ScreenOS Firewalls (NOT SRX)
ScreenOS Firewalls (NOT SRX)

What happens to a cluster if NSRP monitored interfaces go down on both of them?

09.03.09   |  
‎09-03-2009 05:33 AM

So I've got a pair of firewalls in a cluster. I have NSRP interface monitoring with a weight of 255 on eth2/1 on both of the FWs in the cluster.

 

My question is if eth2/1 went physically down on both of them, what would happen? I know if it went down on one it would fail over b/c the one that is down would be ineligible, but you would think in this situation both FWs are ineligible since both monitored interfaces are down.

1 REPLY
ScreenOS Firewalls (NOT SRX)

Re: What happens to a cluster if NSRP monitored interfaces go down on both of them?

[ Edited ]
09.03.09   |  
‎09-03-2009 05:39 AM

your entire firewall system will stop passing traffic.  i found out about this the hard way, whilst in the process of an isp migration.  you can remedy it using 'master always exist', see the following kb article for details:

 

http://kb.juniper.net/KB8947

 

also, check out the following document as it details very well how to configure nsrp to make sure you avoid any of the pitfalls i came across when i inherited a cluster:

 

http://kb.juniper.net/KB9809

Message Edited by AndyT on 09-03-2009 05:41 AM
Message Edited by AndyT on 09-03-2009 05:44 AM