the firewalls should be discovered in the cluster. In the following example, this firewall is the primary and the 10923520 unit ID is the backup:
   
  SSG550(M)-> get nsrp
nsrp version: 2.0

cluster info:
cluster id: 3, no name
local unit id: 8345472
active units discovered:
index: 0, unit id:   8345472, ctrl mac: 0005857f5787, data mac: 0005857f5787
index: 1, unit id:  10923520, ctrl mac: 00121ea6ae07, data mac: 00121ea6ae07
total number of units: 2

VSD group info:
init hold time: 8
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig   master       PB other members
    0      100 no             3 no       myself 10923520
total number of vsd groups: 1
Total iteration=177074,time=1454663787,max=187722,min=7251,average=8215

RTO mirror info:
run time object sync:   disabled
route synchronization: disabled
ping session sync: enabled
coldstart sync done
nsrp data packet forwarding is enabled

nsrp link info:
control   channel: ethernet0/3 (ifnum: 7)  mac: 0005857f5787 state: up
data      channel: ethernet0/3 (ifnum: 7)  mac: 0005857f5787 state: up
ha secondary path link not available

NSRP encryption: disabled
NSRP authentication: disabled
device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
device based nsrp monitor interface:
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, disabled)
number of gratuitous arps: 4 (default)
config sync: enabled

track ip: disabled
   

• View the NSRP uptime on both of the firewalls via the get nsrp vsd-group id 0 command. Both of the firewalls unit_id will show its state and respective uptime of that state. In the following example, this firewall is the primary (4504068) and the 4499588 unit ID is the backup:

SSG550(M)->  get nsrp vsd-group id 0
 
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority  preempt  holddown inelig   master        PB   other members  myself  uptime
    0      100       no         3     no   myself   4499588                          00:09:08
 
vsd group id: 0, member count: 2, master: 4504068
member information:
------------------------------------------------------------------------------------
group  unit_id  state           prio flag rto_peer   hb miss holddown      uptime
------------------------------------------------------------------------------------
    0  4499588  primary backup   100    0        0    1    0        3      00:09:05
    0  4504068  master           100    0        0    0    0        3      00:09:08

2021-03-23: Updated the article terminology to align with Juniper's Inclusion & Diversity initiatives.
2020-8-26: Updated affected products
2018-12-25: Added information on checking uptime
2017-12-07: Article reviewed for accuracy. Minor grammatical change done. Article is correct and complete.