ScreenOS Firewalls (NOT SRX)

ISG2000 High Availability issue

01-17-2019 11:44 PM

Hello experts,

We have a deployment of CoreFirewalls ISG2000 x 2 in HA. Recently I observed that the backup unit is giving a RED indication on the HA LED. I don't know much about the HA config, but it seems like something is wrong with the HA, and this light should normally be GREEN in colour.

My question is:

What does it mean and how could I troubleshoot this so that it turns GREEN?

Any troubleshooting commands?

Re: ISG2000 High Availability issue

01-17-2019 11:49 PM

Hi,

Please check https://kb.juniper.net/InfoCenter/index?page=content&id=KB22874&cat=SCREENOS&actp=LIST for details on the HA LED.

Can you paste the 'get nsrp' output from the device so we can check it?

 

Thanks,

Vikas

Re: ISG2000 High Availability issue

01-18-2019 12:09 AM

Hi Vikas,

Check the output below.

Also, the KB shows a RED indication means an inoperable state.

CORE-FIREWALL-1(M)-> get nsrp
nsrp version: 2.0

cluster info:
cluster id: 1, no name
local unit id: 9628416
active units discovered:
index: 0, unit id: 9628416, ctrl mac: 00268892eb16 , data mac: 00268892eb16
index: 1, unit id: 9693312, ctrl mac: 00268893e896 , data mac: 00268893e896
total number of units: 2

VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master PB other members myself uptime
0 50 yes 3 no myself none 9693312(inoperable) 01:46:05
total number of vsd groups: 1
Total iteration=6537,time=18700033,max=388640,min=921,average=2860

RTO mirror info:
run time object sync: enabled
route synchronization: enabled
ping session sync: enabled
coldstart sync done
nsrp data packet forwarding is enabled

nsrp link info:
control channel: ethernet2/2 (ifnum: 22) mac: 00268892eb16 state: up
data channel: ethernet2/2 (ifnum: 22) mac: 00268892eb16 state: up
ha secondary path link not available

NSRP encryption: disabled
NSRP authentication: disabled
device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
device based nsrp monitor interface:
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, disabled)
number of gratuitous arps: 4 (default)
config sync: enabled

track ip: disabled

Re: ISG2000 High Availability issue

01-18-2019 12:27 AM

Device seems to be in the inoperable state.
0     50       yes        3         no    myself none 9693312(inoperable) 01:46:05

Can you please get the below details from both devices, not only one:

get nsrp
get nsrp monitor (also included in 'get nsrp' output)
get nsrp monitor interface
get nsrp monitor zone
get config | include nsrp

Check 'get event' for 01:46:05 hours before to see if there are any details on why it went to the inoperable state.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB11451&actp=METADATA

Thanks,

Vikas

Re: ISG2000 High Availability issue

01-18-2019 02:18 AM

Hello Vikas,

I don't see anything suspicious at the mentioned time, as pasted below:

CORE-FIREWALL-1(M)-> get event | include 01:46:05
2019-01-18 01:46:05 system info 00536 IKE 10.50.66.45 Phase 2 msg ID
2019-01-18 01:46:05 system info 00536 IKE 10.50.66.45 phase 2:The symmetric
2019-01-18 01:46:05 system info 00536 IKE 10.50.66.45 Phase 2 msg ID

Also, the desired outputs are given below:

CORE-FIREWALL-1(M)-> get config | include nsrp
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp rto-mirror route
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 monitor interface ethernet1/1
set nsrp vsd-group id 0 monitor interface ethernet1/2

CORE-FIREWALL-1(M)-> get nsrp monitor
device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
device based nsrp monitor interface:
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, disabled)

CORE-FIREWALL-1(M)-> get nsrp monitor interface all
device based nsrp monitor interface:

VSD group 0 monitor interface: ethernet1/1(weight 255, UP) ethernet1/2(weight 255, UP)

CORE-FIREWALL-1(M)-> get nsrp monitor zone all
device based nsrp monitor zone:

VSD group 0 monitor zone:

Re: ISG2000 High Availability issue

01-18-2019 02:55 AM

Hi,

As I mentioned earlier, please check the data from both firewalls; the NSRP config is not synchronized. From the current snippet, this firewall is Master and seems to be working fine; however, the other firewall is in the inoperable state and needs to be checked:

local unit id: 9628416
group priority preempt holddown inelig master  PB       other members              myself uptime
0          50       yes             3              no     myself  none   9693312(inoperable)       01:46:05     <-- unit id of the other node.

Please check the same output on the other node:

get nsrp
get config | in nsrp
get event | nsrp or change or status

Thanks,

Vikas

Re: ISG2000 High Availability issue

01-18-2019 03:47 AM

OK, thanks. I will get the desired info and will share it for further troubleshooting.

Re: ISG2000 High Availability issue

01-21-2019 09:26 AM

Hello,

Check the output from the other node:

CORE-FIREWALL-2(I)-> get nsrp 
nsrp version: 2.0

cluster info:
cluster id: 1, no name
local unit id: 9693312
active units discovered: 
index: 0, unit id: 9693312, ctrl mac: 00268893e896 , data mac: 00268893e896
index: 1, unit id: 9628416, ctrl mac: 00268892eb16 , data mac: 00268892eb16
total number of units: 2

VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master PB other members myself uptime
0 100 no 3 no 9628416 none myself(inoperable) 07:09:23 
total number of vsd groups: 1
Total iteration=25764,time=75214168,max=388773,min=962,average=2919

RTO mirror info:
run time object sync: enabled
route synchronization: enabled
ping session sync: enabled
coldstart sync done
nsrp data packet forwarding is enabled

nsrp link info:
control channel: ethernet2/2 (ifnum: 22) mac: 00268893e896 state: up
data channel: ethernet2/2 (ifnum: 22) mac: 00268893e896 state: up
ha secondary path link not available

NSRP encryption: disabled
NSRP authentication: disabled 
device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
device based nsrp monitor interface: 
device based nsrp monitor zone: 
device based nsrp track ip: (weight: 255, disabled)
number of gratuitous arps: 4 (default)
config sync: enabled

track ip: disabled

CORE-FIREWALL-2(I)-> get config | include nsrp
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp rto-mirror route
set nsrp vsd-group id 0 priority 100
set nsrp vsd-group id 0 monitor interface ethernet1/1
set nsrp vsd-group id 0 monitor interface ethernet1/2

CORE-FIREWALL-2(I)-> get nsrp monitor interface all
device based nsrp monitor interface:

VSD group 0 monitor interface: ethernet1/1(weight 255, UP) ethernet1/2(weight 255, DOWN)

CORE-FIREWALL-2(I)-> get nsrp cluster
cluster id: 1, no name
local unit id: 9693312
active units discovered: 
index: 0, unit id: 9693312, ctrl mac: 00268893e896 , data mac: 00268893e896
index: 1, unit id: 9628416, ctrl mac: 00268892eb16 , data mac: 00268892eb16
total number of units: 2

CORE-FIREWALL-2(I)-> get nsrp rto-mirror

RTO mirror info:
run time object sync: enabled
route synchronization: enabled
ping session sync: enabled
coldstart sync done

In the above stats I found eth1/2 down, and after properly inserting the cable, it came UP.

Now I have the following questions:

1). Will the changes made on the Master (during the time back in the INOPERABLE state) be auto-copied to the Backup? Or does some manual command need to be run?

2). What's the track IP option used for? Do I need to track any IP?

3). What is the function of rto-mirror? What info does it give us?

4). I have another interface which I want to track/monitor. Do I need another VSD group?
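An added health check, example code that is not from this thread or from Juniper, which parses the two outputs the troubleshooting above relies on ('get nsrp' and 'get nsrp monitor interface all') and reports inoperable cluster members, DOWN monitored interfaces with their weights (to compare against the 255 threshold shown above), and the disabled NSRP encryption/authentication visible in both nodes' output. The sample inputs are constructed from the values posted in this thread; the `check_nsrp` function and its output keys are assumptions of this example.

```python
import re

# Constructed sample modelled on the backup node's 'get nsrp' output in this
# thread (CORE-FIREWALL-2), trimmed to the lines the checker reads.
GET_NSRP_BACKUP = """\
nsrp version: 2.0
local unit id: 9693312
group priority preempt holddown inelig master PB other members myself uptime
0 100 no 3 no 9628416 none myself(inoperable) 07:09:23
NSRP encryption: disabled
NSRP authentication: disabled
"""

# Constructed sample of 'get nsrp monitor interface all' from the same node.
GET_NSRP_MONITOR_BACKUP = """\
device based nsrp monitor interface:
VSD group 0 monitor interface: ethernet1/1(weight 255, UP) ethernet1/2(weight 255, DOWN)
"""

# VSD group row: group priority preempt holddown inelig master PB members... uptime
VSD_ROW = re.compile(
    r"^(\d+)\s+(\d+)\s+(yes|no)\s+(\d+)\s+(yes|no)\s+(\S+)\s+(\S+)\s+(.+?)\s+(\d\d:\d\d:\d\d)$"
)
IFACE = re.compile(r"(\S+?)\(weight (\d+), (UP|DOWN)\)")


def check_nsrp(get_nsrp: str, monitor_iface: str) -> dict:
    """Summarise NSRP health from two pasted ScreenOS CLI outputs."""
    findings = {"inoperable": [], "down_interfaces": [], "warnings": []}
    local_id = None
    for raw in get_nsrp.splitlines():
        line = raw.strip()
        if line.startswith("local unit id:"):
            local_id = line.split(":", 1)[1].strip()
        elif line.lower() in ("nsrp encryption: disabled", "nsrp authentication: disabled"):
            # HA traffic on the control/data channel is neither encrypted nor authenticated
            findings["warnings"].append(line)
        else:
            m = VSD_ROW.match(line)
            if m:
                # the 'other members' and 'myself' columns both land in group 8
                for tok in m.group(8).split():
                    if tok.endswith("(inoperable)"):
                        unit = tok[: -len("(inoperable)")]
                        findings["inoperable"].append(local_id if unit == "myself" else unit)
    for name, weight, state in IFACE.findall(monitor_iface):
        if state == "DOWN":
            findings["down_interfaces"].append((name, int(weight)))
    findings["healthy"] = not (findings["inoperable"] or findings["down_interfaces"])
    return findings
```

Run it against the outputs from both nodes: on the backup it reports its own unit id as inoperable and ethernet1/2 at weight 255 DOWN, which is the cable fault found above.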

Solution
Accepted by topic author AZkhan
01-22-2019 01:36 AM

Re: ISG2000 High Availability issue

01-21-2019 08:58 PM

1). Will the changes made on the Master (during the time back in the INOPERABLE state) be auto-copied to the Backup? Or does some manual command need to be run?

Vikas: Yes, nothing extra is needed to sync the config.

2). What's the track IP option used for? Do I need to track any IP?

Vikas: Track-ip is another mechanism to initiate failover. The device pings/probes a configured IP, and if that fails, failover is initiated.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB11357&actp=METADATA

https://www.juniper.net/documentation/software/screenos/screenos6.3.0/630_ce_HA.pdf

3). What is the function of rto-mirror? What info does it give us?

Vikas: https://kb.juniper.net/InfoCenter/index?page=content&id=KB7039&act=login

4). I have another interface which I want to track/monitor. Do I need another VSD group?

Vikas: Not needed if you are not using any other VSD except the default VSD 0.

Thanks,

Vikas

Re: ISG2000 High Availability issue

01-22-2019 01:47 AM

Thanks @

Is there any NetScreen command equivalent to ">request routing-engine login", or any other way to log in to the Backup node?

Re: ISG2000 High Availability issue

01-22-2019 01:51 AM

Unfortunately, there is no way to log in from one node to the other over the HA links. You need to have ip and manage-ip configured on the interfaces to access the Master and Backup node accordingly.

Thanks,

Vikas