Chris_944
asked on
Back-up Juniper SSG140 freezes when I try to configure NSRP
I have 2 Juniper SSG140's fully configured that I am trying to set up as a pair. Followed the basic active/passive config guide on the Juniper website and the master takes all the config with no issues, however as soon as I enter the 'set nsrp cluster id 1' cmd on the backup device it freezes and won't come back until it's rebooted. When it comes back up it's without the cluster ID set.
Any ideas of why this happens? please just let me know what config you need to see in order to help with this issue.
Regards
Chris
ASKER
Right, I have been through the 'How do I configure NSRP' guide KB9809 on the link you sent. Everything looks good up to point 7 where I try to enter the minimum NSRP configuration. This then gives me the same behaviour as explained above. The back-up firewall freezes and has to be restarted.
I am at a loss. I have run through the configuration of 2 other ssg140's that are running NSRP and everything looks the same.
Which version of SOS are you running? Can you ensure that the cabling is proper and that the HA link is indeed UP [before you start setting NSRP].
Please post sanitized output of commands below from both the boxes [please indicate the box with problem]:
get interface
get nsrp
Thank you.
ASKER
Hi
Both boxes are running firmware version 6.3.0r9.0
FW2 is the one with the issues, please find all output requested below.
Thanks Again!!
FW01(M)-> get interface
A - Active, I - Inactive, U - Up, D - Down, R - Ready
Interfaces in vsys Root:
Name IP Address Zone MAC VLAN State VSD
eth0/0 198.12.63.44/29 Untrust 0000.0000.0000 - U 0
eth0/1 0.0.0.0/0 Null 0000.0000.0000 - D 0
eth0/2 0.0.0.0/0 Null 0000.0000.0000 - U 0
eth0/2.1 10.0.0.217/29 SW-Mgmt 0000.0000.0000 xx9 U 0
eth0/2.2 10.0.1.193/28 one_test 0000.0000.0000 xx0 U 0
eth0/2.3 10.0.2.193/26 two_Test 0000.0000.0000 xx1 U 0
eth0/2.4 10.0.2.129/27 thr_Test 0000.0000.0000 xx2 U 0
eth0/2.5 10.0.2.209/29 fou_Test 0000.0000.0000 xx3 U 0
eth0/2.6 10.0.2.161/27 fiv_Test 0000.0000.0000 xx4 U 0
eth0/3 0.0.0.0/0 Null 0000.0000.0000 - D 0
eth0/4 0.0.0.0/0 Null 0000.0000.0000 - D 0
eth0/5 0.0.0.0/0 Null 0000.0000.0000 - D 0
eth0/6 0.0.0.0/0 HA 0000.0000.0000 - U -
eth0/7 0.0.0.0/0 HA 0000.0000.0000 - U -
eth0/8 0.0.0.0/0 Null 0000.0000.0000 - D 0
eth0/9 0.0.0.0/0 Null 0000.0000.0000 - D 0
bgroup0/0 0.0.0.0/0 Null 0000.0000.0000 - D 0
bgroup0/1 0.0.0.0/0 Null 0000.0000.0000 - D 0
bgroup0/2 0.0.0.0/0 Null 0000.0000.0000 - D 0
vlan1 0.0.0.0/0 VLAN 0000.0000.0000 1 D 0
null 0.0.0.0/0 Null N/A - U 0
FW01(M)-> get nsrp
nsrp version: 2.0
cluster info:
cluster id: 1, no name
local unit id: 11052416
active units discovered:
index: 0, unit id: 11052416, ctrl mac: xxxxxxx8a58a , data mac: xxxxxxx8a58b
total number of units: 1
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master PB other members myself uptime
0 100 no 3 no myself none 3d;22:59:09
total number of vsd groups: 1
Total iteration=683940,time=1753801729,max=24644,min=88,average=2564
RTO mirror info:
run time object sync: disabled
route synchronization: disabled
ping session sync: enabled
nsrp data packet forwarding is enabled
nsrp link info:
control channel: ethernet0/6 (ifnum: 10) mac: xxxxxxx8a58a state: up
data channel: ethernet0/7 (ifnum: 11) mac: xxxxxxx8a58b state: up
ha secondary path link not available
NSRP encryption: disabled
NSRP authentication: disabled
device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
device based nsrp monitor interface: ethernet0/0(weight 255, UP) ethernet0/2(weight 255, UP)
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, disabled)
number of gratuitous arps: 4 (default)
config sync: enabled
track ip: disabled
FW02-> get interface
A - Active, I - Inactive, U - Up, D - Down, R - Ready
Interfaces in vsys Root:
Name IP Address Zone MAC VLAN State VSD
eth0/0 198.12.63.46/29 Untrust 0000.0000.0000 - U -
eth0/1 0.0.0.0/0 Null 0000.0000.0000 - D -
eth0/2 0.0.0.0/0 Null 0000.0000.0000 - U -
eth0/2.1 10.0.0.218/29 SW-Mgmt 0000.0000.0000 xx9 U -
eth0/2.2 10.0.1.194/28 one_test 0000.0000.0000 xx0 U -
eth0/2.3 10.0.2.194/26 two_Test 0000.0000.0000 xx1 U -
eth0/2.4 10.0.2.130/27 thr_Test 0000.0000.0000 xx2 U -
eth0/2.5 10.0.2.210/29 fou_Test 0000.0000.0000 xx3 U -
eth0/2.6 10.0.2.162/27 fiv_Test 0000.0000.0000 xx4 U -
eth0/3 0.0.0.0/0 Null 0000.0000.0000 - D -
eth0/4 0.0.0.0/0 Null 0000.0000.0000 - D -
eth0/5 0.0.0.0/0 Null 0000.0000.0000 - D -
eth0/6 0.0.0.0/0 HA 0000.0000.0000 - U -
eth0/7 0.0.0.0/0 HA 0000.0000.0000 - U -
eth0/8 0.0.0.0/0 Null 0000.0000.0000 - D -
eth0/9 0.0.0.0/0 Null 0000.0000.0000 - D -
bgroup0/0 0.0.0.0/0 Null 0000.0000.0000 - D -
bgroup0/1 0.0.0.0/0 Null 0000.0000.0000 - D -
bgroup0/2 0.0.0.0/0 Null 0000.0000.0000 - D -
vlan1 0.0.0.0/0 VLAN 0000.0000.0000 1 D -
null 0.0.0.0/0 Null N/A - U -
FW02-> get nsrp
nsrp version: 2.0
cluster info:
cluster id not set: nsrp is inactive
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master PB other members myself uptime
total number of vsd groups: 0
Total iteration=0,time=0,max=0,min=0,average=0
RTO mirror info:
run time object sync: disabled
route synchronization: disabled
ping session sync: enabled
coldstart sync done
nsrp data packet forwarding is enabled
nsrp link info:
control channel: ethernet0/6 (ifnum: 10) mac: xxxxxxx1ee8a state: up
data channel: ethernet0/7 (ifnum: 11) mac: xxxxxxx1ee8b state: up
ha secondary path link not available
NSRP encryption: disabled
NSRP authentication: disabled
device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
device based nsrp monitor interface:
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, disabled)
number of gratuitous arps: 4 (default)
config sync: enabled
track ip: disabled
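The `get nsrp` output posted above is exactly what a pre-flight check should look at before `set nsrp cluster id` is typed on the second unit: both HA channels up, no cluster id yet on the joining box, and the sync/security flags. The script below is an added example (not from the thread or from Juniper) that parses that output and reports what is safe to proceed on; it embeds FW02's sanitized output copied from the post above as its sample input, and the "expected cluster id" argument, the severity labels and the finding texts are this example's own conventions.

```python
import re

# Sanitized `get nsrp` output for FW02 as posted in the thread above
# (MACs were already masked by the poster); lines not needed by the
# check were dropped.
FW02_GET_NSRP = """\
nsrp version: 2.0
cluster info:
cluster id not set: nsrp is inactive
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
total number of vsd groups: 0
RTO mirror info:
run time object sync: disabled
route synchronization: disabled
ping session sync: enabled
coldstart sync done
nsrp link info:
control channel: ethernet0/6 (ifnum: 10) mac: xxxxxxx1ee8a state: up
data channel: ethernet0/7 (ifnum: 11) mac: xxxxxxx1ee8b state: up
ha secondary path link not available
NSRP encryption: disabled
NSRP authentication: disabled
config sync: enabled
track ip: disabled
"""

CLUSTER_RE = re.compile(r"^cluster id: (\d+)", re.M)
CHANNEL_RE = re.compile(r"^(control|data) channel: (\S+) .*state: (\w+)", re.M)
FLAG_RE = re.compile(r"^(NSRP encryption|NSRP authentication|config sync): (\w+)", re.M)


def parse_get_nsrp(text):
    """Extract the fields a pre-flight check needs from `get nsrp` output."""
    m = CLUSTER_RE.search(text)
    return {
        # None when the unit prints "cluster id not set: nsrp is inactive"
        "cluster_id": int(m.group(1)) if m else None,
        # {"control": ("ethernet0/6", "up"), "data": ("ethernet0/7", "up")}
        "channels": {k: (ifname, state) for k, ifname, state in CHANNEL_RE.findall(text)},
        # {"nsrp encryption": "disabled", ...}
        "flags": {k.lower(): v for k, v in FLAG_RE.findall(text)},
        "secondary_path": "ha secondary path link not available" not in text,
    }


def preflight(text, expected_cluster_id=None):
    """Return (severity, message) findings; no FAIL entries means clear to join."""
    info = parse_get_nsrp(text)
    findings = []
    # 1. Both HA channels must exist and be up before the cluster id is set.
    for chan in ("control", "data"):
        if chan not in info["channels"]:
            findings.append(("FAIL", f"no {chan} channel bound to the HA zone"))
        else:
            ifname, state = info["channels"][chan]
            if state != "up":
                findings.append(("FAIL", f"{chan} channel {ifname} is {state}"))
    # 2. The joining unit should have no cluster id yet; a unit already in the
    #    cluster must carry the id the peer will be given.
    if info["cluster_id"] is None:
        findings.append(("INFO", "cluster id not set: this unit has not joined yet"))
    elif expected_cluster_id is not None and info["cluster_id"] != expected_cluster_id:
        findings.append(("FAIL", f"cluster id {info['cluster_id']} != expected {expected_cluster_id}"))
    # 3. The HA link carries config and session sync. Without authentication any
    #    device that can reach the link and uses the same cluster id can take
    #    part in the VSD election; without encryption the synced config is in clear.
    for flag in ("nsrp authentication", "nsrp encryption"):
        if info["flags"].get(flag) != "enabled":
            findings.append(("WARN", f"{flag} is {info['flags'].get(flag, 'unknown')}"))
    if info["flags"].get("config sync") != "enabled":
        findings.append(("WARN", "config sync is not enabled; backup will not receive the config"))
    if not info["secondary_path"]:
        findings.append(("INFO", "no secondary HA path; loss of the control link looks like peer failure"))
    return findings


if __name__ == "__main__":
    for severity, message in preflight(FW02_GET_NSRP, expected_cluster_id=1):
        print(f"{severity:4} {message}")
```

Run it against the output of both boxes before touching the backup. On the thread's output it reports no FAIL for FW02 (both channels up, cluster id unset), which is consistent with the poster's conclusion that the freeze was a hardware fault rather than a cabling or configuration problem; the two WARN lines flag that the HA link is running unauthenticated and unencrypted, which ScreenOS can fix with `set nsrp auth password` and `set nsrp encrypt password` on both units.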
ASKER
Hmmm, FW1 is passing traffic so will have to look at getting a downtime window approved then. I forgot to say I used X-overs for the cabling, that's right isn't it?
Thanks for your help
Crossover should be fine; as long as the link is UP and some data is passing I would not doubt the cable. To be 100% sure we can assign some zone/unused IP and ping/telnet the interface [from the other SSG].
Another thing which I am thinking [don't think it is anyhow related but want to be sure] is checking that the bootloader version is the same on both the boxes.
Article below shows how to check bootloader version:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB10973
Following article explains how to upgrade bootloader (if needed):
http://kb.juniper.net/InfoCenter/index?page=content&id=KB10949
SSG bootloader for 6.3 is available on Juniper website download page [but was last released in Sep 2009, so really don't think bootloader is the issue].
Thank you.
Also, wanted to clarify that we do not need to do anything on FW01 [as NSRP is already active]; only FW02.
One more question; if you disconnect all ports from FW02 and from console enable NSRP, does the firewall still freeze up; if yes, then would suggest you to contact JTAC right away.
Thank you.
ASKER
There was an issue with the hardware itself and the box had to be replaced, thanks for your help dpk
http://kb.juniper.net/kb/documents/public/resolution_path/J_visio_NSRP_resolution_guide.htm
Once ensured that configuration is proper and if you still run into issue update the thread.
Thank you.