Screen OS

 View Only
last person joined: 6 months ago 

This is a legacy community with limited Juniper monitoring.
  • 1.  ISG2000 High Availability issue

    Posted 01-17-2019 23:44

    Hello experts,

    We have a deployment of CoreFirewalls ISG2000 x 2 in HA. recently i observed that the backup unit is giving RED indication of HA LED. I don't know much about the HA config but it seems like something wrong with the HA and this light should be GREEN in colour normaly.

    My question is

    What does it mean and how could i troubleshoot this? so that it turns GREEN ?

    Any troubleshooting commands?

     


    #highavailability
    #netscreen
    #cluster
    #HA
    #ISG2000


  • 2.  RE: ISG2000 High Availability issue

    Posted 01-17-2019 23:49

    Hi

    Please check the https://kb.juniper.net/InfoCenter/index?page=content&id=KB22874&cat=SCREENOS&actp=LIST for details on the HA LED.

     

    Can you paste the 'get nsrp' output from the device to check it ?

     

    Thanks,

    Vikas



  • 3.  RE: ISG2000 High Availability issue

    Posted 01-18-2019 00:09

    Hi Vikas,

    Check the output

    Also KB shows RED indication means inoperable state. 

     

    CORE-FIREWALL-1(M)-> get nsrp
    nsrp version: 2.0

    cluster info:
    cluster id: 1, no name
    local unit id: 9628416
    active units discovered:
    index: 0, unit id: 9628416, ctrl mac: 00268892eb16 , data mac: 00268892eb16
    index: 1, unit id: 9693312, ctrl mac: 00268893e896 , data mac: 00268893e896
    total number of units: 2

    VSD group info:
    init hold time: 5
    heartbeat lost threshold: 3
    heartbeat interval: 1000(ms)
    master always exist: disabled
    group priority preempt holddown inelig master PB other members myself uptime
    0 50 yes 3 no myself none 9693312(inoperable) 01:46:05
    total number of vsd groups: 1
    Total iteration=6537,time=18700033,max=388640,min=921,average=2860

    RTO mirror info:
    run time object sync: enabled
    route synchronization: enabled
    ping session sync: enabled
    coldstart sync done
    nsrp data packet forwarding is enabled

    nsrp link info:
    control channel: ethernet2/2 (ifnum: 22) mac: 00268892eb16 state: up
    data channel: ethernet2/2 (ifnum: 22) mac: 00268892eb16 state: up
    ha secondary path link not available

    NSRP encryption: disabled
    NSRP authentication: disabled
    device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
    device based nsrp monitor interface:
    device based nsrp monitor zone:
    device based nsrp track ip: (weight: 255, disabled)
    number of gratuitous arps: 4 (default)
    config sync: enabled

    track ip: disabled

     



  • 4.  RE: ISG2000 High Availability issue

    Posted 01-18-2019 00:28

    Device seems to be in the inoperable state.
    0     50       yes        3         no    myself none 9693312(inoperable) 01:46:05

     

    Can you please get the below details from both the devices, not only one:

     

    get nesrp

    get nsrp monitor (also included in 'get nsrp' output)
    get nsrp monitor interface
    get nsrp monitor zone

    get config | include nsrp


    Check the 'get event' for 01:46:05 hours before if there is any details why it went to inoperable state.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB11451&actp=METADATA

     

    Thanks,

    Vikas



  • 5.  RE: ISG2000 High Availability issue

    Posted 01-18-2019 02:18

    Hello Vikas,

    I don't see anything suspecious at the mentioned time as pasted below

     

    CORE-FIREWALL-1(M)-> get event | include 01:46:05
    2019-01-18 01:46:05 system info 00536 IKE 10.50.66.45 Phase 2 msg ID
    2019-01-18 01:46:05 system info 00536 IKE 10.50.66.45 phase 2:The symmetric
    2019-01-18 01:46:05 system info 00536 IKE 10.50.66.45 Phase 2 msg ID

     

    Also desired outputs are geiven below 

    CORE-FIREWALL-1(M)-> get config | include nsrp
    set nsrp cluster id 1
    set nsrp rto-mirror sync
    set nsrp rto-mirror route
    set nsrp vsd-group id 0 priority 50
    set nsrp vsd-group id 0 preempt
    set nsrp vsd-group id 0 monitor interface ethernet1/1
    set nsrp vsd-group id 0 monitor interface ethernet1/2

    CORE-FIREWALL-1(M)-> get nsrp monitor
    device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
    device based nsrp monitor interface:
    device based nsrp monitor zone:
    device based nsrp track ip: (weight: 255, disabled)

     

    CORE-FIREWALL-1(M)-> get nsrp monitor interface all
    device based nsrp monitor interface:

    VSD group 0 monitor interface: ethernet1/1(weight 255, UP) ethernet1/2(weight 255, UP)

     

    CORE-FIREWALL-1(M)-> get nsrp monitor zone all
    device based nsrp monitor zone:

    VSD group 0 monitor zone:

     

     



  • 6.  RE: ISG2000 High Availability issue

    Posted 01-18-2019 02:55

    Hi,

     

    As I mentioned earlier please check the data from both the firewalls, NSRP config is not synchronized. From the current snippet, this firewall is Master and seems to be working fine however other firewall is in inoperable state and needs to be checked :

     

    local unit id: 9628416
    group priority preempt holddown inelig master  PB       other members              myself uptime
    0          50       yes             3              no     myself  none   9693312(inoperable)       01:46:05     <-- unit id of the other node .

