Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Firewall running NSRP is in the (I) Inoperable state. How do I check what triggered it to this state and how do I fix it?

0

0
Article ID: KB11338 KB Last Updated: 21 Feb 2013Version: 5.0 Summary:
Firewall running NSRP is in (I) state.  How do I get the firewall out of the (I) state? How do I fix this situation?
Symptoms:
Symptoms:
  • Backup firewall running NSRP is in (I) state. How do I check what triggered it?  How do I get the firewall out of the (I) state? How do I fix this situation?
  • Firewall prompt has an (I) at end
 
Cause:

Solution:
If the NSRP monitored objects for device failover exceed the failure threshold, it will result in the device to enter the Inoperable state.  The firewall prompt has a (I) appended to the hostname when it is in the Inoperable state. 

NSRP monitored objects include:
  •  Physical Interfaces
  •  Zones
  •  Specific target IP addresses
Run the command 'get nsrp | inc device'  to see which NSRP monitored objects caused the firewall to go into the Inoperable state.  Depending on how you configured the weights, it could be more that one object.


Monitoring Physical Interfaces
If the monitored physical interface failed, then the interface is identified as DOWN in the 'get nsrp' output:

SSG550(I)-> get nsrp | in device 
device based nsrp monitoring threshold: 255, weighted sum: 255, failed
device based nsrp monitor interface: ethernet0/0(weight 255, DOWN)
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, disabled)

For more information on how to fix this condition, see KB11327.


Monitoring Zones
If all the interfaces in the monitored zone are down, then the zone is identified as DOWN in the 'get nsrp' output:

SSG550(I)-> get nsrp | in device
device based nsrp monitoring threshold: 255, weighted sum: 255, failed
device based nsrp monitor interface:
device based nsrp monitor zone: Trust(weight 255, DOWN)
device based nsrp track ip: (weight: 255, disabled)

For more information on how to fix this condition, see KB11331.


Monitoring Specific Target IP Address(es)
If the monitored specific target address(es) are unreachable and exceed the failure threshold, then it is identified as FAILED in the 'get nsrp' output:

SSG550(I)-> get nsrp | in device
device based nsrp monitoring threshold: 255, weighted sum: 255, failed
device based nsrp monitor interface:
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, enabled, failed)

Enter the command 'get nsrp track-ip' to get more information on the addresses that triggered the failure.  For more information on how to fix this condition, refer to KB11332.
SSG550(I)-> get nsrp track-ip  
ip address      interval threshold wei  interface  meth fail-count success-rate
10.1.0.100             1         3 255 auto        ping        101 0%
failure weight: 255, threshold: 3, failed: 1 ip(s) failed, weighted sum = 255
SSG550(I)->
 

Related Links

 Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search