NSRP

=Basics=


 * Non-Propagating NSRP config components:


 * What is a VSD-less NSRP cluster?


 * If an Active/Passive firewall pair is running a dynamic routing protocol, an NSRP VSD-less cluster can be configured.
 * VSD-less NSRP clusters separate the failover component of NSRP from session synchronization.
 * VSD-less NSRP clusters use individual, unique interfaces, so each device can establish routing adjacencies on its own.
 * This avoids the problem of re-establishing adjacencies when a failover occurs.


 * What is HA Probe?

Source: juniper.net
 * The HA link probe is a function used for determining the health of an HA link.
 * By default, the physical state of the HA link is used to determine whether heartbeats should be sent and expected on the link.
 * When the physical state of the first HA link goes down, NSRP control messages begin to be exchanged on the second HA link.
 * This assumes that the firewalls are connected back to back, which is not always the case.
 * If there is an intermediate switching layer, the physical links can sometimes remain up while heartbeats cannot be received.
 * In this scenario, by default, both devices will attempt to become the master (split brain), and connectivity problems will likely result.
 * To address this, the HA link probe adds a logical connectivity test to the HA links so that if such a failure occurs, heartbeat messages first fail over to the second HA link.
 * Configure the HA probe feature ONLY IF the HA links are connected through a layer 2 switch.


 * What is Secondary path?

Source: juniper.net
 * Secondary path is essentially a third NSRP HA link, used to elect a VSD-Group master if for some reason both dedicated HA links fail.
 * The secondary path differs from the standard HA interfaces in that only Hello packets are sent on it, to elect a master.
 * It is meant to prevent split brain and nothing more.
 * It uses a forwarding interface, so it is recommended that message authentication and encryption be enabled, as messages will travel over a shared interface.
 * You must configure the auth and encrypt settings on each device.
 * The secondary path itself is a forwarding interface that acts as the failsafe in cases where all HA links are down.
 * The secondary path is not used for synchronization of RTOs, however, and is invoked only after multiple failovers.
 * When invoked, a master is elected, and no RTOs are synchronized until an HA link is restored.


 * What are various NSRP states?

Source: juniper.net

For all of the state transitions below, the NSRP Hello message is used.


 * UNDEFINED:
 * This occurs when the remote NSRP peer is not configured with the corresponding VSD-Group, or when the local device cannot obtain the remote peer's VSD status via the HA link.


 * INIT:


 * This occurs when the device has just booted up and has sent an NSRP Hello through the HA link to discover whether any devices exist for the VSD-Group.
 * This should be a very short period.
 * It will transition to a different state (starting with Backup) after the timer expires.


 * BACKUP:


 * In this state the unit checks whether there are other devices in the VSD-Group and what their states are. If another device is Master or Primary Backup, it stays in this state; otherwise the election process occurs.


 * PB (Primary Backup):


 * After the election process, the device becomes Primary Backup if another device already exists as MASTER for the VSD-Group.


 * MASTER:


 * After the election process, based on priority and preempt, the device becomes MASTER if no other device is MASTER for the VSD-Group.
 * This is the only state in which the unit is active and traffic is passed through the firewall.
 * In all other states the unit stays inactive.


 * INELIGIBLE:


 * This is the state in which an administrator forces the device not to participate in the election process and to stay inactive for the VSD-Group.
 * The command to put the device in this state is "exec nsrp vsd-group  mode ineligible"


 * INOPERABLE:


 * This is the state in which one of the monitored objects for the VSD-Group has failed; the monitored object can be a Track-IP, an interface or a zone.
 * This state prevents the device from participating in the election process, and the device stays inactive.

=Active-Backup=


 * NSRP Active/Backup configuration should preferably be done using VSD-Group 0; otherwise, manually add the interfaces to the other VSD-Group.

 * What is Split Brain? How to resolve it?

When firewalls running NSRP lose connectivity to each other, both firewalls may become the Master of the same VSD Group at the same time. This condition is known as split brain. Split brain is a highly undesirable condition, as it may cause intermittent or complete outage of traffic flow. To resolve the split brain issue, you must ensure that at least one HA link connection is restored, which will allow the exchange of NSRP hello messages or heartbeats.

Steps to prevent split brain:
 * Configure NSRP with 2 dedicated HA links.
 * Configure the HA probe feature ONLY IF the HA links are connected through a layer 2 switch.
 * Configure a secondary path, which is essentially a third NSRP HA link to be used to elect a VSD-Group master if for some reason both dedicated HA links were to fail.

 * What is No Brain scenario? How to resolve it?

If NSRP monitoring is enabled, it may be possible for both NSRP peers to become 'Inoperable' (e.g. a target "track-ip" host is shut down and becomes unreachable by both NSRP peers, or a shared switch to a DMZ zone fails, causing interface tracking to trip on both NSRP peers). In that event, all traffic required to cross the cluster would be impacted, even though only a portion of the network may be unreachable. Enabling the master-always-exist option ensures that the cluster remains available and traffic continues to flow:

set nsrp vsd-group master-always-exist

=Active-Active=

Basics

Benefits:
 * Load sharing
 * Routing flexibility

Pitfalls:
 * Complex to design
 * Data path forwarding may affect performance
 * No dynamic route synchronization

Note: Total number of sessions are divided between two firewalls in an Active/Active configuration and cannot exceed the capacity of a single security device (otherwise, during failover, the excess sessions will be lost).


 * Steps to configure Active-Active NSRP:

1. unset vsd-group 0
2. Create vsd-group 1 & 2 in the cluster
3. Enable tracking methods like interface monitoring and path monitoring
4. Set the VSIs: by default, all interfaces are part of VSD-group 0, so create a VSI to bind the interface to a VSD group
5. Set the routes


 * How Active-Active NSRP works:

=Troubleshooting=

 * Command to check NSRP Sync Config only:

get config global


 * Track-IP in NSRP requires manage IPs in the untrust zone too, from the same subnet. Instead of 1 public IP you need 3 public IPs.


 * If 2 sets of ScreenOS firewall HA clusters use the same interfaces and the same cluster ID, they will generate the same virtual MAC, so packet delivery will fail in the same LAN.

 * Forcing a Device from Master to Backup Device in NSRP:

If the preempt option is enabled: exec nsrp vsd-group 0 mode ineligible

If the preempt option is not enabled: exec nsrp vsd-group 0 mode backup


 * To change the state of the firewall from ineligible to backup (or to make the firewall eligible to be backup):

exec nsrp vsd-group 0 mode backup


 * Use of the NSRP HA Probe command when the firewall HA links are directly connected can cause the NSRP cluster to appear as if the HA connection is flapping.

Source: juniper.net

 * How do you tell if the firewall VSD is in the ineligible state?

Source: juniper.net
 * 'get nsrp' output reports 'myself (ineligible)' when the VSD is ineligible.
 * If the firewall prompt has a (I), it means the firewall is in the Inoperable state.

ssg550(B)-> get nsrp                  <--- note that the firewall prompt is not (I)
nsrp version: 2.0

cluster info:
cluster id: 1, no name
local unit id: 10923520               <--- note the local unit ID of this firewall
active units discovered:
index: 0, unit id: 10923520, ctrl mac: 00121ea6ae07, data mac: 00121ea6ae07
index: 1, unit id:  8345472, ctrl mac: 0005857f5787, data mac: 0005857f5787
total number of units: 2
(snip)
group priority preempt holddown inelig   master       PB other members
    0      100      no        3     no  8345472     none myself(ineligible)  <---
total number of vsd groups: 1
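The split-brain and no-brain conditions described under Active-Backup, and the ineligible and inoperable indicators in the 'get nsrp' output above, can all be checked mechanically once 'get nsrp' has been collected from both cluster members. The following Python is an added example written for this page, not ScreenOS or Juniper code: it parses the prompt flag, the local unit id and the VSD-group table, then reports two units claiming master (split brain), no master at all (no brain), 'myself(ineligible)' rows and an (I) prompt. The sample outputs are constructed to follow the layout above; the hostnames and unit ids are made up, and the (M) prompt letter for a master unit is an assumption.

```python
"""Assess NSRP cluster health from 'get nsrp' output of every member.

Added example, not ScreenOS/Juniper code. Sample outputs are constructed.
"""
import re
from dataclasses import dataclass, field

# Prompt letters the page documents: (B) backup, (I) inoperable.
# (M) for the master unit is an assumption used only in the samples below.
PROMPT_RE = re.compile(r"^(?P<host>\S+?)\((?P<flag>[A-Z])\)->")
LOCAL_ID_RE = re.compile(r"local unit id:\s*(\d+)")
# Table columns: group priority preempt holddown inelig master PB other-members
GROUP_RE = re.compile(
    r"^\s*(?P<gid>\d+)\s+(?P<prio>\d+)\s+(?P<preempt>yes|no)\s+(?P<hold>\d+)"
    r"\s+(?P<inelig>yes|no)\s+(?P<master>\S+)\s+(?P<pb>\S+)\s*(?P<others>.*?)\s*$"
)


@dataclass
class NsrpView:
    host: str
    flag: str                                   # prompt letter
    local_id: str = ""
    groups: dict = field(default_factory=dict)  # gid -> (master, pb, others)


def parse_get_nsrp(text):
    """Parse one unit's 'get nsrp' output; '<---' annotations are ignored."""
    view = None
    for raw in text.splitlines():
        line = raw.split("<---")[0].rstrip()
        m = PROMPT_RE.match(line)
        if m:
            view = NsrpView(m["host"], m["flag"])
            continue
        if view is None:
            continue
        m = LOCAL_ID_RE.search(line)
        if m:
            view.local_id = m[1]
            continue
        m = GROUP_RE.match(line)  # the header row starts with letters, so it never matches
        if m:
            view.groups[int(m["gid"])] = (m["master"], m["pb"], m["others"])
    return view


def assess(views):
    """Return (severity, message) findings. Every member must be in `views`:
    a unit that could not be polled would otherwise look like a missing master."""
    findings = []
    for gid in sorted({g for v in views for g in v.groups}):
        rows = {v.host: v.groups.get(gid, ("none", "none", "")) for v in views}
        masters = [h for h, (master, _, _) in rows.items() if master == "myself"]
        if len(masters) > 1:
            findings.append(("CRITICAL", f"vsd-group {gid}: split brain, "
                             f"{' and '.join(masters)} both claim master"))
        elif not masters:
            findings.append(("CRITICAL", f"vsd-group {gid}: no master elected (no brain)"))
        for host, (_, _, others) in rows.items():
            if "myself(ineligible)" in others:
                findings.append(("WARN", f"{host}: vsd-group {gid} is ineligible"))
    for v in views:
        if v.flag == "I":
            findings.append(("WARN", f"{v.host}: prompt shows (I), unit is inoperable"))
    return findings


def sample(host, flag, unit_id, master, pb, others=""):
    """Constructed 'get nsrp' excerpt for one unit, in the layout shown above."""
    return "\n".join([
        f"{host}({flag})-> get nsrp",
        "nsrp version: 2.0",
        "cluster info:",
        "cluster id: 1, no name",
        f"local unit id: {unit_id}",
        "group priority preempt holddown inelig   master       PB other members",
        f"    0      100      no        3     no {master:>8} {pb:>8} {others}",
        "total number of vsd groups: 1",
    ])


# Constructed scenarios; hostnames and unit ids are made up.
SAMPLES = {
    "healthy":     [sample("fwA", "M", "8345472", "myself", "10923520"),
                    sample("fwB", "B", "10923520", "8345472", "myself")],
    "ineligible":  [sample("fwA", "M", "8345472", "myself", "none", "10923520(ineligible)"),
                    sample("fwB", "B", "10923520", "8345472", "none", "myself(ineligible)")],
    "split_brain": [sample("fwA", "M", "8345472", "myself", "none"),
                    sample("fwB", "M", "10923520", "myself", "none")],
    "no_brain":    [sample("fwA", "I", "8345472", "none", "none"),
                    sample("fwB", "I", "10923520", "none", "none")],
}


def assess_sample(name):
    return assess([parse_get_nsrp(t) for t in SAMPLES[name]])


if __name__ == "__main__":
    for name in SAMPLES:
        print(name, assess_sample(name) or "OK")
```

The checks only look at what 'get nsrp' exposes; they do not replace restoring an HA link (split brain) or enabling master-always-exist (no brain), they just tell you which of the two you are looking at.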

=Lab=

Active-Active NSRP Setup

 * Step 1: Cluster and VSD Groups config:

Device A:
set nsrp cluster id 1
unset nsrp vsd-group id 0
set nsrp vsd-group id 1 priority 1
set nsrp vsd-group id 1 preempt hold-down 10
set nsrp vsd-group id 1 preempt
set nsrp vsd-group id 2
set nsrp vsd-group id 1
set nsrp monitor int eth1/2
set nsrp monitor int eth2/1
set nsrp rto-mirror sync
save

Device B:
set nsrp cluster id 1
unset nsrp vsd-group id 0
set nsrp vsd-group id 2 priority 1
set nsrp vsd-group id 2 preempt hold-down 10
set nsrp vsd-group id 2 preempt
set nsrp vsd-group id 1
set nsrp monitor int eth1/2
set nsrp monitor int eth2/1
set nsrp secondary-path ethernet2/1
set nsrp rto-mirror sync
save

Both firewalls are in a cluster now; all subsequent commands need to be run on the active device only.


 * Step 2: VSI Config (Virtual Security Interfaces):

set int ethernet1/2 zone untrust
set int ethernet1/2:1 ip 20.1.1.1/24
set int ethernet1/2:2 ip 20.1.1.2/24
set int ethernet2/1 zone trust
set int ethernet2/1:1 ip 10.1.1.1/24
set int ethernet2/1:2 ip 10.1.1.2/24

By default, all the interfaces are a part of VSD-group 0. We need to create a VSI to bind the interface to a VSD group.


 * Step 3: Set the routes:

set vrouter trust-vr route 0.0.0.0/0 interface ethernet1/2:1 gateway 20.1.1.254
set vrouter trust-vr route 0.0.0.0/0 interface ethernet1/2:2 gateway 20.1.1.254
save

Active-Backup NSRP Setup
=References=