[EOL/EOE] NSRP Secondary Link is not working on Aggregate interface that is in the Null zone

Article ID: KB15846 KB Last Updated: 29 Mar 2021 Version: 2.0
Summary:
NSRP Secondary Link is not working on Aggregate interface that is in the Null zone.
Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE). 
Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.
Symptoms:
Debugs show that heartbeat packets are being sent out the secondary link, but the peer is not seeing them. The NSRP peers are in a split-brain condition.
Solution:
NSRP Secondary Link is supported on an Aggregate interface, but the interface must be assigned to a zone. If the interface is not in a zone, NSRP peering will fail when the two HA links go down. The output of "debug nsrp all" shows that both sides send the heartbeat messages but neither side receives them. Once the interface is assigned to a zone, the debugs show that both sides start working and can send and receive the heartbeat messages.
 

Example of when it fails:

get int agg1
Interface aggregate1(VSI):
description aggregate1
number 45, if_info 1474200, if_index 0
link inactive, phy-link up/full-duplex/auto
Aggregate port has 2 members: ethernet1/1; ethernet1/2;
vsys Root, zone Null, vr untrust-vr, vsd 0
*ip 0.0.0.0/0 mac 0010.dbff.22d0
pmtu-v4 disabled
ping disabled, telnet disabled, SSH disabled, SNMP disabled
web disabled, ident-reset disabled, SSL disabled

NHRP disabled
aggregate bandwidth: physical 2000Mbps, configured 2000Mbps

get config | i nsrp
set nsrp cluster id 1
set nsrp vsd-group id 0 priority 100
set nsrp secondary-path aggregate1

Debug looks the same on both Primary and Backup units:

debug nsrp all
get db str
## 2009-11-13 23:32:30 : no ha control channel, forcely use secondary path to send vsd hb
## 2009-11-13 23:32:30 : send vsd hb,gid=0,src=12837888,state=master,prio=100,fail=0,flag=0,rtopeer=0
## 2009-11-13 23:32:31 : ha msg drop: null ha_link or ha_link->ha_ifp
## 2009-11-13 23:32:31 : no ha control channel, forcely use secondary path to send vsd hb
## 2009-11-13 23:32:31 : send vsd hb,gid=0,src=12837888,state=master,prio=100,fail=0,flag=0,rtopeer=0
## 2009-11-13 23:32:32 : ha msg drop: null ha_link or ha_link->ha_ifp
## 2009-11-13 23:32:32 : no ha control channel, forcely use secondary path to send vsd hb
## 2009-11-13 23:32:32 : send vsd hb,gid=0,src=12837888,state=master,prio=100,fail=0,flag=0,rtopeer=0
## 2009-11-13 23:32:33 : ha msg drop: null ha_link or ha_link->ha_ifp
When "debug nsrp all" is run, both sides send the heartbeats but do not receive them in either direction.

 

Example of when it works:

set int agg1 zone trust

debug nsrp all

get db str
## 2009-11-13 23:34:14 : no ha control channel, forcely use secondary path to send vsd hb
## 2009-11-13 23:34:14 : send vsd hb,gid=0,src=12837888,state=primary backup,prio=100,fail=0,flag=0,rtopeer=0
## 2009-11-13 23:34:14 : rcv nsrp pak from I/F 45: handle at flow

## 2009-11-13 23:34:14 : recv device based monitoring info, unit: 12847488 weighted sum 0
## 2009-11-13 23:34:14 : recv vsd hb,gid=0,src=12847488,state=master,prio=100,fail=0,flag=0,rtopeer=0
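
The two checks described above (secondary-path interface left in zone Null, and heartbeats sent but never received) can be scripted against saved CLI output. This is an added example, not Juniper code: the function names are hypothetical, the inputs are excerpts of the output shown in this article, and the "zone Trust" interface text is constructed.

```python
import re

# Excerpts copied from the failing case in this article.
CONFIG = ("set nsrp cluster id 1\n"
          "set nsrp vsd-group id 0 priority 100\n"
          "set nsrp secondary-path aggregate1\n")
IFACE_NULL = ("Interface aggregate1(VSI):\n"
              "description aggregate1\n"
              "link inactive, phy-link up/full-duplex/auto\n"
              "vsys Root, zone Null, vr untrust-vr, vsd 0\n")
# Constructed: the same interface after "set int agg1 zone trust".
IFACE_TRUST = IFACE_NULL.replace("zone Null", "zone Trust")
DEBUG_FAIL = """\
## 2009-11-13 23:32:30 : no ha control channel, forcely use secondary path to send vsd hb
## 2009-11-13 23:32:30 : send vsd hb,gid=0,src=12837888,state=master,prio=100,fail=0,flag=0,rtopeer=0
## 2009-11-13 23:32:31 : ha msg drop: null ha_link or ha_link->ha_ifp
## 2009-11-13 23:32:31 : send vsd hb,gid=0,src=12837888,state=master,prio=100,fail=0,flag=0,rtopeer=0
"""
DEBUG_OK = """\
## 2009-11-13 23:34:14 : send vsd hb,gid=0,src=12837888,state=primary backup,prio=100,fail=0,flag=0,rtopeer=0
## 2009-11-13 23:34:14 : rcv nsrp pak from I/F 45: handle at flow
## 2009-11-13 23:34:14 : recv vsd hb,gid=0,src=12847488,state=master,prio=100,fail=0,flag=0,rtopeer=0
"""

def secondary_path_in_null_zone(config_text, interface_text):
    """Return the NSRP secondary-path interface name if it is in zone Null, else None.

    interface_text is the "get int <name>" output for that one interface.
    """
    path = re.search(r"^set nsrp secondary-path (\S+)", config_text, re.M)
    if not path:
        return None
    name = path.group(1)
    zone = re.search(r"^Interface %s\b.*?\bzone (\w+)" % re.escape(name),
                     interface_text, re.M | re.S)
    if zone and zone.group(1).lower() == "null":
        return name
    return None

def heartbeat_summary(debug_text):
    """Count VSD heartbeats sent and received in one unit's "get db str" buffer."""
    sent = len(re.findall(r": send vsd hb,", debug_text))
    received = len(re.findall(r": recv vsd hb,", debug_text))
    dropped = len(re.findall(r": ha msg drop: null ha_link", debug_text))
    return {"sent": sent, "received": received, "dropped": dropped,
            "one_way": sent > 0 and received == 0}

if __name__ == "__main__":
    print(secondary_path_in_null_zone(CONFIG, IFACE_NULL))
    print(heartbeat_summary(DEBUG_FAIL))
```

Run `heartbeat_summary` on the debug buffer of each unit: in the failing case described here, both units report `one_way` as true.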


 
Modification History:
2021-03-24: Updated the article terminology to align with Juniper's Inclusion & Diversity initiatives.