[ScreenOS] How can an NSRP cluster be manually failed over from one device to another?

  [KB12558]


Summary:

This article provides information about the various options that can be used to manually fail over a NSRP firewall cluster from one device to another.

Symptoms:

Information about the various options that can be used to manually fail over a NSRP firewall cluster from one device to another.

Solution:

Option 1 - Force the current master to become the backup:

Use the exec nsrp vsd-group <group ID> mode backup command. Run it on the current Master firewall. It forces the Master to become the Backup, which in turn promotes the Backup to Master. To make the previous Master the Master again, run the same command on the new Master.

Note: Make sure that the original Master device does not have NSRP preempt enabled; otherwise it automatically becomes the Master again if its NSRP priority is lower (that is, better) than the NSRP priority of the other device.

For example:
cluster:nsisg2000(M)-> exec nsrp vsd-group 0 mode backup

inactive
Start deactivate session (vsd=0) ...
7 sessions deactivated

cluster:nsisg2000(B)->

 

Option 2 - Force the current Master to become ineligible:

Use the exec nsrp vsd-group <group ID> mode ineligible command. This command isolates the firewall from the cluster: the device remains manageable but can no longer pass traffic. For example:
cluster:nsisg2000(M)-> exec nsrp vsd-group <group ID> mode ineligible
To bring the device back into the cluster, re-initialize the firewall with the following command:
cluster:nsisg2000(I)-> exec nsrp vsd-group <group ID> mode init

 

Option 3 - Interface failure/Track-IP failure:

If the firewall is monitoring an IP address via Track-IP, or is monitoring the status of its interfaces, a failover can be caused either by bringing down a monitored interface or by making the Track-IP target unreachable. Either event changes the NSRP state of the firewall to Inoperable, which forces the primary backup to promote itself to the Master state. An interface can be forced into the down state, without physically disconnecting it, with the following command:

cluster:nsisg2000(M)-> set interface <interface name> phy link-down

To undo this command, use the following command:

cluster:nsisg2000(M)-> unset interface <interface name> phy link-down

After the interface returns to the Up state, the firewall becomes the primary backup, provided NSRP preempt is not configured on the device.

 

Option 4 - Increase the priority on the backup firewall:

If preempt is enabled in the cluster, raise the priority of the backup firewall (that is, assign it a lower priority value; see the Note below) so that it automatically becomes the master of the cluster as soon as the NSRP election completes. Preempt can be enabled on the device that you want to bring up as master of the VSD group.

To enable preempt on the backup device:
cluster:nsisg2000(B)-> set nsrp vsd-group <group ID> preempt

To change the priority of a firewall in a VSD group:
cluster:nsisg2000(B)-> set nsrp vsd-group <group ID> priority <number between 0 - 250>

Note: Assign a priority value lower than the priority of the preferred primary backup.
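The four options above all depend on the same two rules: a better (lower) priority only matters when preempt is enabled, and a device that leaves the Master role is otherwise not given it back until it is forced over again. The following added example (not ScreenOS code, and not part of this article) is a small hypothetical model of a two-member VSD group that applies those rules, so the outcome of each option, including the preempt caveat under Option 1 and the "primary backup" result under Option 3, can be checked before touching a live cluster. Member names, priorities and the state letters M/B/I/O are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Member:
    """Hypothetical VSD-group member; values are constructed for this example."""
    name: str
    priority: int          # NSRP priority: a lower number is better
    preempt: bool = False
    state: str = "B"       # M=master, B=backup, I=ineligible, O=inoperable


def elect(members):
    """Settle the VSD group. Only M/B members take part. An existing master keeps
    the role unless a preempt-enabled member has a strictly better priority (the
    behaviour the Note under Option 1 warns about). With no master at all, the
    best priority wins. Returns the master's name, or None if nobody is eligible."""
    active = [m for m in members if m.state in ("M", "B")]
    if not active:
        return None
    master = next((m for m in active if m.state == "M"), None)
    best = min(active, key=lambda m: m.priority)
    if master is None or (best.preempt and best.priority < master.priority):
        master = best
    for m in active:
        m.state = "M" if m is master else "B"
    return master.name


def fail_over(members, new_state):
    """Take the current master out of the Master role: 'B' models Option 1
    (mode backup), 'I' models Option 2 (mode ineligible), 'O' models Option 3
    (monitored interface or Track-IP failure). The backup is promoted first;
    the election then decides whether preempt immediately reverses the switch."""
    master = next(m for m in members if m.state == "M")
    backup = next(m for m in members if m.state == "B")
    master.state, backup.state = new_state, "M"
    return elect(members)


def bring_back(members, name):
    """Return a member from I (mode init) or O (link back up) to backup and let
    the election decide whether it regains Master or stays primary backup."""
    member = next(m for m in members if m.name == name)
    member.state = "B"
    return elect(members)


def prefer(members, name, priority):
    """Option 4: enable preempt on a backup and give it a better priority."""
    member = next(m for m in members if m.name == name)
    member.preempt, member.priority = True, priority
    return elect(members)
```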
 
Modification History:
2019-05-30: Added Option 4 to solution.