If traffic does not pass through the firewall during a failover test, follow the steps in this article.
Use the steps below to troubleshoot why the firewall is not passing data. To view the flowchart for these steps, refer to KB9818 Flowchart.
Note: In this article, Firewall-A refers to the device that was originally the Master device. Firewall-B refers to the device that was originally the Backup device.
1. What does the prompt display on Firewall-A? For assistance, consult KB11377 - How do I check the state of the NSRP device.
2. If Firewall-A is in [ I ] or [ B ] state, is Firewall-B in M state? For assistance, consult KB11377 - How do I check the state of the NSRP device.
3. If Firewall-A is in [ M ] state, what is the state of Firewall-B?
   - [ M ] - If Firewall-B is also in the Master state, then the cluster is in a condition known as Split Brain. Consult KB11450 - What is NSRP Split-brain.
   - [ I ] or [ B ] - Continue with Step 4
4. Are there multiple NSRP clusters on the same Layer-2 segment?
   - Yes - Ensure the cluster IDs are unique, then continue to Step 5. For assistance in determining if the cluster IDs are unique, consult KB5837.
   - No - Continue with Step 5
5. Can you PING the next-hop device from the firewall? To ping the device from the VSI interface, run 'ping <IP address> from <VSI interface>'.
   - Yes - Continue with Step 6
   - No - If you cannot PING the next-hop device from the VSI interface, troubleshoot the connectivity: switch, VLANs, cabling, switching tables, ARP tables.
6. For additional assistance, collect the information listed in KB11175 - What information do I need to collect before opening an NSRP case?
   Once the data has been collected, open a case by contacting JTAC.
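
The steps above can be encoded as a small triage helper; this is an added example, not code from the original article or from the vendor. It assumes the NSRP state appears in the CLI prompt as hostname(M)->, and the function names, hostnames and inputs are hypothetical.

```python
import re

# Assumption: the prompt is the hostname, the state letter in parentheses, then "->".
PROMPT_RE = re.compile(r"^\s*(?P<host>[\w.-]+)\((?P<state>[MBI])\)->")


def nsrp_state(prompt):
    """Return the state letter (M, B or I) shown in a prompt, or None."""
    m = PROMPT_RE.match(prompt)
    return m.group("state") if m else None


def triage(prompt_a, prompt_b, cluster_ids_on_segment, next_hop_ping_ok):
    """Walk the article's steps; return (step number, finding).

    cluster_ids_on_segment: one cluster ID per NSRP cluster on the Layer-2
    segment, gathered by hand. next_hop_ping_ok: result of the ping from
    the VSI interface in Step 5.
    """
    a, b = nsrp_state(prompt_a), nsrp_state(prompt_b)
    if a is None or b is None:
        return (1, "state not visible in prompt; check it per KB11377")
    if a in ("I", "B"):
        # Step 2 only asks whether Firewall-B is now in M state.
        return (2, "Firewall-B is Master" if b == "M" else "Firewall-B is not Master")
    # From here on Firewall-A is Master (Step 3).
    if b == "M":
        return (3, "split brain: both devices are Master (KB11450)")
    # Step 4: cluster IDs that share a Layer-2 segment must be unique.
    ids = list(cluster_ids_on_segment)
    dupes = sorted({c for c in ids if ids.count(c) > 1})
    if dupes:
        return (4, "duplicate cluster IDs on segment: %s" % dupes)
    if not next_hop_ping_ok:
        return (5, "next hop unreachable from VSI: check switch, VLANs, "
                   "cabling, switching tables, ARP tables")
    return (6, "collect the data listed in KB11175 and open a JTAC case")


if __name__ == "__main__":
    # Constructed sample prompts, not captured from a real device.
    print(triage("fw-a(M)->", "fw-b(M)->", [1], True))
    print(triage("fw-a(M)->", "fw-b(B)->", [1, 2], False))
```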