[EOL/EOE] [ScreenOS] Possible causes for a Firewall running NSRP to be in the (I) Inoperable state

Article ID: KB11331  KB Last Updated: 06 Apr 2021  Version: 7.0
Summary:

This article describes the possible causes for a firewall that is running NSRP to be in the Inoperable (I) state.


Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE). 
Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.
Symptoms:
The firewall, which is running NSRP, is in the Inoperable (I) state, and the firewall is configured to monitor the zone.

When the following commands are run, their output indicates that a monitored zone is down:
get nsrp | inc device or get nsrp monitor
get int
get event
If all of the interfaces in the monitored zone are down, the zone is identified as Down in the output of get nsrp, and the weight that is assigned to the zone is added to the weighted sum in the same output. If the weighted sum is greater than or equal to the device monitoring threshold, NSRP triggers the failover and brings the device to the Inoperable state.
 
Note: If all of the devices in a cluster are simultaneously deemed to be in the failed state, a new primary is elected, based on the preempt option and priority values, which are configured for the devices with 'set nsrp vsd-group master-always-exist enabled'. For more information on how master-always-exist works, refer to the following articles:

Example:
In this case, you can see that the monitored zone (Trust) is down and the weight of 255 is added to the weighted sum:
SSG550(I)-> get nsrp | inc device
device based nsrp monitoring threshold: 255, weighted sum: 255, failed
device based nsrp monitor interface:
device based nsrp monitor zone: Trust(weight 255, DOWN)
device based nsrp track ip: (weight: 255, disabled)
SSG550(I)-> 
The get interface command indicates that the e0/0 and e0/1 interfaces are bound to the Trust zone and they are both down, which causes this firewall to go into the Inoperable state:
eth0/0         192.168.1.1/24     Trust       0010.dbff.6000    -   D  
eth0/1         192.168.2.1/24     Trust       0010.dbff.6050    -   D
 
In the output of get nsrp, you can see:
master always exist: disabled
group priority preempt holddown inelig   master       PB other members
    0      100 no             3 no      8347392     none myself(inoperable) 
You can also notice the following messages, which are related to this change, in the event log:
2008-04-09 10:08:56 system crit  00075 The local device 8345472 in the
                                       Virtual Security Device group 0
                                       changed state from primary backup to
                                       inoperable.
2008-04-09 10:08:55 system notif 00513 The physical state of interface
                                       ethernet0/1 has changed to Down.
2008-04-09 10:08:01 system notif 00513 The physical state of interface
                                       ethernet0/0 has changed to Down.      
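
The weighted-sum check described above, applied to the sample output, as an added example (not Juniper code and not part of the original article). The function names are hypothetical, and the name(weight N, UP|DOWN) form is assumed for interface entries as well as the zone entry shown here:

```python
import re

# Constructed sample: the "get nsrp | inc device" output quoted in this article.
SAMPLE = """\
device based nsrp monitoring threshold: 255, weighted sum: 255, failed
device based nsrp monitor interface:
device based nsrp monitor zone: Trust(weight 255, DOWN)
device based nsrp track ip: (weight: 255, disabled)
"""

SUMMARY_RE = re.compile(
    r"monitoring threshold:\s*(\d+),\s*weighted sum:\s*(\d+),\s*(not failed|failed)")
MONITOR_RE = re.compile(r"device based nsrp monitor (interface|zone):(.*)")
# Assumption: each monitored object is printed as name(weight N, UP|DOWN),
# the form the article shows for the Trust zone.
OBJECT_RE = re.compile(r"([\w/.\-]+)\(weight (\d+), (UP|DOWN)\)")

def parse_nsrp_device(text):
    """Parse the device-monitoring lines into a threshold, sum and object list."""
    info = {"threshold": None, "reported_sum": None, "state": None, "objects": []}
    for line in text.splitlines():
        summary = SUMMARY_RE.search(line)
        if summary:
            info["threshold"] = int(summary.group(1))
            info["reported_sum"] = int(summary.group(2))
            info["state"] = summary.group(3)
            continue
        monitor = MONITOR_RE.search(line)
        if monitor:
            for name, weight, status in OBJECT_RE.findall(monitor.group(2)):
                info["objects"].append((monitor.group(1), name, int(weight), status))
    if info["threshold"] is None:
        raise ValueError("no 'monitoring threshold' line found")
    return info

def explain_failover(text):
    """Recompute the weighted sum from DOWN objects and compare to the threshold.
    Track-IP weight is not parsed here (it is disabled in the sample)."""
    info = parse_nsrp_device(text)
    down = [o for o in info["objects"] if o[3] == "DOWN"]
    computed = sum(o[2] for o in down)
    return {
        "down": [f"{kind} {name}" for kind, name, _, _ in down],
        "computed_sum": computed,
        "inoperable_expected": computed >= info["threshold"],
        "matches_reported": computed == info["reported_sum"],
    }

if __name__ == "__main__":
    print(explain_failover(SAMPLE))
```

If matches_reported is False, something other than the parsed interface and zone entries (for example, an enabled track IP) is contributing to the weighted sum.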
Solution:
Check the cables that are connected to the interfaces in question (in this case, eth0/0 and eth0/1). Check if the interface is manually shut down on the firewall (in this case, check if the configuration has either the set int ethernet0/0 phy link-down or set int ethernet0/1 phy link-down command).

Also, check the switch and switch ports, to which the interfaces are connected. If the cables are connected, but the interfaces are still down, try using different cables or different ports.  

After all of the interfaces in the monitored zone are brought up, the output of get nsrp will indicate that the monitored zone is Up and the firewall prompt will no longer report that it is Inoperable (I). The output of get nsrp will display the new state of the device:
SSG550(B)-> get nsrp | in device  
device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
device based nsrp monitor interface:
device based nsrp monitor zone: Trust(weight 255, UP)
device based nsrp track ip: (weight: 255, disabled)
SSG550(B)-> 
Modification History:
2021-04-06: Updated the article terminology to align with Juniper's Inclusion & Diversity initiatives
2019-05-30: Minor, non-technical update.
