Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] How can an NSRP cluster be manually failed over from one device to another?



Article ID: KB12558 KB Last Updated: 30 May 2019Version: 4.0

This article provides information about the various options that can be used to manually fail over a NSRP firewall cluster from one device to another.


Information about the various options that can be used to manually fail over a NSRP firewall cluster from one device to another.


Option 1 - Force the current primary to become the backup:

Use the exec nsrp vsd-group mode backup command. This command must be used on the current Primary firewall. It will force the Primary to become the Backup, which in turn forces the Backup to become the Primary. To restore the previous Primary to this state again, repeat the process by using the same command on the new primary.

Note: Make sure that the original Primary device does not have NSRP preempt enabled; otherwise, it will automatically become the Primary again, if the NSRP priority is lower (=better) than the NSRP priority on the other device.

For example:
cluster:nsisg2000(M)-> exec nsrp vsd-group 0 mode backup

Start deactivate session (vsd=0) ...
7 sessions deactivated



Option 2 - Force the current Primary to become ineligible:

Use the exec nsrp vsd-group 0 mode ineligible command. This command isolates the firewall from the cluster by keeping it manageable, but not able to pass traffic. For example:
cluster:nsisg2000(M)-> exec nsrp vsd-group <group ID> mode ineligible
To bring the device back into the cluster, the firewall will have to be re-initialized via the following command:
cluster:nsisg2000(I)-> exec nsrp vsd-group <group ID> mode init


Option 3 - Interface failure/Track-IP failure:

If the firewall is monitoring an IP address via Track-IP or it is monitoring the status of the firewall interfaces, it is possible to cause a failover by either bringing down a monitored interface or making the Track-IP target unreachable. This will change the NSRP state of the firewall to Inoperable, which forces the primary backup to promote itself to the Primary state. It is possible to force an interface to go to the down state, without physically disconnecting it, by using the following command:
cluster:nsisg2000(M)-> set interface <interface name> phy link-down
To undo this command, use the following command:
cluster:nsisg2000(M)-> unset interface <interface name> phy link-down
After bringing the interface to the Up state again, the firewall will become the primary backup, if NSRP preempt is not configured on the device.


Option 4 - Increase the priority on the backup firewall:

If the cluster is enabled with preempt, increase the priority of backup firewall such that the backup firewall will automatically become the Primary of the cluster immediately after the NSRP election is completed. It is possible to enable the preempt in the device for which you would like to bring it up as Primary of the VSD-group. 

To enable the preempt on the backup device :
cluster:nsisg2000(B)-> set nsrp vsd-group <group ID> preempt

To increase the priority of a firewall in a VSD-group :
cluster:nsisg2000(B)-> set nsrp vsd-group <group ID>  priority  < number between 0 - 250>

Note: Assign the priority to be a lower value than the priority of the preferred primary backup.
Modification History:
2019-05-30: Added Option 4 to solution.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search