Knowledge Search


How to configure NSRP options: secondary path, hb-interval, auth password, encrypt password, master-always-exist, link-up-on-backup

  [KB11292] Show Article Properties

Configuration steps for NSRP options including: secondary path, hb-interval, auth password, encrypt password, master-always-exist, link-up-on-backup.

Configuration options for NSRP can be confusing. This article sets out to explain the following options and how to enable them.
  • secondary path
  • hb-interval
  • auth password
  • encrypt password
  • master-always-exist
  • link-up-on-backup
The various NSRP options are discussed individually below..


NSRP uses dedicated HA interface(s) to keep in contact with the peer device. In the event that this connectivity is lost (eg. an intermediate switch failure) but the NSRP devices are both still active, then both devices will become Master. This undesirable condition is called “split-brain”. For more information on "split-brain", refer to KB11450.

The secondary-path option allows NSRP to poll the peer via an alternate, non-dedicated interface. The purpose of this option is only to prevent a split-brain scenario, so NSRP sync data is not carried across this link, only heart-beat messages.

CLI: set nsrp secondary-path <interface>

WebUI: Network -> NSRP -> Link, select the interface from the drop-down list for the “Secondary Link” field, then click “Apply”.

Note: The nominated secondary-path interface will need to be in the same broadcast-domain as the peer device.



NSRP “heart-beat” is the mechanism that is used for an NSRP device to monitor the status of an NSRP peer. Heart-beat packets are sent across the HA interface at a time-period equal to the “hb-interval” setting. Modifying the frequency of the heart-beat affects the time it takes for a failure or status change to be detected.

The range of values for the hb-interval setting are 200, 400, 600, 800 or 1000 (msec). The default setting is 1000msec.

CLI: set nsrp vsd-group hb-interval <msec>

WebUI: Not available.



Peer NSRP status changes (eg. “Ineligible” due to a monitored interface being shutdown) are effective immediately, but a non-responsive state (eg. link-failure or device crash) relies on a number of consecutively missed heart-beats (called the “threshold”) for a fail-over to be triggered. The hb-threshold setting modifies that number.

The range of values for the hb-threshold setting is 3-255. The default is 3.

So, with the default configuration of hb-interval and hb-threshold, in the event the Master has failed, the Backup will detect this after 1000msec (hb-interval) x 3 (hb-threshold), or 3 seconds.

CLI: set nsrp vsd-group hb-threshold <num>

WebUI: Not available


auth password

This setting will cause all NSRP messages to be authenticated using the MD5 algorithm. The password entered is used as the authentication-key, therefore it needs to be the same on both peers. The password can be from 1 to 15 characters in length.

CLI: set nsrp auth password <key>

WebUI: Network -> NSRP -> Cluster, check the box for “NSRP Authentication Password” and enter the password/key value. Click “Apply” to confirm.


encrypt password

This option will cause the NSRP messages to be encrypted using the DES algorithm. The password entered is used as the encryption-key; therefore it needs to be the same on both peers.

This option is useful if the “secondary-path” option is configured, because that data is sent across a forwarding (in-band) interface. The password can be from 1 to 15 characters in length.

CLI: set nsrp encrypt password <key>

WebUI: Network -> NSRP -> Cluster, check the box for “NSRP Encryption Password” and enter a password/key value. Click “Apply” to confirm.



If NSRP monitoring is enabled, it may be possible for both NSRP peers to become 'Inoperable' (eg. a target “track-ip” host is shutdown and becomes unreachable by both NSRP peers, or possibly a shared switch to a DMZ zone fails causing interface tracking to trip on both NSRP peers). In that event, all traffic required to cross the cluster would be impacted even though it may only be a portion of the network that is unreachable.

Enabling the master-always-exist option will ensure that the cluster remains available and traffic to flow.

CLI: set nsrp vsd-group master-always-exist

WebUI: Not available.



In an NSRP cluster, the interface status on the Backup device is marked as “inactive”, but the physical link status remains up. This provides several benefits, such as management access to the Backup device (via “manage-ip” addresses); faster failover transition (eg. avoiding Spanning-Tree (STP) delays on neighboring switches), but it is possible this logically inactive state can cause problems on neighboring devices (eg. a directly connected neighbor router, where routes may remain active if the relevant interface is seen as link-up).

As an option to work around any possible network issues, disabling the link-up-on-backup state will cause the inactive interfaces to also be physically “link-down”.

CLI: unset nsrp link-up-on-backup

WebUI: Not available.


Related Links: