Backup firewall running NSRP is in the (I) Inoperable state due to monitoring "track ip". Check interface manage-ip setting.

Article ID: KB11332 KB Last Updated: 15 Sep 2012 Version: 4.0
Summary:
NSRP is not failing over. The "track-ip" option is set, but the manage IP address is not set.
Symptoms:

  • The backup firewall running NSRP is in the (I) state, and the firewall is configured to 'monitor track ip'. How do I get the firewall out of the (I) state? How do I fix this situation?
  • The NSRP track-ip trigger did not fail over the device. What should I check?
  • The backup firewall prompt shows an (I), which means the Inoperable state.

A review of the "get nsrp" output shows the cause as track-ip being "failed":

ns208(I)-> get nsrp
...
<snip>
...
device based nsrp monitoring threshold: 255, weighted sum: 255, failed
device based nsrp monitor interface:
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, enabled, failed)
number of gratuitous arps: 4 (default)
config sync: enabled
track ip: enabled

ns208(I)-> get config | incl nsrp
set nsrp cluster id 7
set nsrp vsd-group id 0 priority 100
set nsrp monitor track-ip ip
set nsrp monitor track-ip ip 172.27.18.180 weight 255


A closer look with "get nsrp track-ip" shows the true reason, "no manage-ip address".

ns208(I)-> get nsrp track-ip
ip address      interval threshold wei  interface  meth fail-count success-rate
172.27.18.180          1         3 255 auto        ping        794 0% (no manage-ip address)
failure weight: 255, threshold: 255, failed: 1 ip(s) failed, weighted sum = 255
ns208(I)->


Solution:

Set the "manage-ip" address on both Primary and Backup devices, so that tracked hosts can be correctly polled regardless of NSRP (VSD) state.  For more information on setting a manage IP address, refer to KB4059.

Explanation:

In NSRP, the Virtual System Interfaces (VSIs) are only operational on the Primary device (and so VSIs on the Backup device are in a logically down state). Without the configuration of manage-ip addresses (which allow access to the device regardless of NSRP state), the pings can only be sent using the VSI address. If the device is the current Primary, then the pings will be sent out successfully; but as Backup, the device will not be able to send any pings because the interface (VSI) is "inactive", and so track-ip will fail.

NSRP "track-ip" functions by polling target hosts with ping packets (or in some instances, ARP packets). A target host is considered failed when it does not respond to those packets.
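
The diagnosis walked through above, as an added example (not Juniper's code): a small Python parser for captured "get nsrp track-ip" and "get config" output that separates tracked IPs failing for lack of a manage-ip from ones that are genuinely unreachable. The sample text is constructed from the output quoted in this article, and the "set interface <name> manage-ip <addr>" config form is an assumption, since this article does not show it.

```python
import re

# Constructed sample input, modelled on the CLI output quoted in this article.
TRACK_IP_OUTPUT = """\
ip address      interval threshold wei  interface  meth fail-count success-rate
172.27.18.180          1         3 255 auto        ping        794 0% (no manage-ip address)
failure weight: 255, threshold: 255, failed: 1 ip(s) failed, weighted sum = 255
"""
CONFIG_OUTPUT = """\
set nsrp cluster id 7
set nsrp vsd-group id 0 priority 100
set nsrp monitor track-ip ip
set nsrp monitor track-ip ip 172.27.18.180 weight 255
"""

ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+\d+\s+(?P<weight>\d+)\s+\S+\s+"
    r"(?P<method>\S+)\s+(?P<fails>\d+)\s+(?P<rate>\d+)%(?:\s+\((?P<note>[^)]*)\))?\s*$"
)
TOTALS = re.compile(r"threshold:\s*(\d+),.*weighted sum\s*=\s*(\d+)")
# Assumption: manage-ip appears in "get config" as "set interface <name> manage-ip <addr>".
MANAGE_IP = re.compile(r"^set interface \S+ manage-ip \S+", re.M)


def parse_track_ip(text):
    """Return (rows, threshold, weighted_sum) from "get nsrp track-ip" output."""
    rows, threshold, weighted_sum = [], None, None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
        t = TOTALS.search(line)
        if t:
            threshold, weighted_sum = int(t.group(1)), int(t.group(2))
    return rows, threshold, weighted_sum


def diagnose(track_ip_text, config_text):
    """Explain why track-ip is failing and whether a manage-ip is configured."""
    rows, threshold, weighted_sum = parse_track_ip(track_ip_text)
    no_mip = [r["ip"] for r in rows if r["note"] == "no manage-ip address"]
    unreachable = [r["ip"] for r in rows if r["rate"] == "0" and r["ip"] not in no_mip]
    return {
        "no_manage_ip": no_mip,        # probes could not be sent from the inactive VSI
        "unreachable": unreachable,    # 0% success with no manage-ip note on the row
        "track_ip_failed": weighted_sum is not None and weighted_sum >= threshold,
        "manage_ip_configured": bool(MANAGE_IP.search(config_text)),
    }
```

Pass the full "get config" output rather than the "| incl nsrp" filtered view, because interface lines are not included in the filtered output.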