Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Both NSRP units in the same cluster become the Master

0

0

Article ID: KB5844 KB Last Updated: 12 Aug 2010Version: 3.0
Summary:
Both NSRP units in the same cluster become the Master
Symptoms:
Setup 2 NetScreens units' in High Availability using NSRP 2.0 and ScreenOS 4.0. On the NetScreen 500, interface ' HA1 and interface HA2 are correctly connected to each other and the cables are not crossed. One unit is completely configured with the NSRP cluster ID and RTO mirror ID. Both units are configured with the same NSRP cluster ID If you issue a 'get nsrp' on both units it looks like NSRP is working correctly because both units are acknowledged as being found. New added unit becomes Backup and then Master, but the original Master stays Master as well.
Solution:

If the original master device is configured with NSRP encryption and authentication, the newly added unit must also have NSRP encryption and authentication enabled, with the same password as the original master device.

Set the Authentication and Encryption password on the new Backup before you set the NSRP Cluster ID.

set nsrp encrypt password xxxxxx [Enter]
set nsrp auth password xxxxxx [Enter]

The reason why the Backup also becomes Master is it cannot authenticate with the actual master for that Cluster. Because of this it assumes it is the only NSRP unit in the cluster and promotes itself to the role of Master.

Here is the problem or goal:

  • If you issue a 'get nsrp' on both units it looks like NSRP is working correctly because both units are acknowledged as being found.
  • New added unit becomes Backup and then Master, but the original Master stays Master as well.
  • Both Units of NSRP Cluster become Master

Problem Environment:

  • Setup 2 NetScreens units in High Availability using NSRP 2.0 and ScreenOS 4.0.
  • On the NetScreen 500, interface  HA1 and interface HA2 are correctly connected to each other and the cables are not crossed.
  • One unit is completely configured with the NSRP cluster ID and RTO mirror ID.
  • Both units are configured with the same NSRP cluster ID

Causes of this problem:

  • The original Master NetScreen is configured with a NSRP Authentication and Encryption password.

Applicable Products:

  • NetScreen-50
  • NetScreen-100
  • NetScreen-204
  • NetScreen-208
  • NetScreen- 500
  • NetScreen-1000
  • NetScreen-5200

Applicable ScreenOS:

  • 2.8.0
  • 2.8.1
  • 4.0.0


Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search