Screen OS

Hello

I got two clusters, ISG1000 and SSG550M. Clusters are connected directly (lack of switches / ports).

ISGs are connected by single HA link (plus secondary heartbeat only), control and data channels are same interface and up.

I enabled nsrp data forwarding and want to test it.

ISG1 / SSG1 are active for their VSDs0, ISG1/SSG1 is active for VSDs1, ISG2/SSG2 are active for VSDs2. Cluster are separete (different ID).

I set up routing at PC to red 1 as default gateway. I can ping SSG1 eth0:1 (through Red1 ISG1 ->SSG1), but I can't ping SSG2 eth0:2 (through Red1 ISG1 -> HA ->ISG2).

                        cluster1                  cluster2

                        ---------                ----------- 

        | -red1:1 -- ISG1  eht0/1:1 -- eth0:1  SSG1
        |               ---------                -----------

 PC --|  red1             |HA eth0/2               |HA eth1

        |                     |                            |

        |               ---------                -----------

        |- red1:2 -- ISG2  eth0/1:2 -- eth0:2  SSG2
                        ---------                -----------

On ISG1 I see:

get nsrp counters packet-forwarding 

packet forward send count: 4
packet forward received count: 0
packet forward dropped count: 0

On ISG2 I see:

get nsrp counters packet-forwarding 

packet forward send count: 0

packet forward received count: 0
packet forward dropped count:4

On ISG1 in debug nsrp packet-forward I see packet was sent to ISG2. 

Anyone knows why these packets are dropped? In debug nsrp packet-forward and debug flow basic at ISG2 I see nothing (empty). In debug nsrp all there is a lot, but nothing about source/destination address.

Same thing when I set routing at PC to red1:1.

Best Regards

Mateusz Grzesiak

Hi Makak,

Can you do the same test but instead of directly connect your devices , plug the cable int a L2 switch ( eht0/1:1 , eth0:1 , eth0/1:2 and  eth0:2 ).

Not any soon, this is remote location.

These devices ping eachother -  eth0/1:1 - eth0:1 and eth0/1:2 - eth0:2

What's on your mind with switch if you mind telling me? 🙂

You don t have a HA DATA Link in this case true ? I m afraid that the flow can't go until its destination in  your case , because the device are directly connected and there is no way to access directly to the interface.

You mean dedicated secondary HA link for passing data?

If I had the switch I wouldn't need HA data forwarding nor VSIs 😉

I thought from counters above, that in fact packets are sent through HA link, but dropped, not received.

Maybe one day I'll try to connect secondary HA link for data transmit and I'll test it.

Thank you anyway.

Best Regards 

Hi Makak

If you have only one HA link you loose the data forwarding i guess . Here is an explanation from the Juniper CE

... a failure of the data link results in one active HA link for
control messages only. If the control link fails on such devices, then the data link
becomes the control link and sends and receives control messages only ....

So in your case , there is certainly no data forwarding via HA link. 

It's quite misleading then:

get nsrp ha-link

probe on ha-link is enabled, interval 1s, threshold 5
control   channel: ethernet0/2 (ifnum: 24)  mac: 001bc064cd98 state: up(probe)
data      channel: ethernet0/2 (ifnum: 24)  mac: 001bc064cd98 state: up(probe)
secondary path channel: ethernet2/1 (ifnum: 21)  mac: 001bc064cd95 state: up(probe)

I'll set another port for HA then. Thank you very much.

Makak,

the output u pasted:

get nsrp ha-link

probe on ha-link is enabled, interval 1s, threshold 5
control   channel: ethernet0/2 (ifnum: 24)  mac: 001bc064cd98 state: up(probe)
data      channel: ethernet0/2 (ifnum: 24)  mac: 001bc064cd98 state: up(probe)
secondary path channel: ethernet2/1 (ifnum: 21)  mac: 001bc064cd95 state: up(probe)

this means you have 1 HA link that is acting as control and as data,

in juniper when u connect a gig interface as an HA even if it is only 1 interface it acts as a control chanel and as a data chanel at the same time, so adding an extra link wont do u any good..

data packets should work fine 

That's not quite true. You really should be using 2 links regardless. Using  a single link may render your firewall both thinking that the other has failed if the single HA link that you have fails. You theoretically inject a single point of failure in the environment. You should use 2 HA links.

To better distribute the out-of-band bandwidth, HA1 handles the NSRP control

messages while HA2 handles the network data messages. If either port fails on a

security device with gigabit HA1 and HA2 interfaces, the remaining active port

assumes both kinds of traffic. For security devices that must use a 100-megabit

interface for the data link, a failure of the data link results in one active HA link for

control messages only. If the control link fails on such devices, then the data link

becomes the control link and sends and receives control messages only.