This post describes how to rebuild a Juniper NSRP cluster when the first Juniper firewall is already configured for NSRP.
Please make sure you have the following prerequisites on both firewalls.
Minimum software and hardware requirements for configuring Active / Passive NSRP:
- Firewalls with identical ScreenOS versions and license keys
- Firewalls with identical hardware
- At least one interface on each firewall to be configured in the HA zone, which will be used for carrying control channel information
Configuration steps on the unconfigured firewall.
Configure the interface(s) for HA:
If possible, use the same interface as on the other device.
set interface ethernet0/4 zone HA
Configure the NSRP cluster id:
set nsrp cluster id 1
Both firewalls in the cluster must have the same Cluster ID number.
IMPORTANT: Other NSRP firewall pairs on the same segment must have a different set of cluster ids. Once the cluster id is set to a value, all the security interfaces will become part of the VSD-group 0, by default.
Configure cluster name for NSRP:
To define a single name for all cluster members, type the following CLI command:
set nsrp cluster name <name_str>
Configure the VSD group priority:
set nsrp vsd-group id <number> priority <number>
IMPORTANT: Make sure that the desired STANDBY firewall has a HIGHER priority configured than the preferred master. The firewall with the lower priority will be the active master in the cluster!
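Before cabling the HA link it is worth checking the two saved configurations against the rules above: same cluster id, same cluster name, an interface in zone HA on each unit, and a lower priority value on the unit that is meant to be master. The following Python checker is an added example, not part of the original post or of ScreenOS; it parses the four `set nsrp ...` / `set interface ... zone HA` commands in the syntax used here (optionally quoted, as saved configurations print them), and the `other_cluster_ids` parameter for detecting collisions with other pairs on the segment is a hypothetical extension of the post's rule. The sample configurations are constructed, not captured from a device.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Regexes for the NSRP-related 'set' commands used in this post. Saved ScreenOS
# configurations may quote names (set interface "ethernet0/4" zone "HA"), so the
# quotes are optional. Assumption: no other spelling of these commands appears.
_RE_HA_IF = re.compile(r'^set interface "?([^"\s]+)"? zone "?HA"?\s*$', re.M)
_RE_CLUSTER_ID = re.compile(r"^set nsrp cluster id (\d+)\s*$", re.M)
_RE_CLUSTER_NAME = re.compile(r'^set nsrp cluster name "?([^"\s]+)"?\s*$', re.M)
_RE_VSD_PRIO = re.compile(r"^set nsrp vsd-group id (\d+) priority (\d+)\s*$", re.M)


@dataclass
class NsrpSettings:
    """NSRP-relevant settings extracted from one firewall's configuration."""
    ha_interfaces: List[str] = field(default_factory=list)
    cluster_id: Optional[int] = None
    cluster_name: Optional[str] = None
    vsd_priority: Dict[int, int] = field(default_factory=dict)  # vsd-group id -> priority


def parse_nsrp(config: str) -> NsrpSettings:
    """Pull the NSRP settings out of saved 'set ...' configuration text."""
    settings = NsrpSettings(ha_interfaces=_RE_HA_IF.findall(config))
    m = _RE_CLUSTER_ID.search(config)
    if m:
        settings.cluster_id = int(m.group(1))
    m = _RE_CLUSTER_NAME.search(config)
    if m:
        settings.cluster_name = m.group(1)
    for group_id, prio in _RE_VSD_PRIO.findall(config):
        settings.vsd_priority[int(group_id)] = int(prio)
    return settings


def check_pair(master_cfg: str, standby_cfg: str,
               other_cluster_ids: FrozenSet[int] = frozenset()) -> List[str]:
    """Compare the intended master and standby configurations.

    Returns a list of problems; an empty list means the pair is consistent.
    other_cluster_ids (hypothetical input) holds cluster ids already used by
    other NSRP pairs on the same segment, which must differ from this pair's.
    """
    master, standby = parse_nsrp(master_cfg), parse_nsrp(standby_cfg)
    problems: List[str] = []

    # Per-unit prerequisites: an HA-zone interface, a cluster id, a VSD-group 0 priority.
    for label, s in (("master", master), ("standby", standby)):
        if not s.ha_interfaces:
            problems.append(f"{label}: no interface is in zone HA")
        if s.cluster_id is None:
            problems.append(f"{label}: 'set nsrp cluster id' is missing")
        if 0 not in s.vsd_priority:
            problems.append(f"{label}: no priority set for vsd-group 0")

    # Both members must share the cluster id, and it must not collide with another pair.
    if None not in (master.cluster_id, standby.cluster_id) and master.cluster_id != standby.cluster_id:
        problems.append(f"cluster id mismatch: master={master.cluster_id} standby={standby.cluster_id}")
    if master.cluster_id is not None and master.cluster_id in other_cluster_ids:
        problems.append(f"cluster id {master.cluster_id} is already used by another pair on this segment")
    if master.cluster_name != standby.cluster_name:
        problems.append(f"cluster name mismatch: master={master.cluster_name!r} standby={standby.cluster_name!r}")

    # Election rule: the LOWER priority value becomes master, so the intended
    # master must carry the lower number and the two values must differ.
    pm, ps = master.vsd_priority.get(0), standby.vsd_priority.get(0)
    if pm is not None and ps is not None:
        if pm == ps:
            problems.append(f"vsd-group 0: both units have priority {pm}; the standby needs a higher value")
        elif pm > ps:
            problems.append(f"vsd-group 0: intended master has priority {pm} > standby {ps}; "
                            "the standby would win the election")
    return problems


# Constructed sample configurations (not captured from a real device).
MASTER_CFG = """\
set interface "ethernet0/4" zone "HA"
set nsrp cluster id 1
set nsrp cluster name "fw-cluster"
set nsrp vsd-group id 0 priority 50
"""
STANDBY_CFG = """\
set interface "ethernet0/4" zone "HA"
set nsrp cluster id 1
set nsrp cluster name "fw-cluster"
set nsrp vsd-group id 0 priority 100
"""

if __name__ == "__main__":
    for problem in check_pair(MASTER_CFG, STANDBY_CFG) or ["pair is consistent"]:
        print(problem)
    # Swapping the roles reproduces the classic mistake from the note above: the
    # unit meant to be master carries the higher value and would end up as standby.
    for problem in check_pair(STANDBY_CFG, MASTER_CFG):
        print("swapped roles:", problem)
```

Feed it the output of `get config` from each unit (saved to a file) and fix every reported problem before connecting the HA cable; the swapped-roles call in the usage section shows how an inverted priority is reported.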
Connect only the HA link cable to the interface that is configured for the HA zone.
Check the NSRP cluster status:
You can check the NSRP cluster status via the configuration GUI or via the CLI.
To check the NSRP cluster status via the GUI, connect to the current master and navigate to Reports > System Log > Event and search for NSRP-related entries.
To check the NSRP cluster status via the CLI, connect to the current standby via console and run the following command:
get nsrp cluster
Synchronize the configurations:
To synchronize the configuration from the active to the standby unit, please connect to the standby unit via console and execute the following command:
exec nsrp sync global-config save
The following output is reported shortly after you enter the above command:
load peer system config to save
firewall-B(B)-> Save global configuration successfully.
firewall-B(B)-> Save local configuration successfully.
firewall-B(B)-> Done.
firewall-B(B)-> Please reset your box to let cluster configuration to take effect!
Reset the Firewall:
IMPORTANT: If you are prompted to save the configuration after you enter the reset command, answer n (No). Then, proceed with the reboot by answering y (Yes).
firewall-B(B)-> reset
firewall-B(B)-> Configuration modified. Save? [y]/n n
firewall-B(B)-> System reset. Are you sure? y/[n] y
Check if the configurations are in sync:
Please execute the following command via CLI (console connection) on the backup firewall to check if the configurations are in sync:
exec nsrp sync global-config check-sum
Now connect all other interfaces to the standby unit in the correct order.
Initial manual failover (run on the master unit):
exec nsrp vsd-group 0 mode ineligible
| Command | Description |
|---|---|
| get nsrp cluster | Show cluster info |
| get nsrp monitor | Show list of monitored interfaces |
| get nsrp vsd id 0 | Show VSD id 0 |
| get counters ha | Show HA interface hardware counters |
| exec nsrp sync global-config check-sum | Shows whether the cluster configurations are synchronised |
| exec nsrp sync global-config save | Syncs the nodes. A reboot is required to complete the update. |
| exec nsrp vsd-group 0 mode ineligible | Fails over the cluster. Run this command on the master node. |
Current Settings / Values
| Command | Description |
|---|---|
| get envar | Show environment variables |
| get config | Show device configuration |
| get system | Show system information |
| get arp | Show ARP cache |
| get route | Show routing table |