[ScreenOS] Managing the backup device in an NSRP Active/Passive cluster in Transparent mode



Article ID: KB6264, KB Last Updated: 04 Jan 2021, Version: 8.0

Managing the secondary device in an Active/Passive pair operating in Transparent mode.

  • Active/Passive NSRP configuration
  • Firewalls in Transparent mode
  • Manage the Passive device in NSRP
  • Manage the backup device in Transparent mode

Symptoms & Errors:
  • Cannot manage the passive device
  • No problem with managing the primary firewall

When operating in Transparent mode, the backup in an Active/Passive pair can only be managed from one Layer 2 zone at a time.  By default, this zone is V1-Trust.

If management is needed from V1-Untrust, V1-DMZ, or a custom Layer 2 zone, use the command:

set interface vlan1 nsrp manage zone <zone name>

Note: This command must be enabled on both devices in the NSRP cluster.

The current management zone can be checked with the 'get interface vlan1' command:

204(B)-> get interface vlan1
Interface vlan1:
  number 15, if_info 6000, if_index 0, VLAN tag 1, mode nat
  link inactive, phy-link up/full-duplex
  vsys Root, zone MGT, vr trust-vr
  ip   mac 0010.dbff.20f0
  manage ip, mac 0010.db27.68cf
  ping enabled, telnet enabled, SCS enabled, SNMP enabled
  web disabled, SSL enabled
  webauth disabled, webauth-ip
  OSPF disabled BGP disabled
  DHCP-elay disabled
  bandwidth: physical 100000kbps, configured 0kbps, current 0kbps
             total configured gbw 0kbps, total allocated gbw 0kbps
  unknown mac address resolve method: FLOOD
  vlan trunk: Off
  bypass others IPSEC: Off
  In backup mode, only traffic from V1-TRUST can manage the box

Note: Ensure the manage-ip addresses are different for both the primary and backup firewalls.  For more information on configuring a manage IP address, refer to KB4059 - [ScreenOS] Configuring a Manage IP Address on Juniper firewall.

For more info on interface VLAN1, see KB4862 - What is the function of the vlan1 interface.
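
One way to verify both requirements above (the same backup-mode management zone on both devices, and distinct manage-ip addresses) from saved 'get interface vlan1' output; this is an added example, not Juniper's code. It assumes a configured manage IP is printed between "manage ip" and the comma and that both cluster members print the "In backup mode" line; the sample addresses and outputs are constructed.

```python
import re

# Constructed, abbreviated 'get interface vlan1' output from two cluster
# members. The 192.0.2.x addresses are made-up documentation addresses.
PRIMARY = """\
Interface vlan1:
  vsys Root, zone MGT, vr trust-vr
  manage ip 192.0.2.11, mac 0010.dbff.20f0
  In backup mode, only traffic from V1-UNTRUST can manage the box
"""
BACKUP = """\
Interface vlan1:
  vsys Root, zone MGT, vr trust-vr
  manage ip 192.0.2.12, mac 0010.db27.68cf
  In backup mode, only traffic from V1-TRUST can manage the box
"""

ZONE_RE = re.compile(r"In backup mode, only traffic from (\S+) can manage the box", re.I)
# Assumption: an unset manage IP prints as "manage ip, mac ..." (as on this page).
MANAGE_IP_RE = re.compile(r"^\s*manage ip\s*([0-9.]*)\s*,", re.M)

def parse_vlan1(output):
    """Extract the backup-mode management zone and manage IP from the output."""
    zone = ZONE_RE.search(output)
    mip = MANAGE_IP_RE.search(output)
    return {
        "zone": zone.group(1).upper() if zone else None,
        "manage_ip": (mip.group(1) or None) if mip else None,
    }

def audit_pair(primary_out, backup_out, wanted_zone):
    """Return a list of findings; an empty list means the pair is consistent."""
    p, b = parse_vlan1(primary_out), parse_vlan1(backup_out)
    findings = []
    for name, dev in (("primary", p), ("backup", b)):
        if dev["zone"] is None:
            findings.append(f"{name}: backup-mode management zone line not found")
        elif dev["zone"] != wanted_zone.upper():
            findings.append(f"{name}: manage zone is {dev['zone']}, expected {wanted_zone.upper()}")
        if dev["manage_ip"] is None:
            findings.append(f"{name}: no manage-ip configured")
    if p["manage_ip"] and p["manage_ip"] == b["manage_ip"]:
        findings.append("manage-ip is identical on both devices")
    return findings

if __name__ == "__main__":
    for line in audit_pair(PRIMARY, BACKUP, "V1-Untrust") or ["OK"]:
        print(line)
```

With the constructed samples, the audit reports that the backup still uses V1-TRUST, which is the case where the zone command was applied on only one device.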


Modification History:
2021-01-04: Minor non-technical changes were made. Article reviewed for accuracy. Article is correct and complete.