
Only one node of NSRP Active/Active cluster is receiving routes via OSPF


Article ID: KB15026 KB Last Updated: 23 Jun 2010 Version: 2.0
Summary:
Only one node of NSRP Active/Active cluster is receiving routes from the same OSPF neighbor.
Symptoms:

Problem Description:

NSRP Active/Active cluster with 2 nodes: FW_1 and FW_2.
Only FW_2 is learning a route from the OSPF neighbor, which is located in the same subnet as both NSRP nodes.

Configuration of FW_1:
Primary of VSD group 1
IP address on ethernet0/0:1 - 192.168.100.10/24
OSPF area 0.0.0.0
Configuration of FW_2:
Primary of VSD group 2
IP address on ethernet0/0:2 - 192.168.100.20/24
OSPF area 0.0.0.0
Configuration of Router_X: 192.168.100.50/24, OSPF area 0.0.0.0

FW_1 output of command "get route protocol ospf" shows:
FW1(M)-> get route protocol ospf
 IPv4 Dest-Routes for <untrust-vr> (0 entries)
 --------------------------------------------------------------------------------------

 H: Host C: Connected S: Static A: Auto-Exported
  I: Imported R: RIP P: Permanent D: Auto-Discovered

 N: NHRP
 iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
 E2: OSPF external type 2 trailing B: backup route
 
 IPv4 Dest-Routes for <trust-vr> (174 entries)
 --------------------------------------------------------------------------------------
 ID IP-Prefix Interface Gateway P Pref Mtr Vsys
 --------------------------------------------------------------------------------------
Total number of ospf routes: 0

FW_2 output of command "get route protocol ospf" shows:
FW2(M)-> get route protocol ospf

IPv4 Dest-Routes for <untrust-vr> (0 entries)
--------------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2 trailing B: backup route

IPv4 Dest-Routes for <trust-vr> (175 entries)
--------------------------------------------------------------------------------------
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------------------------------------------
1839 0.0.0.0/0 eth0/0:1 192.168.100.50 O 60 101 Root

Total number of ospf routes: 1

Only FW_2 is able to learn this default route via OSPF, and FW_1 will lose connectivity. Both firewalls have FULL adjacency with Router_X from the correct VSI.
Solution:
Check the OSPF neighbors on "Router_X". Most likely, the output will be similar to this:
--- JUNOS 9.3R3.8 built 2009-05-12 22:35:00 UTC
Router_X> show ospf neighbor
Address                Interface       State       ID                       Pri       Dead
192.168.100.10     ae0.95        Full       172.16.171.5     1          31
192.168.100.20     ae0.95        Full       172.16.171.5     1          34

Router_X has both NSRP nodes (the one from VSD group 1 with IP 192.168.100.10, and the one from VSD group 2 with IP 192.168.100.20) in FULL adjacency state, but with the same router-id. This happens because both nodes in an NSRP A/A cluster share their configuration and perform config sync (if config sync is enabled, which is common). As a result, all IP addresses on all interfaces are configured with the same values on both NSRP nodes of the cluster.
By default, OSPF chooses the highest IP address from an active physical interface, at the moment OSPF is enabled, to use as the router-id. This can lead to problems, because the router-id MUST be unique for every device in the network that is actively performing OSPF routing.

To resolve this problem, change the router-id on one or both nodes so that it is unique for each device, as both NSRP A/A nodes are actively using OSPF. This differentiates the two nodes of the NSRP cluster. After this change, Router_X will update both NSRP nodes with the correct routes.

!!! Important !!! To change the router-id, all routing processes that are currently running on the NSRP cluster must be stopped. BGP, OSPF and PIM use the router-id for their fundamental function.
> unset vrouter <vr> protocol ospf enable  
> unset vrouter <vr> protocol bgp enable
> unset vrouter <vr> protocol pim enable

Then, change the router-id to a unique value:
> set vrouter <vr> router-id 172.16.0.1
* The router-id configuration command is not included in the NSRP Config Sync process.


Then restart OSPF (and the other protocols, such as BGP):
> set vrouter <vr> protocol ospf enable
> set vrouter <vr> protocol bgp enable
> set vrouter <vr> protocol pim enable


Now, Router_X should have the following neighbors:
--- JUNOS 9.3R3.8 built 2009-05-12 22:35:00 UTC
Router_X> show ospf neighbor
Address               Interface      State         ID                   Pri      Dead
192.168.100.10    ae0.95        Full    172.16.0.1           1         31
192.168.100.20    ae0.95        Full    172.16.171.5      1         34
And both nodes of the NSRP cluster will learn about 0.0.0.0/0 via OSPF from the active VSI.
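
The neighbor check from the Solution can be scripted. The following Python is an added example, not part of the original article or any Juniper tooling: it parses the two "show ospf neighbor" outputs quoted above (embedded as sample text) and reports any router-id that is advertised by more than one neighbor address. The function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample text copied from the two "show ospf neighbor" outputs in this article.
BEFORE = """\
Address                Interface       State       ID                       Pri       Dead
192.168.100.10     ae0.95        Full       172.16.171.5     1          31
192.168.100.20     ae0.95        Full       172.16.171.5     1          34
"""
AFTER = """\
Address               Interface      State         ID                   Pri      Dead
192.168.100.10    ae0.95        Full    172.16.0.1           1         31
192.168.100.20    ae0.95        Full    172.16.171.5      1         34
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Columns: Address, Interface, State, ID (router-id), Pri, Dead.
ROW = re.compile(rf"^\s*({IPV4})\s+(\S+)\s+(\S+)\s+({IPV4})\s+\d+\s+\d+\s*$")


def parse_neighbors(text):
    """Return (address, interface, state, router_id) tuples; skip header and banner lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(m.groups())
    return rows


def duplicate_router_ids(text):
    """Map router-id -> sorted neighbor addresses when more than one address shares it."""
    by_id = defaultdict(set)
    for address, _iface, _state, router_id in parse_neighbors(text):
        by_id[router_id].add(address)
    return {rid: sorted(addrs) for rid, addrs in by_id.items() if len(addrs) > 1}


if __name__ == "__main__":
    for label, output in (("before", BEFORE), ("after", AFTER)):
        dups = duplicate_router_ids(output)
        if dups:
            for rid, addrs in dups.items():
                print(f"{label}: router-id {rid} shared by {', '.join(addrs)}")
        else:
            print(f"{label}: all router-ids unique")
```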
