Firewall running NSRP is in (I) state. How do I get the firewall out of the (I) state? How do I fix this situation?
If the NSRP monitored objects for device failover exceed the failure threshold, it will result in the device to enter the
Inoperable state. The firewall prompt has a (I) appended to the hostname when it is in the Inoperable state.
NSRP monitored objects include:
- Physical Interfaces
- Zones
- Specific target IP addresses
Run the command '
get nsrp | inc device
' to see which NSRP monitored objects caused the firewall to go into the Inoperable state. Depending on how you configured the weights, it could be more that one object.
Monitoring Physical Interfaces If the monitored physical interface failed, then the
interface is identified as DOWN in the '
get nsrp'
output:
SSG550(I)-> get nsrp | in device
device based nsrp monitoring threshold: 255, weighted sum: 255, failed
device based nsrp monitor interface: ethernet0/0(weight 255, DOWN)
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, disabled)
For more information on how to fix this condition, see
KB11327.
Monitoring Zones If all the interfaces in the monitored zone are down, then the
zone is identified as DOWN in the '
get nsrp'
output:
SSG550(I)-> get nsrp | in device
device based nsrp monitoring threshold: 255, weighted sum: 255, failed
device based nsrp monitor interface:
device based nsrp monitor zone: Trust(weight 255, DOWN)
device based nsrp track ip: (weight: 255, disabled)
For more information on how to fix this condition, see
KB11331.
Monitoring Specific Target IP Address(es) If the monitored specific target address(es) are unreachable and exceed the failure threshold, then it is identified as FAILED in the
'get nsrp'
output:
SSG550(I)-> get nsrp | in device
device based nsrp monitoring threshold: 255, weighted sum: 255, failed
device based nsrp monitor interface:
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, enabled, failed)
Enter the command '
get nsrp track-ip'
to get more information on the addresses that triggered the failure. For more information on how to fix this condition, refer to
KB11332.
SSG550(I)-> get nsrp track-ip
ip address interval threshold wei interface meth fail-count success-rate
10.1.0.100 1 3 255 auto ping 101 0%
failure weight: 255, threshold: 3, failed: 1 ip(s) failed, weighted sum = 255
SSG550(I)->