
[ScreenOS] Firewall cannot recognize peer device in NSRP cluster


Article ID: KB14055    Last Updated: 17 Dec 2013    Version: 5.0
Summary:

The firewall device cannot recognize its peer device in an NSRP cluster. Two solutions are offered.

Symptoms:

The two devices in an NSRP cluster cannot recognize each other. Both devices are acting as the primary (master) unit, so the firewalls are in a 'split-brain' state.

Running debug nsrp all on both devices shows each firewall dropping the peer's NSRP packets because the NSRP version in them does not match its own:

"diff version(0), drop it" on firewall A
"diff version(3), drop it" on firewall B

Cause:

NSRP communication only works between devices that use the same values for the nsrp-max-cluster and nsrp-max-vsd environment variables, so all devices in one broadcast domain must be set to the same values.

In addition, a single broadcast domain cannot mix devices running in traditional mode (the default limits of 8 clusters and 8 VSDs, with neither variable set) with devices that have either NSRP environment variable set.

For example, firewall A has nsrp-max-cluster set while firewall B does not:

FW_A(M)-> get envar
default_image=screenos_image
loader_version=1.0.3
max-frame=9830
nsrp-max-cluster=64               <- Firewall A has NSRP max cluster configured
run_image=default (screenos_image)

FW_B(M)-> get envar
default_image=screenos_image
loader_version=1.0.3
max-frame-size=9830

For more information on the NSRP environment variables, refer to KB11150 - Virtual MAC (VMAC) address for HA pair when using nsrp-max-cluster and nsrp-max-vsd variables, or to the Concepts & Examples ScreenOS Reference Guide - Volume 11 - High Availability.

Solution:


There are two ways to fix this; apply one or the other, not both. In each case the reset command reboots the device.

Solution 1:  On firewall B, set the same value that firewall A uses

set envar nsrp-max-cluster=64
save
reset

In practice this problem is most often seen after one NSRP cluster member has been replaced (RMAed). The replacement device is cabled, licensed and loaded with the old working configuration, yet the two devices still cannot see each other in the NSRP cluster. The reason is that environment variables are not part of the configuration, so copying the configuration does not carry them over; they must be set explicitly on the replacement device, as shown above.

Solution 2:  On firewall A, remove the variable so that both devices run in traditional mode

unset envar nsrp-max-cluster
save
reset

Note that nsrp-max-cluster and nsrp-max-vsd also determine the virtual MAC (VMAC) addresses used by the HA pair (see KB11150 above), so check what Solution 2 would change before applying it to a production pair.
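As an added example (not from the KB article, and not a Juniper tool): a small Python script that parses captured `get envar` output from both peers, compares nsrp-max-cluster and nsrp-max-vsd, and prints the two alternative fixes described above. The sample outputs are constructed to mirror the FW_A/FW_B case; the device names and the assumption that a device with neither variable set runs in traditional mode (effective limit 8) are mine.

```python
"""Check two ScreenOS NSRP peers for mismatched NSRP environment variables.

Added example, not part of the Juniper KB article. It parses captured
`get envar` output from each firewall, compares nsrp-max-cluster and
nsrp-max-vsd, and lists the two alternative fixes from the article.
Assumption: a device with neither variable set runs in traditional mode,
i.e. an effective limit of 8 clusters and 8 VSDs.
"""
import re

NSRP_VARS = ("nsrp-max-cluster", "nsrp-max-vsd")
TRADITIONAL_MAX = 8  # traditional mode: cluster 8 and VSD 8 (assumption)

# Constructed sample output mirroring the article's FW_A / FW_B case.
FW_A_ENVAR = """\
FW_A(M)-> get envar
default_image=screenos_image
loader_version=1.0.3
max-frame-size=9830
nsrp-max-cluster=64
run_image=default (screenos_image)
"""

FW_B_ENVAR = """\
FW_B(M)-> get envar
default_image=screenos_image
loader_version=1.0.3
max-frame-size=9830
"""


def parse_envar(text):
    """Turn `get envar` output into a {name: value} dict.

    Lines without name=value (the prompt, blank lines) are ignored, and any
    trailing text after the value (e.g. a '<- ...' annotation) is dropped.
    """
    env = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.-]+)=(\S*)", line)
        if m:
            env[m.group(1)] = m.group(2)
    return env


def effective_limits(env):
    """Effective NSRP limits; a missing variable means traditional mode."""
    return {v: int(env[v]) if v in env else TRADITIONAL_MAX for v in NSRP_VARS}


def fix_options(var, name_a, env_a, name_b, env_b):
    """The two alternative remediations for one mismatched variable.

    Apply exactly one of them: either set the value on the peer that lacks
    it, or unset it on the peer that has it (each followed by save + reset).
    """
    if var in env_a and var not in env_b:
        options = [(name_b, f"set envar {var}={env_a[var]}"),
                   (name_a, f"unset envar {var}")]
    elif var in env_b and var not in env_a:
        options = [(name_a, f"set envar {var}={env_b[var]}"),
                   (name_b, f"unset envar {var}")]
    else:  # set on both, to different values: align one with the other
        options = [(name_b, f"set envar {var}={env_a[var]}"),
                   (name_a, f"set envar {var}={env_b[var]}")]
    return [(dev, [cmd, "save", "reset"]) for dev, cmd in options]


def compare_peers(name_a, text_a, name_b, text_b):
    """Return one finding per NSRP variable whose effective value differs."""
    env_a, env_b = parse_envar(text_a), parse_envar(text_b)
    lim_a, lim_b = effective_limits(env_a), effective_limits(env_b)
    findings = []
    for var in NSRP_VARS:
        if lim_a[var] != lim_b[var]:
            findings.append({
                "variable": var,
                name_a: lim_a[var],
                name_b: lim_b[var],
                "fixes": fix_options(var, name_a, env_a, name_b, env_b),
            })
    return findings


def report(findings):
    """Human-readable summary, returned as text so callers can log it."""
    if not findings:
        return "NSRP environment variables match; look elsewhere for the split-brain cause."
    lines = []
    for f in findings:
        peers = [k for k in f if k not in ("variable", "fixes")]
        lines.append(f"{f['variable']}: " + ", ".join(f"{p}={f[p]}" for p in peers))
        for i, (dev, cmds) in enumerate(f["fixes"], 1):
            lines.append(f"  option {i}: on {dev}: " + "; ".join(cmds))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(compare_peers("FW_A", FW_A_ENVAR, "FW_B", FW_B_ENVAR)))
```

Feed it the `get envar` text captured from each peer (for example over the console or SSH) and it reports only the variables whose effective values differ; a peer that has neither variable set is treated as traditional mode, which is exactly the case of the replaced (RMAed) device whose environment variables were never restored.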
