This article provides information on how to check if a firewall, which is running in the Active/Passive NSRP, failed over or has changed its state.
Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE).
Refer to
End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.
How to check if a firewall, which is running in the Active/Passive NSRP, failed over or has changed its state?
The following list contains various ways to determine if a firewall has failed over or changed its state:
- View the firewall prompt to quickly see the state of the firewall. For more information, refer to KB11377 - How to tell the state of the NSRP device? (M, B, I):
(M) = Primary
(B) = Backup
(I) = Inoperable
- View the event log via the get event inc local or get event command. Look for messages that indicate the state, to which the firewall has changed:
2008-04-22 16:30:35 system crit 00071 The local device 14827840 in the
Virtual Security Device group (2)
changed state from primary backup to
master, missing master.
- Look at the interfaces by issuing the get interface command. The interfaces on the primary will show the state as U (Up) or A (Active). The interfaces on the backup firewall will show the state as I (Inactive). This is a confirmation to verify if the interface fail over has been done properly and is displaying the proper status:
SSG550(M)-> get int
A - Active, I - Inactive, U - Up, D - Down, R - Ready
Interfaces in vsys Root:
Name IP Address Zone MAC VLAN State VSD
eth0/0 192.168.1.1/24 Trust 0010.dbff.6000 - D 0
eth0/1 0.0.0.0/0 DMZ 0010.dbff.6050 - D 0
eth0/2 0.0.0.0/0 Untrust 0010.dbff.6060 - U 0
eth0/3 0.0.0.0/0 HA 0005.857f.5787 - U -
eth3/0 0.0.0.0/0 Null 0010.dbff.6080 - U 0
- View the NSRP status on both of the firewalls via the get nsrp command. Both of the firewalls should be discovered in the cluster. In the following example, this firewall is the primary and the 10923520 unit ID is the backup:
SSG550(M)-> get nsrp
nsrp version: 2.0
cluster info:
cluster id: 3, no name
local unit id: 8345472
active units discovered:
index: 0, unit id: 8345472, ctrl mac: 0005857f5787, data mac: 0005857f5787
index: 1, unit id: 10923520, ctrl mac: 00121ea6ae07, data mac: 00121ea6ae07
total number of units: 2
VSD group info:
init hold time: 8
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master PB other members
0 100 no 3 no myself 10923520
total number of vsd groups: 1
Total iteration=177074,time=1454663787,max=187722,min=7251,average=8215
RTO mirror info:
run time object sync: disabled
route synchronization: disabled
ping session sync: enabled
coldstart sync done
nsrp data packet forwarding is enabled
nsrp link info:
control channel: ethernet0/3 (ifnum: 7) mac: 0005857f5787 state: up
data channel: ethernet0/3 (ifnum: 7) mac: 0005857f5787 state: up
ha secondary path link not available
NSRP encryption: disabled
NSRP authentication: disabled
device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
device based nsrp monitor interface:
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, disabled)
number of gratuitous arps: 4 (default)
config sync: enabled
track ip: disabled
- View the NSRP uptime on both of the firewalls via the get nsrp vsd-group id 0 command. Both of the firewalls unit_id will show its state and respective uptime of that state. In the following example, this firewall is the primary (4504068) and the 4499588 unit ID is the backup:
SSG550(M)-> get nsrp vsd-group id 0
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master PB other members myself uptime
0 100 no 3 no myself 4499588 00:09:08
vsd group id: 0, member count: 2, master: 4504068
member information:
------------------------------------------------------------------------------------
group unit_id state prio flag rto_peer hb miss holddown uptime
------------------------------------------------------------------------------------
0 4499588 primary backup 100 0 0 1 0 3 00:09:05
0 4504068 master 100 0 0 0 0 3 00:09:08
2021-03-23: Updated the article terminology to align with Juniper's Inclusion & Diversity initiatives.
2020-8-26: Updated affected products
2018-12-25: Added information on checking uptime
2017-12-07: Article reviewed for accuracy. Minor grammatical change done. Article is correct and complete.