
[ScreenOS] Troubleshooting an NSRP Active/Passive device that is not failing over


Article ID: KB9814
KB Last Updated: 13 Sep 2020
Version: 9.0

Summary:

The intention of the test is to fail over the master role from Firewall-A to Firewall-B and confirm that traffic passes, but the failover is not working.

Perform the steps in the solution to identify the cause.

Symptoms:

While testing the failover conditions in KB9810 - How do I test an Active/Passive NSRP device failover, the failover is not working. 

Solution:

Use the steps below to troubleshoot why the device is not failing over.  To view the flowchart for these steps, refer to KB9814 Flowchart.

Note: In this article, Firewall-A refers to the device that is initially configured as the Master device. Firewall-B is the device that is initially configured to be the Backup device.

  1. Looking at the prompt of Firewall-A, what is the State of Firewall-A?  For assistance, consult KB11377 - How do I check the state of the NSRP device.

  2. Looking at the prompt of Firewall-B, what is the State of Firewall-B? 

    • [ M ] - Firewalls may be in NSRP Split-brain condition.  Consult: KB11450 - What is NSRP Split-brain.
    • [ I ] - Firewall-B is in the Inoperable state.  Continue with Step 3.
    • [ B ] - Firewall-B may be unavailable for failover support (i.e. ineligible).  Consult KB11477 to correct the Ineligible state.
      Or, Firewall-B may have become master and then become backup again because of the preempt setting.  Confirm by reviewing the 'get event' log and KB11373 - How to configure Preempt setting.

  3. Firewall-B is in [ I ] state. What NSRP monitored object triggered Firewall-B to the Inoperable state?  For more information on how to tell, refer to KB11338.

  4. Does Firewall-B have a 'manage IP' address configured on the interfaces used to contact the Track-IP hosts?  To check the "manage ip" address, issue the command 'get int <int_name>' on Firewall-B.

    Note: The Backup firewall "Manage IP" address should be different than the Master firewall "Manage IP" address.

  5. On Firewall-B, consult:  KB11451 - Firewall running NSRP is in the (I) Inoperable state. Check settings and fix condition.

    If you need further assistance, jump to Step 7.

  6. Continuation from Step 1 (Firewall-A is [I] or [B]).  What is the State of Firewall-B?

    • [ B ] - Firewall-B may be unavailable for failover support (i.e. ineligible).  Consult KB11477 to correct the Ineligible state.
    • [ M ] - It appears that the device has correctly failed over.  Firewall-B is now Master.
    • [ I ] - Firewall-B is in the Inoperable state. Consider adding 'set nsrp vsd-group master-always-exist' to avoid the condition where both firewalls are in the Inoperable state.  Then go to Step 3 to fix the Inoperable state.

  7. For additional assistance, collect the information listed in KB11175 - What information do I need to collect before opening an NSRP case?  Once the data has been collected, open a case either by calling the Juniper Networks Technical Assistance Center at 888-314-JTAC (5822) or 408-745-9500 (domestic or international), or by logging in to the Case Management tool on the Juniper support site and clicking the "Create a Case" link.

Modification History:
2020-09-11: Minor, non-technical edits.
