The intention of the test is to failover the master from Firewall-A to Firewall-B and confirm traffic passes, but the failover is not working.

Perform the steps in the solution to identify the cause.

While testing the failover conditions in KB9810 - How do I test an Active/Passive NSRP device failover, the failover is not working. 

Use the steps below to troubleshoot why the device is not failing over.  To view the flowchart for these steps, refer to KB9814 Flowchart.

Note: In this article, Firewall-A refers to the device that is initially configured as the Master device. Firewall-B is the device that is initially configured to be the Backup device.

1. Looking at the prompt of Firewall-A, what is the State of Firewall-A?  For assistance, consult KB11377 - How do I check the state of the NSRP device.

   • [ M ] - Continue with Step 2
   • [ I ] or [ B ]  - Jump to Step 6
   • Bouncing between states - Go to KB11388 - NSRP Pair is constantly failing over.

2. Looking at the prompt of Firewall-B, what is the State of Firewall-B? 

   • [ M ] - Firewalls may be in NSRP Split-brain condition.  Consult: KB11450 - What is NSRP Split-brain.
   • [ I ]   - Firewall-B is in the Inoperable state.  Continue with Step 3.
   • [ B ] - Firewall-B may be unavailable for failover support (i.e. ineligible).  Consult KB11477 to correct the Ineligible state.
     or   Firewall-B may have become master and then became backup again because of preempt setting.  Confirm by reviewing 'get event' log and KB11373 - How to configure Preempt setting.

3. Firewall-B is in [ I ] state. What NSRP monitored object triggered Firewall-B to the Inoperable state?  For more information on how to tell, refer to KB11338.

   • Interface - Consult KB11327 - How do I correct firewall Inoperable state, due to NSRP monitor interface
   • Zone - Consult KB11331 - How do I correct firewall Inoperable state, due to NSRP monitor zone
   • Track-IP - continue with Step 4

4. Does Firewall-B have a 'manage IP' address configured on the interfaces used to contact the Track-IP hosts?  To check the "manage ip" address, issue the command 'get int <int_name>' on Firewall-B.

   Note: The Backup firewall "Manage IP" address should be different than the Master firewall "Manage IP" address.

   • Yes -  Continue with Step 5
   • No   - Configure the 'manage IP' address.  For assistance, consult: KB4059 - Configuring a manage-IP address.

5. On Firewall-B, consult:  KB11451 - Firewall running NSRP is in the (I) Inoperable state. Check settings and fix condition.

   If you need further assistance, Jump to Step 7

6. Continuation from Step 1 (Firewall-A is [I] or [B]).  What is the State of Firewall-B?

   • [ B ] - Firewall-B may be unavailable for failover support (i.e. ineligible).  Consult KB11477 to correct the Ineligible state.
   • [ M ] - It appears that the device has correctly failed over.   Firewall-B is now Master.
   • [ I ] - Firewall-B is in the Inoperable state. Consider adding 'set nsrp vsd-group master-always-exist' to avoid condition where both firewalls are in the Inoperable state.  Then Go to Step 3 to fix the Inoperable state.

7. For additional assistance, collect the information listed in KB11175 - What information do I need to collect before opening an NSRP case?  Once the data has been collected, open a case by either calling in to Juniper Networks Technical Assistance Center at 888-314-JTAC (5822) , 408-745-9500 for domestic or international, OR login to the Case Management tool via the Juniper support site at: Case Management and click on the "Create a Case" link.

2020-09-11: Minor, non-technical edits.