[ScreenOS] How to check if a firewall that is running in the Active/Passive NSRP failed over or changed state?

Article ID: KB11199 KB Last Updated: 09 Sep 2020 Version: 8.0
Summary:
This article describes how to check whether a firewall running in an Active/Passive NSRP cluster has failed over or changed its state.
Symptoms:
How to check whether a firewall running in an Active/Passive NSRP cluster has failed over or changed its state?
Solution:
The following list contains various ways to determine if a firewall has failed over or changed its state:
 
  • View the firewall prompt to quickly see the state of the firewall. For more information, refer to KB11377 - How to tell the state of the NSRP device? (M, B, I):
    (M) = Master
    (B) = Backup
    (I) = Inoperable 
  • View the event log via the get event inc local or get event command. Look for messages that indicate the state to which the firewall has changed:

    2008-04-22 16:30:35 system crit  00071  The local device 14827840 in the
                                            Virtual Security Device group (2)
                                            changed state from primary backup to
                                            master, missing master.

  • Look at the interfaces by issuing the get interface command. The interfaces on the master show the state as U (Up) or A (Active). The interfaces on the backup firewall show the state as I (Inactive). This confirms that the interface failover completed properly and that the interfaces display the proper status:

    SSG550(M)-> get int

    A - Active, I - Inactive, U - Up, D - Down, R - Ready

    Interfaces in vsys Root:
    Name           IP Address                        Zone        MAC            VLAN State VSD
    eth0/0         192.168.1.1/24                    Trust       0010.dbff.6000    -   D   0
    eth0/1         0.0.0.0/0                         DMZ         0010.dbff.6050    -   D   0
    eth0/2         0.0.0.0/0                         Untrust     0010.dbff.6060    -   U   0
    eth0/3         0.0.0.0/0                         HA          0005.857f.5787    -   U   -
    eth3/0         0.0.0.0/0                         Null        0010.dbff.6080    -   U   0

 
  • View the NSRP status on both of the firewalls via the get nsrp command. Both of the firewalls should be discovered in the cluster. In the following example, this firewall is the master and the 10923520 unit ID is the backup:
     
    SSG550(M)-> get nsrp
    nsrp version: 2.0

    cluster info:
    cluster id: 3, no name
    local unit id: 8345472
    active units discovered:
    index: 0, unit id:   8345472, ctrl mac: 0005857f5787, data mac: 0005857f5787
    index: 1, unit id:  10923520, ctrl mac: 00121ea6ae07, data mac: 00121ea6ae07
    total number of units: 2

    VSD group info:
    init hold time: 8
    heartbeat lost threshold: 3
    heartbeat interval: 1000(ms)
    master always exist: disabled
    group priority preempt holddown inelig   master       PB other members
        0      100 no             3 no       myself 10923520
    total number of vsd groups: 1
    Total iteration=177074,time=1454663787,max=187722,min=7251,average=8215

    RTO mirror info:
    run time object sync:   disabled
    route synchronization: disabled
    ping session sync: enabled
    coldstart sync done
    nsrp data packet forwarding is enabled

    nsrp link info:
    control   channel: ethernet0/3 (ifnum: 7)  mac: 0005857f5787 state: up
    data      channel: ethernet0/3 (ifnum: 7)  mac: 0005857f5787 state: up
    ha secondary path link not available

    NSRP encryption: disabled
    NSRP authentication: disabled
    device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
    device based nsrp monitor interface:
    device based nsrp monitor zone:
    device based nsrp track ip: (weight: 255, disabled)
    number of gratuitous arps: 4 (default)
    config sync: enabled

    track ip: disabled

     
  • View the NSRP uptime on both of the firewalls via the get nsrp vsd-group id 0 command. Each firewall's unit_id is listed with its state and the uptime of that state. In the following example, this firewall is the master (4504068) and the 4499588 unit ID is the backup:

    SSG550(M)->  get nsrp vsd-group id 0

    VSD group info:
    init hold time: 5
    heartbeat lost threshold: 3
    heartbeat interval: 1000(ms)
    master always exist: disabled
    group priority  preempt  holddown inelig   master        PB   other members  myself  uptime
        0      100       no         3     no   myself   4499588                          00:09:08

    vsd group id: 0, member count: 2, master: 4504068
    member information:
    ------------------------------------------------------------------------------------
    group  unit_id  state           prio flag rto_peer   hb miss holddown      uptime
    ------------------------------------------------------------------------------------
        0  4499588  primary backup   100    0        0    1    0        3      00:09:05
        0  4504068  master           100    0        0    0    0        3      00:09:08

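
The event-log check in the list above can be scripted when saved get event output has to be reviewed for failovers. The following Python sketch is an added example, not part of the original article or any Juniper tooling: it re-joins the wrapped lines of each log entry and extracts the NSRP state changes. The first sample entry is the message shown above; the other two entries and all function names are constructed for the example.

```python
import re

# Sample `get event` output. The first entry is the message shown in the
# article; the other two entries are constructed for this example.
SAMPLE = """\
2008-04-22 16:30:35 system crit  00071  The local device 14827840 in the
                                        Virtual Security Device group (2)
                                        changed state from primary backup to
                                        master, missing master.
2008-04-22 16:31:02 system notif 00002  Constructed entry that does not
                                        concern NSRP.
2008-04-22 17:05:10 system crit  00071  The local device 14827840 in the
                                        Virtual Security Device group (2)
                                        changed state from master to primary
                                        backup.
"""

# Start of an entry: date, time, then three columns and the message text.
ENTRY_START = re.compile(
    r"^\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+(\S+)\s+(\d+)\s+(.*?)\s*$")
STATE_CHANGE = re.compile(
    r"local device (\d+) in the Virtual Security Device group \((\d+)\) "
    r"changed state from (.+?) to (.+?)(?:,\s*(.+?))?\.?$")

def parse_entries(text):
    """Re-join wrapped lines into [timestamp, level, type, message] entries."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            entries.append(list(m.groups()))
        elif line.strip() and entries:  # continuation of the previous entry
            entries[-1][3] += " " + line.strip()
    return entries

def nsrp_state_changes(text):
    """Return one dict per NSRP state-change message found in the log text."""
    changes = []
    for ts, level, _type, msg in parse_entries(text):
        m = STATE_CHANGE.search(msg)
        if m:
            device, group, old, new, reason = m.groups()
            changes.append({"time": ts, "level": level, "device": device,
                            "vsd_group": int(group), "from": old, "to": new,
                            "reason": reason})
    return changes

if __name__ == "__main__":
    for change in nsrp_state_changes(SAMPLE):
        print(change)
```
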
Modification History:
2017-12-07: Article reviewed for accuracy. Minor grammatical change done. Article is correct and complete.
2018-12-25: Added information on checking uptime
2020-8-26: Updated affected products
