The intention of the test is to fail over the primary from Firewall-A to Firewall-B and confirm that traffic passes, but the failover is not working.
Perform the steps in the solution to identify the cause.
Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE). Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.
While testing the failover conditions in KB9810 - How do I test an Active/Passive NSRP device failover, the failover is not working.
Note: In this article, Firewall-A refers to the device that is initially configured as the primary device. Firewall-B is the device that is initially configured as the backup device.
1. Looking at the prompt of Firewall-A, what is the State of Firewall-A? For assistance, consult KB11377 - How do I check the state of the NSRP device.
2. Looking at the prompt of Firewall-B, what is the State of Firewall-B?
   - [ M ] - Firewalls may be in NSRP Split-brain condition. Consult: KB11450 - What is NSRP Split-brain.
   - [ I ] - Firewall-B is in the Inoperable state. Continue with Step 3.
   - [ B ] - Firewall-B may be unavailable for failover support (i.e. ineligible). Consult KB11477 to correct the Ineligible state. Alternatively, Firewall-B may have become the primary and then become the backup again because of the preempt setting. Confirm by reviewing the 'get event' log and KB11373 - How to configure Preempt setting.
3. Firewall-B is in [ I ] state. What NSRP monitored object triggered Firewall-B to the Inoperable state? For more information on how to tell, refer to KB11338.
4. Does Firewall-B have a 'manage IP' address configured on the interfaces used to contact the Track-IP hosts? To check the 'manage IP' address, issue the command 'get int <int_name>' on Firewall-B.
   Note: The backup firewall 'manage IP' address should be different from the primary firewall 'manage IP' address.
5. On Firewall-B, consult: KB11451 - Firewall running NSRP is in the (I) Inoperable state. Check settings and fix condition. If you need further assistance, jump to Step 7.
6. Continuation from Step 1 (Firewall-A is [ I ] or [ B ]). What is the State of Firewall-B?
   - [ B ] - Firewall-B may be unavailable for failover support (i.e. ineligible). Consult KB11477 to correct the Ineligible state.
   - [ M ] - It appears that the device has correctly failed over. Firewall-B is now the primary.
   - [ I ] - Firewall-B is in the Inoperable state. Consider adding 'set nsrp vsd-group master-always-exist' to avoid the condition where both firewalls are in the Inoperable state. Then go to Step 3 to fix the Inoperable state.
7. For additional assistance, collect the information listed in KB11175 - What information do I need to collect before opening an NSRP case? Once the data has been collected, open a case (for assistance see: Contact Support).
2021-03-24: Updated the article terminology to align with Juniper's Inclusion & Diversity initiatives
2020-09-11: Minor, non-technical edits.