Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] Can't get firewall out of the 'Ineligible' mode

0

0

Article ID: KB14976 KB Last Updated: 24 Jul 2020Version: 3.0
Summary:
What is the difference between the "exec nsrp vsd-group 0 mode ineligible" command versus the "set nsrp vsd-group id 0 mode ineligible" command to failover an Active/Active NSRP cluster from the command line?
Symptoms:
Customer used the "set nsrp vsd-group id 0 mode ineligible" command on the master device in an Active/Active NSRP cluster, and it forced a failover; this is as-expected.   However, when the customer was ready to bring the ineligible firewall back online, the "exec nsrp vsd-group 0 mode master" command did not work to return it to master. 


 
Solution:
Note:   There are two ways to put a firewall into ineligible mode:
set nsrp vsd-group id <id> mode ineligible
or
exec nsrp vsd-group <id> mode ineligible

The difference being that the first command (using set) specifies that the local device is not intended for failover, even after system restart because the command can be saved in the configuration.  (This may be necessary for administrative reasons.)

If the firewall was put into the ineligible mode using the 'set nsrp vsd-group id <id> mode ineligible' command, then use the "unset nsrp vsd-group id <id> mode" command to make the firewall eligible again.  Depending on the NSRP priority and exempt settings, it can become master again.

If the firewall was put into the ineligible mode using the "exec nsrp vsd-group 0 mode ineligible" command, either the "exec nsrp vsd-group 0 mode master" command or the "unset nsrp vsd-group id 0 mode" command to restore the device to master mode.



For additional information: KB11477 - What is the Ineligible state on a firewall running NSRP? Is it the same as the Inoperable state?
Modification History:
2020-07-24: Fixed broken link.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search