
[ScreenOS] How do I troubleshoot an Active/Passive NSRP cluster that is not passing data?


Article ID: KB9818 | KB Last Updated: 11 Sep 2020 | Version: 7.0
Summary:

If traffic does not pass through the firewall during a failover test, follow the steps in this article.

Symptoms:
  • Traffic is not passing through an Active/Passive NSRP cluster after a failover
  • Sessions aren't reconnecting after a failover
  • Can't reach services through the firewall after a failover
Solution:

Use the steps below to troubleshoot why the firewall is not passing data.  To view the flowchart for these steps, refer to KB9818 Flowchart.

Note: In this article, Firewall-A refers to the device that is the original Master device. Firewall-B is the device that is the original Backup device.

  1. What does the prompt display on Firewall-A? For assistance, consult KB11377 - How do I check the state of the NSRP device.

  2. If Firewall-A is in [ I ] or [ B ] state, is Firewall-B in [ M ] state? For assistance, consult KB11377 - How do I check the state of the NSRP device.

  3. If Firewall-A is in [ M ] state, what is the state of Firewall-B?

    • [ M ] -  If Firewall-B is also in the Master state, then the cluster is in a condition known as Split Brain.  Consult KB11450 - What is NSRP Split-brain.
    • [ I ] or [ B ]  - Continue with Step 4
  4. Are there multiple NSRP clusters on the same Layer-2 segment?

    • Yes - Ensure the cluster IDs are unique, then continue to Step 5.  For assistance in determining if the cluster IDs are unique, consult KB5837.
    • No  - Continue with Step 5
  5. Can you PING the next-hop device from the firewall? To ping the device from the VSI interface, run 'ping <IP address> from <VSI interface>'.

    • Yes - Continue with Step 6
    • No  - If you cannot PING the next-hop device from the VSI interface, troubleshoot the connectivity: switch, VLANs, cabling, switching tables, ARP tables.
  6. For additional assistance, collect the information listed in KB11175 - What information do I need to collect before opening an NSRP case?
    Once the data has been collected, open a case by contacting JTAC.

Modification History:
2020-09-11: Minor, non-technical edits.
