
[ScreenOS] Unique cluster IDs required on Juniper firewalls configured with NSRP in A/P mode


Article ID: KB5837
KB Last Updated: 17 Feb 2015
Version: 8.0
Summary:

MAC Addresses are duplicated on Juniper firewalls configured with NSRP.

Symptoms:

Environment:

  • High Availability - NSRP
  • Multiple NSRP pairs on same layer 2 segment
  • ScreenOS 6.0 and below

Symptoms and Errors:

  • Duplicate MAC addresses on Juniper firewalls
  • Traffic stops passing through the firewalls after another pair of firewalls is added to the same segment

Cause:

The duplicate MAC addresses are due to configuring multiple NSRP firewall pairs (on the same Layer 2 segment) with the same NSRP Cluster ID (7 or fewer pairs of firewalls) or the same NSRP Cluster ID/VSD-Group ID combination (more than 7 pairs of firewalls).

As a rule, each NSRP cluster pair on the same layer 2 segment must have its own unique NSRP Cluster ID. If multiple NSRP clusters on the same layer 2 segment are configured with the same NSRP Cluster ID (set nsrp cluster id <value>), each device derives the same Virtual MAC, and the clusters conflict with each other.

Solution:

If you have 7 or fewer pairs of firewalls on the same Layer 2 segment, the solution is to ensure that each pair has a unique Cluster ID.

For example, let's say there are two pairs of firewalls connected to the same layer 2 segment: FW1 and FW2 is one pair, and FW3 and FW4 is another pair. FW1 and FW2 may be assigned the NSRP cluster ID of 1. FW3 and FW4 may be assigned the NSRP cluster ID of 2; they should not be assigned a cluster ID of 1 because the other pair is already using cluster ID 1.

If you have more than 7 pairs of firewalls, make sure the Cluster ID and VSD-Group ID combinations are unique, or upgrade to ScreenOS 6.1.
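The uniqueness rule above, turned into a pre-change audit of the NSRP pairs that share one Layer 2 segment. This is an added example, not Juniper's code; the inventory is constructed, and the function only applies the rule this article states (unique Cluster ID for 7 or fewer pairs, unique Cluster ID/VSD-Group ID combination for more than 7), without deriving the actual virtual MAC.

```python
from collections import defaultdict

# Constructed inventory of NSRP pairs on the same Layer 2 segment.
# cluster_id is the value from "set nsrp cluster id <value>";
# vsd_groups lists the VSD-group IDs the pair runs (group 0 in a plain A/P setup).
SEGMENT_PAIRS = [
    {"pair": "FW1/FW2", "cluster_id": 1, "vsd_groups": [0]},
    {"pair": "FW3/FW4", "cluster_id": 1, "vsd_groups": [0]},  # reuses cluster ID 1
    {"pair": "FW5/FW6", "cluster_id": 2, "vsd_groups": [0]},
]

MAX_UNIQUE_CLUSTER_PAIRS = 7  # beyond this, the Cluster ID/VSD-Group ID combination must be unique


def find_vmac_conflicts(pairs):
    """Return [(key, [pair names])] for pairs whose virtual MACs would collide.

    With 7 or fewer pairs on the segment every Cluster ID must be unique;
    with more than 7 pairs every (Cluster ID, VSD-Group ID) combination must be unique.
    """
    by_key = defaultdict(list)
    if len(pairs) <= MAX_UNIQUE_CLUSTER_PAIRS:
        for p in pairs:
            by_key[("cluster", p["cluster_id"])].append(p["pair"])
    else:
        for p in pairs:
            for vsd in p["vsd_groups"]:
                by_key[("cluster+vsd", p["cluster_id"], vsd)].append(p["pair"])
    # Any key claimed by two or more pairs is a duplicate-MAC condition.
    return [(key, names) for key, names in by_key.items() if len(names) > 1]


if __name__ == "__main__":
    for key, names in find_vmac_conflicts(SEGMENT_PAIRS):
        print(f"conflict on {key}: {', '.join(names)}")
```

Run it against the real inventory before adding a new pair to the segment; an empty result means the new pair's IDs do not duplicate an existing virtual MAC under this rule.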

Below are articles related to how the virtual MAC address is created:

KB7435 - How is the virtual MAC address for a pair of Active/Passive firewalls derived?
KB11150 - Virtual MAC (VMAC) address for HA pair when using nsrp-max-cluster and nsrp-max-vsd variables.
