
Back-up Juniper SSG140 freezes when I try to configure NSRP

Chris_944 asked:
I have two Juniper SSG140s fully configured that I am trying to set up as a pair. I followed the basic active/passive config guide on the Juniper website, and the master takes all the config with no issues; however, as soon as I enter the 'set nsrp cluster id 1' cmd on the backup device it freezes and won't come back until it's rebooted. When it comes back up it's without the cluster ID set.

Any ideas why this happens? Please just let me know what config you need to see in order to help with this issue.

Regards
Chris

CERTIFIED EXPERT
Top Expert 2007

Commented:
Have a look at link below:
http://kb.juniper.net/kb/documents/public/resolution_path/J_visio_NSRP_resolution_guide.htm

Once you have ensured that the configuration is proper, if you still run into the issue, update the thread.

Thank you.

Author

Commented:
Right, I have been through the 'How do I configure NSRP' guide KB9809 on the link you sent. Everything looks good up to point 7, where I try to enter the minimum NSRP configuration. This then gives me the same behaviour as explained above: the backup firewall freezes and has to be restarted.

I am at a loss. I have run through the configuration of two other SSG140s that are running NSRP and everything looks the same.
CERTIFIED EXPERT
Top Expert 2007

Commented:
Which version of SOS are you running? Can you ensure that the cabling is proper and that the HA link is indeed UP [before you start setting NSRP]?

Please post sanitized output of the commands below from both boxes [please indicate the box with the problem]:
get interface
get nsrp

Thank you.

Author

Commented:
Hi,
Both boxes are running firmware version 6.3.0r9.0.

FW2 is the one with the issues; please find all the output requested below.

Thanks Again!!

FW01(M)-> get interface

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address                        Zone        MAC            VLAN State VSD
eth0/0         198.12.63.44/29                   Untrust     0000.0000.0000    -   U   0
eth0/1         0.0.0.0/0                         Null        0000.0000.0000    -   D   0
eth0/2         0.0.0.0/0                         Null        0000.0000.0000    -   U   0
eth0/2.1       10.0.0.217/29                     SW-Mgmt     0000.0000.0000  xx9   U   0
eth0/2.2       10.0.1.193/28                          one_test    0000.0000.0000  xx0   U   0
eth0/2.3       10.0.2.193/26                     two_Test    0000.0000.0000  xx1   U   0
eth0/2.4       10.0.2.129/27                     thr_Test    0000.0000.0000  xx2   U   0
eth0/2.5       10.0.2.209/29                     fou_Test    0000.0000.0000  xx3   U   0
eth0/2.6       10.0.2.161/27                     fiv_Test    0000.0000.0000  xx4   U   0
eth0/3         0.0.0.0/0                         Null        0000.0000.0000    -   D   0
eth0/4         0.0.0.0/0                         Null        0000.0000.0000    -   D   0
eth0/5         0.0.0.0/0                         Null        0000.0000.0000    -   D   0
eth0/6         0.0.0.0/0                         HA          0000.0000.0000    -   U   -
eth0/7         0.0.0.0/0                         HA          0000.0000.0000    -   U   -
eth0/8         0.0.0.0/0                         Null        0000.0000.0000    -   D   0
eth0/9         0.0.0.0/0                         Null        0000.0000.0000    -   D   0
bgroup0/0      0.0.0.0/0                         Null        0000.0000.0000    -   D   0
bgroup0/1      0.0.0.0/0                         Null        0000.0000.0000    -   D   0
bgroup0/2      0.0.0.0/0                         Null        0000.0000.0000    -   D   0
vlan1          0.0.0.0/0                         VLAN        0000.0000.0000    1   D   0
null           0.0.0.0/0                         Null        N/A               -   U   0

FW01(M)-> get nsrp
nsrp version: 2.0

cluster info:
cluster id: 1, no name
local unit id: 11052416
active units discovered:
index: 0, unit id:  11052416, ctrl mac: xxxxxxx8a58a , data mac: xxxxxxx8a58b
total number of units: 1

VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig   master       PB other members  myself uptime
    0      100 no             3 no       myself     none               3d;22:59:09
total number of vsd groups: 1
Total iteration=683940,time=1753801729,max=24644,min=88,average=2564

RTO mirror info:
run time object sync:   disabled
route synchronization: disabled
ping session sync: enabled
nsrp data packet forwarding is enabled

nsrp link info:
control   channel: ethernet0/6 (ifnum: 10)  mac: xxxxxxx8a58a state: up
data      channel: ethernet0/7 (ifnum: 11)  mac: xxxxxxx8a58b state: up
ha secondary path link not available

NSRP encryption: disabled
NSRP authentication: disabled
device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
device based nsrp monitor interface: ethernet0/0(weight 255, UP) ethernet0/2(weight 255, UP)
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, disabled)
number of gratuitous arps: 4 (default)
config sync: enabled

track ip: disabled


FW02-> get interface

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address                        Zone        MAC            VLAN State VSD
eth0/0         198.12.63.46/29                   Untrust     0000.0000.0000    -   U   -
eth0/1         0.0.0.0/0                         Null        0000.0000.0000    -   D   -
eth0/2         0.0.0.0/0                         Null        0000.0000.0000    -   U   -
eth0/2.1       10.0.0.218/29                     SW-Mgmt     0000.0000.0000  xx9   U   -
eth0/2.2       10.0.1.194/28                     one_test    0000.0000.0000  xx0   U   -
eth0/2.3       10.0.2.194/26                     two_Test    0000.0000.0000  xx1   U   -
eth0/2.4       10.0.2.130/27                     thr_Test    0000.0000.0000  xx2   U   -
eth0/2.5       10.0.2.210/29                     fou_Test    0000.0000.0000  xx3   U   -
eth0/2.6       10.0.2.162/27                     fiv_Test    0000.0000.0000  xx4   U   -
eth0/3         0.0.0.0/0                         Null        0000.0000.0000    -   D   -
eth0/4         0.0.0.0/0                         Null        0000.0000.0000    -   D   -
eth0/5         0.0.0.0/0                         Null        0000.0000.0000    -   D   -
eth0/6         0.0.0.0/0                         HA          0000.0000.0000    -   U   -
eth0/7         0.0.0.0/0                         HA          0000.0000.0000    -   U   -
eth0/8         0.0.0.0/0                         Null        0000.0000.0000    -   D   -
eth0/9         0.0.0.0/0                         Null        0000.0000.0000    -   D   -
bgroup0/0      0.0.0.0/0                         Null        0000.0000.0000    -   D   -
bgroup0/1      0.0.0.0/0                         Null        0000.0000.0000    -   D   -
bgroup0/2      0.0.0.0/0                         Null        0000.0000.0000    -   D   -
vlan1          0.0.0.0/0                         VLAN        0000.0000.0000    1   D   -
null           0.0.0.0/0                         Null        N/A               -   U   -


FW02-> get nsrp
nsrp version: 2.0

cluster info:
 cluster id not set: nsrp is inactive

VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig   master       PB other members  myself uptime
total number of vsd groups: 0
Total iteration=0,time=0,max=0,min=0,average=0

RTO mirror info:
run time object sync:   disabled
route synchronization: disabled
ping session sync: enabled
coldstart sync done
nsrp data packet forwarding is enabled

nsrp link info:
control   channel: ethernet0/6 (ifnum: 10)  mac: xxxxxxx1ee8a state: up
data      channel: ethernet0/7 (ifnum: 11)  mac: xxxxxxx1ee8b state: up
ha secondary path link not available

NSRP encryption: disabled
NSRP authentication: disabled
device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
device based nsrp monitor interface:
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, disabled)
number of gratuitous arps: 4 (default)
config sync: enabled

track ip: disabled
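As an added example that is not part of the thread, the pre-check the expert asks for, run over abridged copies of the two `get nsrp` outputs above: it parses the HA control/data channel states and the cluster id, and also flags that NSRP encryption and authentication are disabled on both boxes (the output strings are constructed excerpts; Python and the function names are my assumptions).

```python
import re

# Constructed excerpts of the "get nsrp" output from both boxes in this thread
# (MAC addresses were already masked by the poster).
FW01_NSRP = """cluster id: 1, no name
control   channel: ethernet0/6 (ifnum: 10)  mac: xxxxxxx8a58a state: up
data      channel: ethernet0/7 (ifnum: 11)  mac: xxxxxxx8a58b state: up
NSRP encryption: disabled
NSRP authentication: disabled
"""
FW02_NSRP = """ cluster id not set: nsrp is inactive
control   channel: ethernet0/6 (ifnum: 10)  mac: xxxxxxx1ee8a state: up
data      channel: ethernet0/7 (ifnum: 11)  mac: xxxxxxx1ee8b state: up
NSRP encryption: disabled
NSRP authentication: disabled
"""


def parse_nsrp(text):
    """Pull out the fields worth checking before enabling NSRP on the backup."""
    info = {"cluster_id": None, "links": {}, "encryption": None, "authentication": None}
    m = re.search(r"^\s*cluster id:\s*(\d+)", text, re.M)
    if m:  # FW02 prints "cluster id not set", which leaves this as None
        info["cluster_id"] = int(m.group(1))
    for m in re.finditer(r"^(control|data)\s+channel:\s*(\S+).*?state:\s*(\w+)", text, re.M):
        info["links"][m.group(1)] = {"iface": m.group(2), "state": m.group(3)}
    for key in ("encryption", "authentication"):
        m = re.search(rf"^NSRP {key}:\s*(\w+)", text, re.M)
        if m:
            info[key] = m.group(1)
    return info


def nsrp_findings(info, expect_cluster_id=1):
    """Return a list of findings; empty means the prerequisites look fine."""
    findings = []
    for ch in ("control", "data"):  # both HA channels must be up before cluster setup
        link = info["links"].get(ch)
        if link is None or link["state"] != "up":
            findings.append(f"{ch} channel is not up")
    if info["cluster_id"] != expect_cluster_id:
        findings.append(f"cluster id is {info['cluster_id']}, expected {expect_cluster_id}")
    if info["encryption"] != "enabled":
        findings.append("NSRP encryption disabled: HA sync traffic between the peers is not encrypted")
    if info["authentication"] != "enabled":
        findings.append("NSRP authentication disabled: NSRP messages are not authenticated")
    return findings


if __name__ == "__main__":
    for name, raw in (("FW01", FW01_NSRP), ("FW02", FW02_NSRP)):
        print(name, nsrp_findings(parse_nsrp(raw)))
```

The same checks apply to the full output: a `cluster id not set` line on FW02 is expected before the command is entered, but both channels reporting `up` confirms the cabling the expert asked about.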
CERTIFIED EXPERT
Top Expert 2007
Commented:
6.3r9 is the latest version available.

From both boxes:
nsrp link info:
control   channel: ethernet0/6 (ifnum: 10)  mac: xxxxxxx1ee8a state: up
data      channel: ethernet0/7 (ifnum: 11)  mac: xxxxxxx1ee8b state: up

I do not see a reason why you are getting the behavior observed.

Reset the unit to factory defaults [log in on the console with the serial number as username and password]; reload the SOS firmware; and reconfigure just the interfaces, zones and NSRP, and observe the results.
If it is still the same, then I would suggest you contact JTAC, as this might be something they would be able to assist with further.

Thank you.

Author

Commented:
Hmmm, FW1 is passing traffic, so I will have to look at getting a downtime window approved then. I forgot to say I used crossovers (X-overs) for the cabling; that's right, isn't it?

Thanks for your help
CERTIFIED EXPERT
Top Expert 2007

Commented:
Crossover should be fine; as long as the link is UP and some data is passing, I would not doubt the cable. To be 100% sure we can assign some zone/unused IP and ping/telnet the interface [from the other SSG].

Another thing which I am thinking of [I don't think it is related in any way, but want to be sure] is checking that the bootloader version is the same on both boxes.
The article below shows how to check the bootloader version:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB10973

The following article explains how to upgrade the bootloader (if needed):
http://kb.juniper.net/InfoCenter/index?page=content&id=KB10949

The SSG bootloader for 6.3 is available on the Juniper website download page [but was last released in Sep 2009, so I really don't think the bootloader is the issue].

Thank you.
CERTIFIED EXPERT
Top Expert 2007

Commented:
Also, I wanted to clarify that we do not need to do anything on FW01 [as NSRP is already active]; only FW02.

One more question: if you disconnect all ports from FW02 and enable NSRP from the console, does the firewall still freeze up? If yes, then I would suggest you contact JTAC right away.

Thank you.

Author

Commented:
There was an issue with the hardware itself and the box had to be replaced. Thanks for your help, dpk.