

[ScreenOS] Unique cluster IDs required on Juniper firewalls configured with NSRP in A/P mode

  [KB5837]


MAC Addresses are duplicated on Juniper firewalls configured with NSRP.



  • High Availability - NSRP
  • Multiple NSRP pairs on same layer 2 segment
  • ScreenOS 6.0 and below

Symptoms and Errors:

  • Duplicate MAC addresses on Juniper firewalls
  • Traffic stops passing through the firewalls after another pair of firewalls is added to the same segment


The duplicate MAC addresses are due to configuring multiple NSRP firewall pairs (on the same Layer 2 segment) with the same NSRP Cluster ID (7 or fewer pairs of firewalls) or the same NSRP Cluster ID/VSD-Group ID combination (more than 7 pairs of firewalls).

As a rule, each NSRP cluster pair on the same layer 2 segment must have its own unique NSRP Cluster ID. If multiple NSRP clusters on the same layer 2 segment are configured with the same NSRP Cluster ID (set nsrp cluster id <value>), each device will derive the same Virtual MAC address, and the devices will conflict with each other.


If you have 7 or fewer pairs of firewalls on the same Layer 2 segment, the solution is to ensure that each pair has a unique Cluster ID.

For example, suppose there are two pairs of firewalls connected to the same layer 2 segment: FW1 and FW2 are one pair, and FW3 and FW4 are another pair. FW1 and FW2 may be assigned the NSRP cluster ID of 1. FW3 and FW4 may be assigned the NSRP cluster ID of 2; they should not be assigned a cluster ID of 1 because the other pair is already using cluster ID 1.

If you have more than 7 pairs of firewalls, make sure the Cluster ID and VSD-Group ID combinations are unique, or upgrade to ScreenOS 6.1.
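The check below is an added example (not part of this article or of ScreenOS) that applies the rule above to the NSRP lines from each pair's configuration dump. It assumes the command "set nsrp vsd-group id <value>" for additional VSD groups and a default VSD group of 0 when none is configured; the sample configs are constructed for illustration.

```python
import re
from collections import defaultdict

# "set nsrp cluster id" is the command quoted in the article; the vsd-group
# line is an assumed ScreenOS command, not taken from the article.
CLUSTER_RE = re.compile(r"^set nsrp cluster id (\d+)", re.M)
VSD_RE = re.compile(r"^set nsrp vsd-group id (\d+)", re.M)


def parse_nsrp(config_text):
    """Return (cluster_id, sorted VSD-group ids) from one config dump.

    No cluster line means the box is not an NSRP member. No vsd-group line is
    treated as the default VSD group 0 (assumption about ScreenOS defaults).
    """
    m = CLUSTER_RE.search(config_text)
    cluster = int(m.group(1)) if m else None
    vsds = sorted({int(v) for v in VSD_RE.findall(config_text)}) or [0]
    return cluster, vsds


def find_vmac_conflicts(pair_configs):
    """Flag NSRP pairs on ONE layer-2 segment that would share a virtual MAC.

    pair_configs maps a pair label to the config text of one of its members.
    KB rule: 7 or fewer pairs -> Cluster ID alone must be unique; more than
    7 pairs -> the (Cluster ID, VSD-Group ID) combination must be unique.
    Returns {key: [labels sharing that key]} for every collision found.
    """
    use_vsd = len(pair_configs) > 7
    owners = defaultdict(list)
    for label, text in pair_configs.items():
        cluster, vsds = parse_nsrp(text)
        if cluster is None:
            continue  # standalone firewall, no NSRP virtual MAC
        keys = [(cluster, v) for v in vsds] if use_vsd else [(cluster,)]
        for key in keys:
            owners[key].append(label)
    return {k: v for k, v in owners.items() if len(v) > 1}


# Constructed sample: three pairs on one segment, two of them mistakenly
# configured with cluster id 1 (the situation the article describes).
SAMPLE_PAIRS = {
    "FW1-FW2": "set nsrp cluster id 1\nset nsrp vsd-group id 0\n",
    "FW3-FW4": "set nsrp cluster id 2\n",
    "FW5-FW6": "set nsrp cluster id 1\n",
}

if __name__ == "__main__":
    for key, pairs in find_vmac_conflicts(SAMPLE_PAIRS).items():
        print(f"duplicate virtual MAC risk for {key}: {', '.join(pairs)}")
```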

Below are articles related to how the virtual MAC address is created:

KB7435 - How is the virtual MAC address for a pair of Active/Passive firewalls derived?
KB11150 - Virtual MAC (VMAC) address for HA pair when using nsrp-max-cluster and nsrp-max-vsd variables