
[EOL/EOE] When to use the NSRP commands: preempt, master-always-exist, and ha-link probe

Article ID: KB14156 KB Last Updated: 29 Mar 2021 Version: 2.0
Summary:
What is the best way to use the following commands: "preempt", "master-always-exist", and "ha-link probe"?
Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE). 
Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.
Symptoms:
A pair of NSRP devices flaps when preempt is set on both the primary and the backup and both have the same priority.
Solution:
  • Preempt should only be set on one device in the NSRP cluster, usually the device that you want to be the primary. For more information, refer to KB11373 - How to configure preempt and priority NSRP options. How to force one firewall to be the preferred primary.

  • For example:
    On the device you want to be the primary (FW1 in this example), set the following commands. With these commands, if FW1 fails, FW2 takes over as the new primary. When FW1 recovers, it takes back control of the cluster:
    FW1> set nsrp vsd-group id 0 preempt
    FW1> set nsrp vsd-group id 0 priority 50
    (The priority of the preferred backup should be a higher value, as the lower priority takes precedence.)
    FW1> set nsrp vsd-group master-always-exist
  • If you want one device of the cluster to remain up in the event that both cluster members go to the Inoperable state, set the master-always-exist command. When you enter this command on the primary, it is automatically synced to the backup firewall.
  • This command is beneficial if both cluster members are in the Inoperable state because the switch connected to one set of interfaces is down, for example the DMZ interfaces. Traffic between the other interface zones can then still flow. However, in the event that the HA links also fail, the devices could become split brain because they cannot see each other. For more information, refer to KB11292 - How to configure NSRP options: secondary path, hb-interval, auth password, encrypt password, master-always-exist, link-up-on-backup.
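
An added example, not part of the Juniper article: a Python check that reads the saved NSRP lines from both cluster members and flags the flapping condition described under Symptoms (preempt on both members with the same priority), plus a master-always-exist setting that is present on only one member. The sample configurations are constructed, the FW2 priority of 100 is an assumed value, and the function names are hypothetical.

```python
import re

# Per-VSD-group commands in the form the article shows.
VSD_RE = re.compile(r"^set nsrp vsd-group id (\d+) (preempt|priority)(?: (\d+))?$")
MAE_CMD = "set nsrp vsd-group master-always-exist"

def parse_nsrp(config_text):
    """Return ({vsd_id: {'preempt': bool, 'priority': int or None}}, mae_set)."""
    groups, mae = {}, False
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line == MAE_CMD:
            mae = True
        match = VSD_RE.match(line)
        if not match:
            continue
        group = groups.setdefault(int(match.group(1)), {"preempt": False, "priority": None})
        if match.group(2) == "preempt":
            group["preempt"] = True
        elif match.group(3) is not None:
            group["priority"] = int(match.group(3))
    return groups, mae

def audit_pair(cfg_a, cfg_b):
    """List findings for a two-member cluster; an empty list means no issue found."""
    (groups_a, mae_a), (groups_b, mae_b) = parse_nsrp(cfg_a), parse_nsrp(cfg_b)
    unset = {"preempt": False, "priority": None}
    findings = []
    for vsd in sorted(set(groups_a) | set(groups_b)):
        a, b = groups_a.get(vsd, unset), groups_b.get(vsd, unset)
        if a["preempt"] and b["preempt"]:
            # Two unset priorities also count as equal (both at the device default).
            if a["priority"] == b["priority"]:
                findings.append(f"vsd-group {vsd}: preempt on both members with equal priority (flapping)")
            else:
                findings.append(f"vsd-group {vsd}: preempt on both members; keep it on one device only")
    if mae_a != mae_b:
        findings.append("master-always-exist set on only one member (it should sync to the backup)")
    return findings

# Constructed sample configurations (not taken from a real device).
FLAPPING_FW1 = "set nsrp vsd-group id 0 preempt\nset nsrp vsd-group id 0 priority 50\n"
FLAPPING_FW2 = FLAPPING_FW1
FIXED_FW1 = FLAPPING_FW1 + MAE_CMD + "\n"
FIXED_FW2 = "set nsrp vsd-group id 0 priority 100\n" + MAE_CMD + "\n"

if __name__ == "__main__":
    print(audit_pair(FLAPPING_FW1, FLAPPING_FW2))
    print(audit_pair(FIXED_FW1, FIXED_FW2))
```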

Modification History:
2021-03-24: Updated the article terminology to align with Juniper's Inclusion & Diversity initiatives.