Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] NSRP cluster members do not see each other in NSRP (split brain/Envar related)

0

0

Article ID: KB25695 KB Last Updated: 04 Jan 2013Version: 2.0
Summary:
This article describes the issue of NSRP cluster members being unable to see each other in NSRP (split brain/ Envar related issue).
Symptoms:
The following parameters have been checked and the cluster still exhibits a split brain scenario:

  • The same interface is in the HA zone (on both devices in the cluster).

  • The HA interface is up.

  • The output of get nsrp displays the following information:
    nsrp link info:
    ha control link not available
    ha data link not available
    ha secondary path link not available
Cause:
The configuration, hardware, firmware, and license were the same. The difference was the NSRP related envar commands:
A-> get envar
default_image=screenos_image
run_image=default (screenos_image)
loader_version=1.0.2
last_reset=2011-09-07 02:07:33 by netscreen
sme=
IPV6=no
swrs=on
max-session=700000
patch=init
nsrp-max-vsd=8
ipsec-dscp-mark=yes
nsrp-max-cluster=64


B-> get envar
default_image=screenos_image
run_image=default (screenos_image)
loader_version=1.0.2
last_reset=2011-09-06 22:42:13 by netscreen1
sme=
ipv6-=yes
swrs=on
max-session=700000
patch=init
nsrp-max-vsd=7
ipsec-dscp-mark=yes
nsrp-max-cluster=60
The nsrp-max-cluster and nsrp-max-vsd variables can take values between 0 and 64 and its product should not exceed 512.
Solution:
To resolve the issue, modify the NSRP related envar settings (nsrp-max-vsd and nsrp-max-cluster) and then match the output to be the same on both of the devices.

The following criteria must be met on both of the cluster members:

  • The NSRP related envar commands on both devices should match. If the envar commands do not match, the HA link will not be detected on both of the devices in the cluster.

  • When the envar commands are matched, reset the devices.

  • The devices should then come up, be able to see each other as peers, and be in sync (if the configuration, hardware, ScreenOS versions, and licenses are the same).
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search