Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[EOL/EOE] [ScreenOS] Troubleshooting an NSRP Active/Passive device that is not failing over



Article ID: KB9814 KB Last Updated: 26 Mar 2021Version: 10.0

The intention of the test is to failover the primary from Firewall-A to Firewall-B and confirm traffic passes, but the failover is not working.

Perform the steps in the solution to identify the cause.

Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE). 
Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.

While testing the failover conditions in KB9810 - How do I test an Active/Passive NSRP device failover, the failover is not working. 


Note: In this article, Firewall-A refers to the device that is initially configured as the primary device. Firewall-B is the device that is initially configured to be the Backup device.

  1. Looking at the prompt of Firewall-A, what is the State of Firewall-A?  For assistance, consult KB11377 - How do I check the state of the NSRP device.

  2. Looking at the prompt of Firewall-B, what is the State of Firewall-B? 

    • [ M ] - Firewalls may be in NSRP Split-brain condition.  Consult: KB11450 - What is NSRP Split-brain.
    • [ I ]   - Firewall-B is in the Inoperable state.  Continue with Step 3.
    • [ B ] - Firewall-B may be unavailable for failover support (i.e. ineligible).  Consult KB11477 to correct the Ineligible state.
      or   Firewall-B may have become the primary and then became backup again because of preempt setting.  Confirm by reviewing 'get event' log and KB11373 - How to configure Preempt setting.
  3. Firewall-B is in [ I ] state. What NSRP monitored object triggered Firewall-B to the Inoperable state?  For more information on how to tell, refer to KB11338.

  4. Does Firewall-B have a 'manage IP' address configured on the interfaces used to contact the Track-IP hosts?  To check the "manage ip" address, issue the command 'get int <int_name>' on Firewall-B.

    Note: The Backup firewall "Manage IP" address should be different than the primary firewall "Manage IP" address.

  5. On Firewall-B, consult:  KB11451 - Firewall running NSRP is in the (I) Inoperable state. Check settings and fix condition.

    If you need further assistance, Jump to Step 7

  6. Continuation from Step 1 (Firewall-A is [I] or [B]).  What is the State of Firewall-B?

    • [ B ] - Firewall-B may be unavailable for failover support (i.e. ineligible).  Consult KB11477 to correct the Ineligible state.
    • [ M ] - It appears that the device has correctly failed over.   Firewall-B is now the primary.
    • [ I ] - Firewall-B is in the Inoperable state. Consider adding 'set nsrp vsd-group master-always-exist' to avoid condition where both firewalls are in the Inoperable state.  Then Go to Step 3 to fix the Inoperable state.
  7. For additional assistance, collect the information listed in KB11175 - What information do I need to collect before opening an NSRP case?  Once the data has been collected, open a case (for assistance see: Contact Support)

Modification History:
2021-03-24: Updated the article terminology to align with Juniper's Inclusion & Diversity initiatives
2020-09-11: Minor, non-technical edits.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search