Can't PING a backup device configured with NSRP

Article ID: KB11374   KB Last Updated: 29 Dec 2017   Version: 12.0
Summary:
A backup device in an NSRP cluster must be explicitly configured before it can be pinged or managed. This article describes the required configuration and the commands used to troubleshoot it.
Symptoms:
  • Can't PING the backup device (of an NSRP pair) when the target interface is in the same zone as the client
    ==> See Scenario-1 in Solution below
  • Can't PING the backup device (of an NSRP pair) when the target interface is in a different zone than the client
    ==> See Scenario-2 in Solution below
Solution:

Network Topology:

(The topology diagram is not reproduced in this text.)

The Clustered Firewalls, FW-1 and FW-2, are configured as follows:
  • Configured as an Active/Passive NSRP cluster
  • FW-2 is the Backup Firewall
  • Both interfaces on each FW are configured with a manage-ip address
  • Host-A  (IP address 1.1.1.30) is located in the Untrust zone
 
[FW-1]
set interface ethernet0/0 manage-ip 2.2.2.21
set interface ethernet0/1 manage-ip 1.1.1.11
[FW-2]
set interface ethernet0/0 manage-ip 2.2.2.22
set interface ethernet0/1 manage-ip 1.1.1.12
 

Scenario-1:  A client cannot PING the backup firewall, when the target interface is located in the same zone as the client

(Per above diagram, Host-A attempts to PING interface e0/1 of FW-2.)
  1. Confirm the interface manage-ip is set -- Issue the command as shown below:
    FW-2(B)-> get config | include manage-ip
    set interface ethernet0/0 manage-ip 2.2.2.22
    set interface ethernet0/1 manage-ip 1.1.1.12


    If the interface has no manage-ip, add one. The manage-ip must be an address that is not otherwise in use, must lie in the same subnet as the interface IP address, and is specific to this device (unlike the interface IP, which the cluster members share).
  2. Verify that the manage ping option is enabled on the interface -- issue the command as shown below:
    FW-2(B)-> get interface e0/1 | include PING
    ping enabled, telnet disabled, SSH disabled, SNMP disabled


    If the ping option is disabled, issue the following command:
            set interface ethernet0/1 manage ping
  3. Review the routing table on both Host-A and the firewall to confirm the route is correct. The following shows how to look up the route for a specific IP address:
    FW-2(B)-> get route ip 1.1.1.30
    Dest for 1.1.1.30
    -----------------------------------------------------------------
    trust-vr: => 1.1.1.10/24 (id=5) via 0.0.0.0 (vr: trust-vr)
                 Interface ethernet0/1 , metric 0


    If the route is wrong or missing, correct it.
  4. Is Host-A in the same subnet as the manage-ip, or in a different one?
    • Same subnet: the three steps above are sufficient.
    • Different subnet: the following command is also required, because the backup cannot otherwise route the reply (see step 2 in Scenario-2 below for details):
      set flow mac-cache mgt


 

Scenario-2:  From a client, I can't PING a backup firewall interface, which is located in a different zone than the client.

(In the diagram in this article, Host-A is trying to PING e0/0 of FW-2.)
  1. Perform Steps 1 - 3 in Scenario-1 above; return when finished.
  2. Check if the flow mac cache mgt option is set:
    FW-2(B)-> get flow | include "MAC cache"
    MAC cache for management traffic: OFF

    This flow option is disabled by default (OFF).  Enable it by executing the following command.
    set flow mac-cache mgt

    The following shows debug flow basic output captured without and with set flow mac-cache mgt configured.
    • Without set flow mac-cache mgt:
      Note: the backup cannot find a return route to the client; "route failed to 1.1.1.30, nspflag=0x601" is seen in the log.
       
      03949.0: ethernet0/0(i) len=74:0010dbff2000->0017cb403000/0800
                    1.1.1.30 -> 2.2.2.22/1
                    vhl=45, tos=00, id=5879, frag=0000, ttl=127 tlen=60
                    icmp:type=8, code=0
       
      ****** 03949.0: <Trust/ethernet0/0> packet received [60]******
        ipid = 5879(16f7), @1d583114
        packet passed sanity check.
        ethernet0/0:1.1.1.30/27136->2.2.2.22/1024,1(8/0)<Root>
        no session found
        flow_first_sanity_check: in <ethernet0/0>, out <N/A> not ipsec nat pkt.
        existing vector list 20-51d63b0.
         create a self session (flag 0x206), timeout=60sec.
        flow_first_install_session======>
        make_nsp_ready_no_resolve()
        search route to (self, 2.2.2.22->1.1.1.30) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0  no route to (0.0.0.0->1.1.1.30) in vr trust-vr/0
        nsrp msg sent.
        flow got session.
        flow session id 48063
        packet is for self, copy packet to self copy packet to us.
      ****** 03950.0: <Self/self> packet received [60]******
        ipid = 1261(04ed), @02419eb4
      flow_self_vector2: send pack with current vid =0, enc_size:0
        processing packet through normal path.
        packet passed sanity check.
        self:2.2.2.22/1024->1.1.1.30/27136,1(0/0)<Root>
      Not IKE nor NAT-T nor ESP protocol.
        existing session found. sess token 8
        flow got session.
        flow session id 48063
        skip ttl adjust for packet from self.
        prepare route
        search route to (self, 2.2.2.22->1.1.1.30) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0 
        no route to (0.0.0.0->1.1.1.30) in vr trust-vr/0

        route to 0.0.0.0
        route failed to 1.1.1.30, nspflag=0x601
    • With set flow mac-cache mgt:
      Note: the session caches the source MAC of the incoming frame ("cache mac in the session"), and the reply is sent to that MAC out the ingress interface instead of failing the route lookup; "packet send out to 0010dbff2000 (cached) through ethernet0/0" is seen in the log.

      04019.0: ethernet0/0(i) len=74:0010dbff2000->0017cb403000/0800
                    1.1.1.30 -> 2.2.2.22/1
                    vhl=45, tos=00, id=6033, frag=0000, ttl=127 tlen=60
                    icmp:type=8, code=0

      ****** 04019.0: <Trust/ethernet0/0> packet received [60]******
        ipid = 6033(1791), @1d554914
        packet passed sanity check.
        ethernet0/0:1.1.1.30/27648->2.2.2.22/1024,1(8/0)<Root>
        no session found
        flow_first_sanity_check: in <ethernet0/0>, out <N/A> not ipsec nat pkt.
        existing vector list 20-51d63b0.
         create a self session (flag 0x206), timeout=60sec.
        flow_first_install_session======>
        cache mac in the session
        make_nsp_ready_no_resolve()
        search route to (self, 2.2.2.22->1.1.1.30) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/0 
        no route to (0.0.0.0->1.1.1.30) in vr trust-vr/0

        nsrp msg sent.
        flow got session.
        flow session id 48060
        packet is for self, copy packet to self copy packet to us.
      ****** 04019.0: <Self/self> packet received [60]******
        ipid = 1263(04ef), @02419eb4
      flow_self_vector2: send pack with current vid =0, enc_size:0
        processing packet through normal path.
        packet passed sanity check.
        self:2.2.2.22/1024->1.1.1.30/27648,1(0/0)<Root>
      Not IKE nor NAT-T nor ESP protocol.
        existing session found. sess token 8
        flow got session.
        flow session id 48060
        skip ttl adjust for packet from self.
        existing vector list 20-51d63b0.
        packet send out to 0010dbff2000 (cached) through ethernet0/0

    NOTE:  set flow mac-cache mgt does not take effect if set arp always-on-dest is configured.
  3. Check that a policy exists to permit PING from the client's zone to the zone of the target interface:
     FW-2(B)-> get policy from untrust to trust
     ID From     To       Src-address  Dst-address  Service              Action State   ASTLCB
      1 Untrust  Trust    Any          Any          PING                 Permit enabled -----X


        If there is no policy permitting the PING service, add one. Scope it to the management host and the manage-ip rather than Any/Any (the bracketed names below are placeholders for the address-book entries of Host-A and the target interface's manage-ip):
            set policy from untrust to trust [Host-A] [trust-int-ip] PING permit
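The checks in Scenario-1 and Scenario-2 can be run mechanically against captured CLI output. The following is an added example, not Juniper code or part of this article: it parses the outputs of get config, get interface, get flow and get policy, reports which of the article's settings are missing for a given client and target interface, and classifies a debug flow basic excerpt as "route-failed" or "cached-mac". The sample outputs are constructed to mirror the FW-2 captures above; the e0/0 interface address 2.2.2.20/24, the function names and the parameter names are this example's own assumptions.

```python
"""Audit a ScreenOS NSRP backup unit's manage-ip reachability from captured CLI output.

Added example, not Juniper's code. It encodes the article's checks: manage-ip
present and inside the interface subnet, 'manage ping' enabled, 'flow mac-cache
mgt' when the client is off-subnet (plus the 'arp always-on-dest' caveat), and
a PING policy when the zones differ. Sample outputs below are constructed to
mirror the article's FW-2 captures; the e0/0 address 2.2.2.20/24 and all
function/parameter names are assumptions of this example.
"""
import ipaddress
import re

# Constructed sample output of: get config | include "interface ethernet"
GET_CONFIG = """\
set interface ethernet0/0 ip 2.2.2.20/24
set interface ethernet0/0 manage-ip 2.2.2.22
set interface ethernet0/1 ip 1.1.1.10/24
set interface ethernet0/1 manage-ip 1.1.1.12
"""
# Constructed sample output of: get interface <ifname> | include PING
GET_INTERFACE = "ping enabled, telnet disabled, SSH disabled, SNMP disabled"
# Constructed sample output of: get flow | include "MAC cache"
GET_FLOW = "MAC cache for management traffic: OFF"
# Constructed sample output of: get policy from untrust to trust
GET_POLICY = """\
ID From     To       Src-address  Dst-address  Service              Action State   ASTLCB
 1 Untrust  Trust    Any          Any          PING                 Permit enabled -----X
"""
# Constructed debug flow basic excerpts, taken from the two captures in the article.
DEBUG_NO_CACHE = """\
        no route to (0.0.0.0->1.1.1.30) in vr trust-vr/0
        route to 0.0.0.0
        route failed to 1.1.1.30, nspflag=0x601
"""
DEBUG_CACHE = """\
        cache mac in the session
        packet send out to 0010dbff2000 (cached) through ethernet0/0
"""


def audit_backup_mgmt(config, iface_out, flow_out, policy_out, iface, client_ip,
                      arp_always_on_dest=False):
    """Return (findings, fix_commands) for reaching `iface`'s manage-ip from client_ip.

    policy_out is the 'get policy from <client zone> to <interface zone>' output;
    pass None when client and interface share a zone (no policy is consulted).
    """
    findings, fixes = [], []

    # Scenario-1 step 1: manage-ip present and inside the interface's own subnet.
    ip_m = re.search(rf"^set interface {re.escape(iface)} ip (\S+)", config, re.M)
    mg_m = re.search(rf"^set interface {re.escape(iface)} manage-ip (\S+)", config, re.M)
    if not ip_m:
        findings.append(f"{iface}: no interface ip in config")
        return findings, fixes
    net = ipaddress.ip_interface(ip_m.group(1)).network
    if not mg_m:
        findings.append(f"{iface}: manage-ip not set")
        fixes.append(f"set interface {iface} manage-ip <unused address in {net}>")
    elif ipaddress.ip_address(mg_m.group(1)) not in net:
        findings.append(f"{iface}: manage-ip {mg_m.group(1)} is outside {net}")
        fixes.append(f"set interface {iface} manage-ip <unused address in {net}>")

    # Scenario-1 step 2: the interface must accept management PING.
    if not re.search(r"\bping enabled\b", iface_out, re.I):
        findings.append(f"{iface}: manage ping disabled")
        fixes.append(f"set interface {iface} manage ping")

    # Scenario-1 step 4 / Scenario-2 step 2: an off-subnet client needs the MAC
    # cache, because the backup's route lookup for the reply fails.
    if ipaddress.ip_address(client_ip) not in net:
        cache = re.search(r"MAC cache for management traffic:\s*(ON|OFF)", flow_out)
        if not cache or cache.group(1) == "OFF":
            findings.append(f"client {client_ip} is outside {net} and flow mac-cache mgt is OFF")
            fixes.append("set flow mac-cache mgt")
        if arp_always_on_dest:
            findings.append("set arp always-on-dest is configured; mac-cache mgt will not take effect")

    # Scenario-2 step 3: an enabled policy permitting PING (or ANY) across the zones.
    # Address-book names containing spaces would need a wider pattern.
    if policy_out is not None and not re.search(
            r"^\s*\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+(PING|ANY)\s+Permit\s+enabled",
            policy_out, re.M):
        findings.append("no enabled policy permitting PING between the zones")
        fixes.append(f"set policy from <client zone> to <{iface} zone> <client> <manage-ip> PING permit")
    return findings, fixes


def reply_path(debug_flow):
    """Classify a 'debug flow basic' excerpt for a self session on the backup."""
    if "(cached) through" in debug_flow:
        return "cached-mac"      # reply used the MAC cached from the request
    if "route failed to" in debug_flow:
        return "route-failed"    # reply dropped: no usable route on the backup
    return "routed"


if __name__ == "__main__":
    # Scenario-2: Host-A (1.1.1.30, Untrust) pings e0/0's manage-ip (Trust zone).
    findings, fixes = audit_backup_mgmt(GET_CONFIG, GET_INTERFACE, GET_FLOW,
                                        GET_POLICY, "ethernet0/0", "1.1.1.30")
    for f in findings:
        print("FINDING:", f)
    for c in fixes:
        print("FIX:    ", c)
    print("reply path without cache:", reply_path(DEBUG_NO_CACHE))
    print("reply path with cache:   ", reply_path(DEBUG_CACHE))
```

Run against the constructed captures, the Scenario-2 case reports a single finding (the client is off-subnet while the MAC cache is OFF) and one fix, set flow mac-cache mgt; the Scenario-1 same-subnet case against e0/1 reports nothing. The policy regex matches the column layout shown in the article's get policy output and should be widened if your address-book names contain spaces.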
Modification History:
2017-12-29: Minor format changes.
