Screen OS

  • 1.  NSRP setup cannot reach shared IP

    Posted 10-31-2012 06:39

    All,

    I have two firewalls in a HA nsrp setup using the following commands:

    set int eth0/2 zone HA
    set nsrp cluster id 1
    set nsrp cluster name <Hostname>
    set nsrp rto-mirror sync
    set nsrp vsd-group id 0 priority 50
    set nsrp vsd-group id 0 preempt

    and

    set int eth0/2 zone HA
    set nsrp cluster id 1
    set nsrp cluster name <Hostname>
    set nsrp rto-mirror sync
    set nsrp vsd-group id 0 preempt

    I have a shared IP on the interface and manage-ip addresses on the firewalls individually in this setup:

    x.x.x.65: Firewall A manage-ip
    x.x.x.66: NSRP Shared IP
    x.x.x.67: Firewall B manage-ip

    Ok, now I can get to 65 and 67 but I cannot reach 66. I have used this configuration for a large number of firewalls, but on about 25% of them I cannot reach the shared IP (which normally goes to the current nsrp master device).

    Thoughts?



  • 2.  RE: NSRP setup cannot reach shared IP

    Posted 10-31-2012 08:07

    In our setup we have:

    set interface ethernet0/0 ip 1.1.1.1/24
    set interface ethernet0/0 manage-ip 1.1.1.2
    set interface ethernet0/0 ip manageable

    We are able to ping both the virtual ip and the manage-ip.

    I would do debugs if you still see issues.

    Regards,

    Sam



  • 3.  RE: NSRP setup cannot reach shared IP

    Posted 10-31-2012 08:49

    Yes, the interfaces are set to ip manageable. I can run some debugs on it. Do you have any suggestion where to start?

    George



  • 4.  RE: NSRP setup cannot reach shared IP
    Best Answer

    Posted 10-31-2012 08:55

    Hi George,

    I would do this (first making sure the cpu isn't too busy -- say, > 50%: "get perf cpu all detail"):

    unset ff (repeat until 'invalid id')
    set ff src-ip y.y.y.y dst-ip x.x.x.66  (where y.y.y.y is the IP you're pinging from)
    set ff src-ip x.x.x.66 dst-ip y.y.y.y
    debug flow basic
    snoop filter delete
    snoop filter ip src-ip y.y.y.y dst-ip x.x.x.66
    snoop filter ip src-ip x.x.x.66 dst-ip y.y.y.y
    snoop (y for yes)
    clear db

    *** start to ping x.x.x.66 ***

    undebug all
    get db stream

    I would look to see if icmp request/replies are both received/sent by the firewall. And if so, double-check the MAC addresses of the packets. This set of debugs will also tell us if the firewall is dropping the packet.

    Regards,

    Sam
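    To make the "request received / reply sent / packet dropped" check above repeatable, here is an added Python helper that is not part of this thread: it walks a captured "get db stream" buffer, counts ICMP echo requests toward the shared IP and echo replies from it, and collects any "packet dropped" reasons. The flow-summary line layout and the two sample buffers are constructed approximations of ScreenOS debug flow output, not device captures; the client address 10.1.1.5 and shared IP 10.1.1.66 are assumed.

```python
import re

# Constructed samples modelled on ScreenOS "get db stream" output after
# "debug flow basic". Only the flow summary line (src/port->dst/port,proto(type/code))
# and "packet dropped" lines are parsed; banner lines are ignored.
GOOD_DB = """\
****** 1031.0: <Trust/ethernet0/2> packet received [84]******
  ethernet0/2:10.1.1.5/512->10.1.1.66/1,1(8/0)<Root>
  routed (x_dst_ip 10.1.1.66) from ethernet0/2 (ethernet0/2 in 0) to self
****** 1031.1: <Trust/ethernet0/2> packet received [84]******
  ethernet0/2:10.1.1.66/512->10.1.1.5/1,1(0/0)<Root>
"""
BAD_DB = """\
****** 1032.0: <Trust/ethernet0/2> packet received [84]******
  ethernet0/2:10.1.1.5/512->10.1.1.66/1,1(8/0)<Root>
  packet dropped, illustrative drop reason
"""

FLOW_RE = re.compile(
    r"^\s*(?P<ifc>\S+?):(?P<src>[\d.]+)/\d+->(?P<dst>[\d.]+)/\d+,"
    r"(?P<proto>\d+)\((?P<type>\d+)/(?P<code>\d+)\)")
DROP_RE = re.compile(r"packet dropped[,:]?\s*(?P<reason>.*)")


def diagnose(db_text, shared_ip, client_ip):
    """Count ICMP echo requests to / replies from shared_ip and collect drop reasons."""
    result = {"requests_in": 0, "replies_out": 0, "drops": []}
    for line in db_text.splitlines():
        m = FLOW_RE.match(line)
        if m and m["proto"] == "1":  # protocol 1 = ICMP; type 8 = echo request, 0 = echo reply
            if m["src"] == client_ip and m["dst"] == shared_ip and m["type"] == "8":
                result["requests_in"] += 1
            elif m["src"] == shared_ip and m["dst"] == client_ip and m["type"] == "0":
                result["replies_out"] += 1
            continue
        d = DROP_RE.search(line)
        if d:
            result["drops"].append(d["reason"].strip())
    if result["requests_in"] == 0:
        result["verdict"] = "no echo request reached the firewall: check the path and ARP/MAC toward the shared IP"
    elif result["replies_out"] == 0:
        result["verdict"] = "request received but no reply seen: firewall dropped it (see drops) or the shared IP is not active on this unit"
    else:
        result["verdict"] = "request and reply both seen: verify MAC addresses and the return path on the client side"
    return result


if __name__ == "__main__":
    print(diagnose(GOOD_DB, "10.1.1.66", "10.1.1.5"))
    print(diagnose(BAD_DB, "10.1.1.66", "10.1.1.5"))
```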



  • 5.  RE: NSRP setup cannot reach shared IP

    Posted 11-04-2012 03:01

    Hi,

    Can you paste the config for xx.66 from primary and secondary as well?

    You must be able to reach xx.66. That will be the ip where the traffic will be redirected. Also, a flow filter will be a good help.

    Just make sure the default gateway on the pc is .66, the route is up and management is enabled.