
[ScreenOS] How do I test an Active/Passive NSRP device failover?



Article ID: KB9810 | KB Last Updated: 25 Aug 2020 | Version: 16.0

After performing the steps to configure NSRP, it is recommended to test failover conditions. This article provides the procedure to test failover conditions and confirm that traffic still passes.


Use the following procedure to test an NSRP Active/Passive failover. To view the flowchart for this procedure, refer to KB9810 Flowchart.

Note: In this article, Firewall-A refers to the device that is initially configured as the Primary device. Firewall-B is the device that is initially configured as the Backup device.

1. Prior to testing NSRP failover, is Firewall-A passing traffic?

2. Check if the configurations are in sync. Refer to KB26193 - Unable to verify the configuration sync with NSRP peer.

3. Check if RTO mirror synchronisation is enabled. To check this, run the command 'get nsrp | in run'.
  • No: either enable RTO synchronisation with the command 'set nsrp rto-mirror sync', or manually sync RTO objects with the command 'exec nsrp sync rto from peer'.
  • Yes: go to step 4.

4.  Trigger the failover from Firewall-A to Firewall-B.  For more information, consult: KB5885 - Manually forcing a Device from Primary to Backup Device  or  KB11192 - How do I perform a device fail over of monitored objects (Interface, Track-IP, and Zone) or

Continue with Step 3

5. Did Firewall-A fail over to Firewall-B? For information, consult: KB11199 - How to tell if the firewall failed over or changed state.

6. Is Firewall-B passing traffic?  For information on how to tell if the firewall is passing traffic, consult: KB11201 - How to confirm/monitor if traffic is passing through the NSRP device.

7. Trigger a failover to fail back from Firewall-B to Firewall-A, and confirm Firewall-A is passing traffic again. For information on triggering a failover, consult: KB5885 or KB11192.
