Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[EOL/EOE] How to configure NSRP options: secondary path, hb-interval, auth password, encrypt password, master-always-exist, link-up-on-backup

0

0

Article ID: KB11292 KB Last Updated: 06 Apr 2021Version: 5.0
Summary:
Configuration steps for NSRP options including: secondary path, hb-interval, auth password, encrypt password, master-always-exist, link-up-on-backup.
 
Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE). 
Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.
Symptoms:
Configuration options for NSRP can be confusing. This article sets out to explain the following options and how to enable them.
  • secondary path
  • hb-interval
  • auth password
  • encrypt password
  • master-always-exist
  • link-up-on-backup
Solution:
The various NSRP options are discussed individually below..

secondary-path

NSRP uses dedicated HA interface(s) to keep in contact with the peer device. In the event that this connectivity is lost (eg. an intermediate switch failure) but the NSRP devices are both still active, then both devices will become Primary. This undesirable condition is called “split-brain”. For more information on "split-brain", refer to KB11450.

The secondary-path option allows NSRP to poll the peer via an alternate, non-dedicated interface. The purpose of this option is only to prevent a split-brain scenario, so NSRP sync data is not carried across this link, only heart-beat messages.

CLI: set nsrp secondary-path <interface>

WebUI: Network -> NSRP -> Link, select the interface from the drop-down list for the “Secondary Link” field, then click “Apply”.

Note: The nominated secondary-path interface will need to be in the same broadcast-domain as the peer device.

 

hb-interval

NSRP “heart-beat” is the mechanism that is used for an NSRP device to monitor the status of an NSRP peer. Heart-beat packets are sent across the HA interface at a time-period equal to the “hb-interval” setting. Modifying the frequency of the heart-beat affects the time it takes for a failure or status change to be detected.

The range of values for the hb-interval setting are 200, 400, 600, 800 or 1000 (msec). The default setting is 1000msec.

CLI: set nsrp vsd-group hb-interval <msec>

WebUI: Not available.

 

hb-threshold

Peer NSRP status changes (eg. “Ineligible” due to a monitored interface being shutdown) are effective immediately, but a non-responsive state (eg. link-failure or device crash) relies on a number of consecutively missed heart-beats (called the “threshold”) for a fail-over to be triggered. The hb-threshold setting modifies that number.

The range of values for the hb-threshold setting is 3-255. The default is 3.

So, with the default configuration of hb-interval and hb-threshold, in the event the Primary has failed, the Backup will detect this after 1000msec (hb-interval) x 3 (hb-threshold), or 3 seconds.

CLI: set nsrp vsd-group hb-threshold <num>

WebUI: Not available

 

auth password

This setting will cause all NSRP messages to be authenticated using the MD5 algorithm. The password entered is used as the authentication-key, therefore it needs to be the same on both peers. The password can be from 1 to 15 characters in length.

CLI: set nsrp auth password <key>

WebUI: Network -> NSRP -> Cluster, check the box for “NSRP Authentication Password” and enter the password/key value. Click “Apply” to confirm.

 

encrypt password

This option will cause the NSRP messages to be encrypted using the DES algorithm. The password entered is used as the encryption-key; therefore it needs to be the same on both peers.

This option is useful if the “secondary-path” option is configured, because that data is sent across a forwarding (in-band) interface. The password can be from 1 to 15 characters in length.

CLI: set nsrp encrypt password <key>

WebUI: Network -> NSRP -> Cluster, check the box for “NSRP Encryption Password” and enter a password/key value. Click “Apply” to confirm.

 

master-always-exist

If NSRP monitoring is enabled, it may be possible for both NSRP peers to become 'Inoperable' (eg. a target “track-ip” host is shutdown and becomes unreachable by both NSRP peers, or possibly a shared switch to a DMZ zone fails causing interface tracking to trip on both NSRP peers). In that event, all traffic required to cross the cluster would be impacted even though it may only be a portion of the network that is unreachable.

Enabling the master-always-exist option will ensure that the cluster remains available and traffic to flow.

CLI: set nsrp vsd-group master-always-exist

WebUI: Not available.

 

link-up-on-backup

In an NSRP cluster, the interface status on the Backup device is marked as “inactive”, but the physical link status remains up. This provides several benefits, such as management access to the Backup device (via “manage-ip” addresses); faster failover transition (eg. avoiding Spanning-Tree (STP) delays on neighboring switches), but it is possible this logically inactive state can cause problems on neighboring devices (eg. a directly connected neighbor router, where routes may remain active if the relevant interface is seen as link-up).

As an option to work around any possible network issues, disabling the link-up-on-backup state will cause the inactive interfaces to also be physically “link-down”.

CLI: unset nsrp link-up-on-backup

WebUI: Not available.

 

Modification History:
2021-04-06: Updated the article terminology to align with Juniper's Inclusion & Diversity initiatives

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search