The intention of the test is to failover the primary from Firewall-A to Firewall-B and confirm traffic passes, but the failover is not working.

Perform the steps in the solution to identify the cause.

---

Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE). 
Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.

While testing the failover conditions in KB9810 - How do I test an Active/Passive NSRP device failover, the failover is not working. 

Note: In this article, Firewall-A refers to the device that is initially configured as the primary device. Firewall-B is the device that is initially configured to be the Backup device.

1. Looking at the prompt of Firewall-A, what is the State of Firewall-A?  For assistance, consult KB11377 - How do I check the state of the NSRP device.

   • [ M ] - Continue with Step 2
   • [ I ] or [ B ]  - Jump to Step 6
   • Bouncing between states - Go to KB11388 - NSRP Pair is constantly failing over.

2. Looking at the prompt of Firewall-B, what is the State of Firewall-B? 

   • [ M ] - Firewalls may be in NSRP Split-brain condition.  Consult: KB11450 - What is NSRP Split-brain.
   • [ I ]   - Firewall-B is in the Inoperable state.  Continue with Step 3.
   • [ B ] - Firewall-B may be unavailable for failover support (i.e. ineligible).  Consult KB11477 to correct the Ineligible state.
     or   Firewall-B may have become the primary and then became backup again because of preempt setting.  Confirm by reviewing 'get event' log and KB11373 - How to configure Preempt setting.

3. Firewall-B is in [ I ] state. What NSRP monitored object triggered Firewall-B to the Inoperable state?  For more information on how to tell, refer to KB11338.

   • Interface - Consult KB11327 - How do I correct firewall Inoperable state, due to NSRP monitor interface
   • Zone - Consult KB11331 - How do I correct firewall Inoperable state, due to NSRP monitor zone
   • Track-IP - continue with Step 4

4. Does Firewall-B have a 'manage IP' address configured on the interfaces used to contact the Track-IP hosts?  To check the "manage ip" address, issue the command 'get int <int_name>' on Firewall-B.

   Note: The Backup firewall "Manage IP" address should be different than the primary firewall "Manage IP" address.

   • Yes -  Continue with Step 5
   • No   - Configure the 'manage IP' address.  For assistance, consult: KB4059 - Configuring a manage-IP address.

5. On Firewall-B, consult:  KB11451 - Firewall running NSRP is in the (I) Inoperable state. Check settings and fix condition.

   If you need further assistance, Jump to Step 7

6. Continuation from Step 1 (Firewall-A is [I] or [B]).  What is the State of Firewall-B?

   • [ B ] - Firewall-B may be unavailable for failover support (i.e. ineligible).  Consult KB11477 to correct the Ineligible state.
   • [ M ] - It appears that the device has correctly failed over.   Firewall-B is now the primary.
   • [ I ] - Firewall-B is in the Inoperable state. Consider adding 'set nsrp vsd-group master-always-exist' to avoid condition where both firewalls are in the Inoperable state.  Then Go to Step 3 to fix the Inoperable state.

7. For additional assistance, collect the information listed in KB11175 - What information do I need to collect before opening an NSRP case?  Once the data has been collected, open a case (for assistance see: Contact Support)

2021-03-24: Updated the article terminology to align with Juniper's Inclusion & Diversity initiatives
2020-09-11: Minor, non-technical edits.