Screen OS


HA configuration, the reason as alarm event ?

  • 1.  HA configuration, the reason as alarm event ?

    Posted 01-15-2016 01:12

    Hello all,

    I'm configuring HA while looking at this site: http://kb.juniper.net/InfoCenter/index?page=content&id=KB6015&actp=search

    However, after configuring HA, I figured out that both devices (SSG-140) emit light.

     

    To tell the truth, I don't know how can I troubleshoot it even though I read the reason.

    So I captured Master and Backup's alarm event!

     

    I definitely followed manual..

    Maybe anybody knows about it.

    Please reply me.

     

    Thank you so much.

     

     

    [Screenshot: <Master's alarm event>, [Master]alarm event.JPEG]

    [Screenshot: <Backup's alarm event>, [Backup]alarm event.PNG]



  • 2.  RE: HA configuration, the reason as alarm event ?

    Posted 01-15-2016 03:37

    Do you have the HA1 and HA2 configured ports connected to each other on the SSG140?

     

    This appears to be that the firewalls are not able to communicate on these links.



  • 3.  RE: HA configuration, the reason as alarm event ?

    Posted 01-15-2016 05:39

    Yess!

     

    I connected each other using eth0/0.

     

                      Sharer

                            |

    F/W1(e0/0)------(e0/0)FW2

                    ┖  L2  ┘

                            |

                          PC

     

    But, I didn't configure IP on eth0/0.

    That is, eth0/0 has 0.0.0.0 (default)

     

    hmm

    What can I do next step..?

     

    One appears as Master, the other appears as Backup!!

     

    Regards,



  • 4.  RE: HA configuration, the reason as alarm event ?
    Best Answer

    Posted 01-16-2016 04:30

    You need to choose a port that will provide HA connection between the two SSG140.  Sounds like yours will be eth0/0

     

    This port will be configured as the HA port

    set nsrp interface eth0/0

     

    Full description

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB11296



  • 5.  RE: HA configuration, the reason as alarm event ?

    Posted 01-16-2016 06:58

    Ah thank you for good information!!

     

     



  • 6.  RE: HA configuration, the reason as alarm event ?

    Posted 01-18-2016 00:15

    Sir, sorry to bother you.

     

    Actually, I'm still not successful to eliminate alarm LED!..

    still emitting ORANGE. 

     

    I already did "set nsrp inter e0/0"

     

     

     

    <The clues>

     

    SSG140(M)-> get alarm event
    Date Time Module Level Type Description
    2016-01-07 18:00:27 system crit 00015 Peer device 285184 in the Virtual
    Security Device group 0 changed state
    from init to primary backup.
    2016-01-07 18:00:24 system crit 00015 Peer device 285184 in the Virtual
    Security Device group 0 changed state
    from undefined to init.
    2016-01-07 18:00:23 system crit 00015 NSRP: HA control channel change to
    ethernet0/0.
    2016-01-07 18:00:23 system crit 00015 Peer device 285184 was discovered.
    2016-01-07 18:00:12 system crit 00015 NSRP: HA control channel change to
    NULL.(disconnected).
    2016-01-07 18:00:10 system crit 00071 The local device 8497664 in the
    Virtual Security Device group (0)
    changed state from init to master,
    missing master.
    2016-01-07 18:00:03 system crit 00015 NSRP: HA control channel change to
    ethernet0/0.

     

     

     

     

    SSG140(M)-> get int

    A - Active, I - Inactive, U - Up, D - Down, R - Ready

    Interfaces in vsys Root:
    Name IP Address Zone MAC VLAN State VSD
    eth0/0 0.0.0.0/0 HA 001d.b581.aa00 - U -
    eth0/1 192.168.10.80/24 Untrust 0010.dbff.2050 - U 0
    eth0/2 10.0.0.1/24 Trust 0010.dbff.2060 - U 0
    eth0/3 0.0.0.0/0 Null 0010.dbff.2070 - D 0
    eth0/4 0.0.0.0/0 Null 0010.dbff.2080 - D 0
    eth0/5 0.0.0.0/0 Null 0010.dbff.2090 - D 0
    eth0/6 0.0.0.0/0 Null 0010.dbff.20a0 - D 0
    eth0/7 0.0.0.0/0 Null 0010.dbff.20b0 - D 0
    eth0/8 0.0.0.0/0 Null 0010.dbff.20c0 - D 0
    eth0/9 0.0.0.0/0 Null 0010.dbff.20d0 - D 0
    bgroup0/0 0.0.0.0/0 Null 0010.dbff.20e0 - D 0
    bgroup0/1 0.0.0.0/0 Null 0010.dbff.2150 - D 0
    bgroup0/2 0.0.0.0/0 Null 0010.dbff.2160 - D 0
    vlan1 0.0.0.0/0 VLAN 0010.dbff.20f0 1 D 0
    null 0.0.0.0/0 Null N/A - U 0

     

     

     

    I think there is nothing special reason to emitting LED to Orange...

    What do you think?

     

    Thank you.,



  • 7.  RE: HA configuration, the reason as alarm event ?

    Posted 01-18-2016 02:58

    The events listed seem to indicate that the NSRP cluster is correctly formed.

     

    Can you check to see if there are other alarms

     

    get alarm traffic

     

    get alarm security all

     

    You can also check the web interface on the home page for messages



  • 8.  RE: HA configuration, the reason as alarm event ?

    Posted 01-18-2016 17:00

    As you requested, here is information.

     

     

     

    SSG140(M)-> get alarm traffic
    No entry matched.


    SSG140(M)-> get alarm security all
    ALARM SECURITY TOTAL : 0


    SSG140(M)-> get alarm event
    Date Time Module Level Type Description
    2016-01-08 10:39:26 system crit 00015 Peer device 285184 in the Virtual
    Security Device group 0 changed state
    from init to primary backup.
    2016-01-08 10:39:25 system crit 00071 The local device 8497664 in the
    Virtual Security Device group (0)
    changed state from init to master,
    missing master.
    2016-01-08 10:39:21 system crit 00015 Peer device 285184 in the Virtual
    Security Device group 0 changed state
    from inoperable to init.
    2016-01-08 10:39:20 system crit 00070 The local device 8497664 in the
    Virtual Security Device group 0
    changed state from inoperable to init.
    2016-01-08 10:38:18 system crit 00015 Peer device 285184 in the Virtual
    Security Device group 0 changed state
    from undefined to inoperable.
    2016-01-08 10:38:17 system crit 00015 Peer device 285184 was discovered.
    2016-01-08 10:38:17 system crit 00075 The local device 8497664 in the
    Virtual Security Device group 0
    changed state from init to inoperable.
    2016-01-08 10:38:11 system crit 00015 NSRP: HA control channel change to
    ethernet0/0.
    Total entries matched = 8
    SSG140(M)->

     

    SSG140(M)-> get nsrp vsd-group all

    VSD group info:
    init hold time: 5
    heartbeat lost threshold: 3
    heartbeat interval: 1000(ms)
    master always exist: disabled
    group priority preempt holddown inelig master PB other members myself uptime
    0 50 yes 3 no myself 285184 00:27:25
    total number of vsd groups: 1
    Total iteration=3430,time=10316487,max=19781,min=88,average=3007

    vsd group id: 0, member count: 2, master: 8497664
    member information:
    ---------------------------------------------------------------------------------------------------------------------------
    group      unit_id       state                    prio    flag rto_peer hb     miss holddown        uptime
    ---------------------------------------------------------------------------------------------------------------------------
    0           285184      primary backup   100        0         0          1         0          3               00:27:24
    0           8497664    master                   50         2         0           0         0          3               00:27:25

    SSG140(M)->

     

     

    SSG140(M)-> get alarm security statistics
    TOTAL : 0
    ACTIVE : 0
    ACKED : 0
    AUTO ACKED : 0
    OVERWRITTEN : 0
    LOG EXCLUDED : 0

     

     

     

    [Screenshot: 1.PNG, <Entire screen>]

    [Screenshot: 2.PNG, <interface>]


    And, the network structure is like below.

    I configured like it. please refer..!

     

     

    4.JPG

     

     



  • 9.  RE: HA configuration, the reason as alarm event ?

    Posted 01-19-2016 23:45

    Is there anything else I could offer you?..

     



  • 10.  RE: HA configuration, the reason as alarm event ?

    Posted 01-20-2016 16:55

    Looking at the log messages I think there is still an issue here.

     

    2016-01-08 10:39:26 system crit 00015 Peer device 285184 in the Virtual
    Security Device group 0 changed state
    from init to primary backup.

    The state of primary backup instead of just "backup" does not appear to be normal operations and might be the cause of the alarm.  I didn't notice this till you posted that other message and I believe these KBs are the ones to check.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB7726

     

    This asks to confirm that the HA probe is not set.

     

    I would also check that your configurations are in sync

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB6359



  • 11.  RE: HA configuration, the reason as alarm event ?

    Posted 01-20-2016 23:33

    Steve,

     

    The PB (Primary Backup) state is normal -- http://kb.juniper.net/InfoCenter/index?page=content&id=KB5124&actp=search. All backup firewalls I've ever seen are in PB state. (With secondary interface via L2 device enabled.)

     

    The first link you included seems to point to an article that's in review and is not visible.

     

    Lastly, I believe OP is referring to the Alarm LED, not the HA LED. My observation is that the Alarm LED will come on any time an alarm-level event (or higher) shows up in the log, and the LED will remain lit up red while the log contains those messages, even if whatever problem said messages refer to has been resolved.

     

     - Nikolay



  • 12.  RE: HA configuration, the reason as alarm event ?

    Posted 01-21-2016 00:16

    Thank you, @nikolay.semov

     

    Thanks to you, I kept up with the definition about Primary Backup.

     

    However, I'm confused after seeing the URL you linked.

     

    Basically, dual protocol is using just "2" devices, for example, Active/Standby.

     

     

    So, I think that NSRP is also same meaning.

    In the URL, the sentence was appeared at Backup definition : if other devices are in Master or Primary Backup

    It means it is using 2 or more devices? even if it(NSRP) is dual? 

     

    Am I thinking incorrectly?

     

    Regards,

    plus,

    Do you think that its alarm is good status even though it indicated "critical".??

     



  • 13.  RE: HA configuration, the reason as alarm event ?

    Posted 01-21-2016 09:54

    Indeed, the wording does suggest you can have more than two firewalls in a cluster, but I haven't seen a mock or real-world setup with more than two firewalls, so I can't speak to that.

     

    As for your last question, I'm not sure what you're referring to.



  • 14.  RE: HA configuration, the reason as alarm event ?

    Posted 01-21-2016 18:18

    Thank you @nikolay.semov !!

    I think its syslog is not important when configuring HA kk

     

    Regards,



  • 15.  RE: HA configuration, the reason as alarm event ?

    Posted 01-21-2016 16:40

    I've fixed the link to the article above and I'll include it here

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB7726

     

    This seems to indicate these messages are repeated when this setting is not correct.

     

    I also note that the series of messages seems to repeat, so I am not convinced the issue is cleared.  But I could be wrong.  Perhaps manually clearing the alarm will keep the alarm light off and all is well.

     

    clear cluster led alarm

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB5394



  • 16.  RE: HA configuration, the reason as alarm event ?

    Posted 01-21-2016 18:19

    Thank you @spuluka,

    I think it is not important when configuring HA.

     

    Regards,



  • 17.  RE: HA configuration, the reason as alarm event ?

    Posted 01-20-2016 15:42

    As long as you have alarm level events in your log, the LED will be on. Even if you've resolved all issues related to the messages you see, the LED will be on. Even when the events are expected and harmless, the LED will be on.
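
Added example, not part of any post in this thread and not Juniper code: a Python sketch that rejoins the wrapped `get alarm event` lines pasted in post 8 and reports the newest NSRP state per unit next to the number of entries per severity still in the log. The regexes assume the line layout seen in this thread and that the CLI lists the newest entry first; the function names are hypothetical.

```python
import re
from collections import Counter

# Three entries from the "get alarm event" paste in post 8 (trimmed for length).
SAMPLE = """\
Date Time Module Level Type Description
2016-01-08 10:39:26 system crit 00015 Peer device 285184 in the Virtual
Security Device group 0 changed state
from init to primary backup.
2016-01-08 10:39:25 system crit 00071 The local device 8497664 in the
Virtual Security Device group (0)
changed state from init to master,
missing master.
2016-01-08 10:38:18 system crit 00015 Peer device 285184 in the Virtual
Security Device group 0 changed state
from undefined to inoperable.
Total entries matched = 3
"""

# Assumed layout: "<date> <time> <module> <level> <type> <description...>"
EVENT_START = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (\d{5}) (.*)$")
STATE_CHANGE = re.compile(
    r"(?:Peer|local) device (\d+) .*?changed state from (\w+) to ([\w ]+?)[.,]")

def parse_events(text):
    """Rejoin wrapped description lines into one record per log entry."""
    events = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = EVENT_START.match(line)
        if m:
            events.append(dict(zip(("time", "module", "level", "type", "desc"), m.groups())))
        elif events and line and not line.startswith("Total entries") and not line.endswith("->"):
            events[-1]["desc"] += " " + line   # continuation of the previous entry
    return events

def latest_states(events):
    """Newest NSRP state per unit id (assumes the CLI lists newest entries first)."""
    states = {}
    for ev in reversed(events):                # walk oldest -> newest
        m = STATE_CHANGE.search(ev["desc"])
        if m:
            states[m.group(1)] = m.group(3)
    return states

def level_counts(events):
    return Counter(ev["level"] for ev in events)  # entries per severity

print(latest_states(parse_events(SAMPLE)), dict(level_counts(parse_events(SAMPLE))))
```

On this sample the units end in master and primary backup while three crit entries remain in the log, which is the situation posts 11 and 17 describe for the Alarm LED.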