Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

When to use the NSRP commands: preempt, master-always-exist, and ha-link probe

0

0

Article ID: KB14156 KB Last Updated: 28 May 2009Version: 1.0
Summary:
What is the best way to use the following commands: “Preempt”, “master-always exist” and “ha-link probe”
Symptoms:
Pair of NSRP devices is flapping when preempt is set on both the master and backup and they both have the same priority.
Solution:
  • Preempt should only be set on one device in the NSRP cluster, usually the device that you typically want to be the Master.   For more information, refer to KB11373 - How to configure preempt and priority NSRP options. How to force one firewall to be the preferred master.

  • For example:
    On the device you want to be the master, i.e. let's say FW1, set the following commands. With these commands, if FW1 fails, FW2 will take over as the new master.  Then when FW1 recovers, FW1 will take back over control of the cluster:
    FW1> set nsrp vsd-group id 0 preempt
    FW1> set nsrp vsd-group id 0 priority 50. (The priority of the preferred backup should be a higher value, as the lower priority takes precedence.)
  • If you want one device of the cluster to remain up in the event that they both cluster members go to the Inoperable state, set the master-always-exist command.   When you enter this command on the master, it will be automatically sync'd over to the backup firewall.
  • FW1> set nsrp vsd-group master-always-exist
    This command is beneficial if both cluster members are in the Inoperable state because the switch connected to one set of interfaces is down, let's say the DMZ interfaces.  Then traffic between other interface zone can still flow.  However, in the event that the HA links also fail, the devices could become split brain because they cannot see each other.   For more information, refer to KB11292 - How to configure NSRP options: secondary path, hb-interval, auth password, encrypt password, master-always-exist, link-up-on-backup.

    If you want one device of the cluster to remain up in the event that they both cluster members go to the Inoperable state, set the master-always-exist command.   When you enter this command on the master, it will be automatically sync'd over to the backup firewall.

  • For additional configuration and troubleshooting, refer to the NSRP Resolution Guides.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search