     

    Please check the the same output on the other node:

     

    get nsrp

    get config | in nsrp

    get event   | nsrp    or  change  or status

     

    Thanks,

    Vikas

     



  • 7.  RE: ISG2000 High Availability issue

    Posted 01-18-2019 03:48

    Ok thanks,  i will get the desired info and will share it for further troubleshooting. 



  • 8.  RE: ISG2000 High Availability issue

    Posted 01-21-2019 09:27

    Hello

     

    Check the output from another Node 

     

    CORE-FIREWALL-2(I)-> get nsrp 
    nsrp version: 2.0

    cluster info:
    cluster id: 1, no name
    local unit id: 9693312
    active units discovered: 
    index: 0, unit id: 9693312, ctrl mac: 00268893e896 , data mac: 00268893e896
    index: 1, unit id: 9628416, ctrl mac: 00268892eb16 , data mac: 00268892eb16
    total number of units: 2

    VSD group info:
    init hold time: 5
    heartbeat lost threshold: 3
    heartbeat interval: 1000(ms)
    master always exist: disabled
    group priority preempt holddown inelig master PB other members myself uptime
    0 100 no 3 no 9628416 none myself(inoperable) 07:09:23 
    total number of vsd groups: 1
    Total iteration=25764,time=75214168,max=388773,min=962,average=2919

    RTO mirror info:
    run time object sync: enabled
    route synchronization: enabled
    ping session sync: enabled
    coldstart sync done
    nsrp data packet forwarding is enabled

    nsrp link info:
    control channel: ethernet2/2 (ifnum: 22) mac: 00268893e896 state: up
    data channel: ethernet2/2 (ifnum: 22) mac: 00268893e896 state: up
    ha secondary path link not available

    NSRP encryption: disabled
    NSRP authentication: disabled 
    device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
    device based nsrp monitor interface: 
    device based nsrp monitor zone: 
    device based nsrp track ip: (weight: 255, disabled)
    number of gratuitous arps: 4 (default)
    config sync: enabled

    track ip: disabled

     

    CORE-FIREWALL-2(I)-> get config | include nsrp
    set nsrp cluster id 1
    set nsrp rto-mirror sync
    set nsrp rto-mirror route
    set nsrp vsd-group id 0 priority 100
    set nsrp vsd-group id 0 monitor interface ethernet1/1
    set nsrp vsd-group id 0 monitor interface ethernet1/2

     

    CORE-FIREWALL-2(I)-> get nsrp monitor interface all 
    device based nsrp monitor interface:

    VSD group 0 monitor interface: ethernet1/1(weight 255, UP) ethernet1/2(weight 255, DOWN)

     

    CORE-FIREWALL-2(I)-> get nsrp cluster 
    cluster id: 1, no name
    local unit id: 9693312
    active units discovered: 
    index: 0, unit id: 9693312, ctrl mac: 00268893e896 , data mac: 00268893e896
    index: 1, unit id: 9628416, ctrl mac: 00268892eb16 , data mac: 00268892eb16
    total number of units: 2

     

    CORE-FIREWALL-2(I)-> get nsrp rto-mirror

    RTO mirror info:
    run time object sync: enabled
    route synchronization: enabled
    ping session sync: enabled
    coldstart sync done

     

    In above stats i have found eth1/2 down, and after properly inserting the cable, it came UP.

    Now i have following questions

    1). Will the changes made on Master( during the time back in INOPERABLE state)  be auto copied to Backup ? or some manual command needs to be run?

    2). What's the track IP option used for? do i need to track any IP? 

    3). What is the function of rto-mirror? what info it gives us ?

    4). I have another interface which i want to track/monitor, Do i need another VSD group? 



  • 9.  RE: ISG2000 High Availability issue
    Best Answer

    Posted 01-21-2019 20:58

     

    1). Will the changes made on Master( during the time back in INOPERABLE state)  be auto copied to Backup ? or some manual command needs to be run?

    Vikas : Yes, nothing extra needed to sync the config.

     

    2). What's the track IP option used for? do i need to track any IP? 

    Vikas: Track-ip is another mechanism to initiate failover if it fails. Device pings/probes a configured IP and if fails then failover is initiated.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB11357&actp=METADATA

    https://www.juniper.net/documentation/software/screenos/screenos6.3.0/630_ce_HA.pdf

     

    3). What is the function of rto-mirror? what info it gives us ?

    Vikas: https://kb.juniper.net/InfoCenter/index?page=content&id=KB7039&act=login

     

    4). I have another interface which i want to track/monitor, Do i need another VSD group? 

    Vikas : Not needed if you are not using any other vsd except default vsd 0 .

     

    Thanks,

    Vikas



  • 10.  RE: ISG2000 High Availability issue

    Posted 01-22-2019 01:47

    Thanks @ 

    Is there any netscreen command  equivalent to " >request routing-engine login " , or any other way to login to Backup node. 



  • 11.  RE: ISG2000 High Availability issue

    Posted 01-22-2019 01:51

    Unfortunately, there is no way to login from one node to other over the HA links. You need to have ip, manage-ip configured on the interfaces to access Master and backup bode accordingly.

     

    Thanks,

    Vikas