Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] What is the secondary path option used for in an NSRP environment?

0

0

Article ID: KB4334 KB Last Updated: 16 Sep 2020Version: 5.0
Summary:

This article answers the question "What is the secondary path option used for in an NSRP environment?"

 

Solution:

Note: This article applies to ScreenOS 4.0 and later.

A secondary path is a backup path for heartbeats between two devices in an NSRP pair. If the primary and secondary High Availability (HA) link goes down, each device in the cluster will go 'split brain'. This means each device will assume it is the master device, and two devices with identical IP addresses, and different MAC addresses will propagate across the network. This situation can cause severe network problems.

Image of example

To prevent 'split brain' from occurring, a secondary path is used. With a secondary path enabled, when the HA link is severed, heartbeat packets will traverse across the secondary path, and the current NSRP state that each device is in will be maintained. For example, assume Device A is initially the primary device, and Device B is initially the backup device. When the HA link between the two devices goes down, a secondary path will ensure that Device A stays as the primary device, and Device B stays as the backup device. This gives the administrator time to fix the problems with the HA link.

To enable a secondary path, perform the following steps:

Open the WebUI. For more information about accessing the WebUI, go to KB4317 - [ScreenOS] Accessing your Juniper firewall device using the WebUI.

From the NetScreen options menu, click Network, select NSRP, and then click to select Link.

From the Secondary Link drop-down menu, click to select the interface to use for a secondary path, and then click Apply.

Note: When the NSRP links fail, and the secondary path is used to keep the current NSRP state, no RTO synchronization (sessions, policies, and so on) is done. RTO synchronization will continue when the NSRP links are restored.

 

Modification History:

2020-09-16: Removed old WebUI snapshots and replaced with new ones; article checked for accuracy and found relevant

 

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search