Destination
This article provides information about the various options that can be used to manually fail over an NSRP firewall cluster from one device to another.
Symptoms
Information about the various options that can be used to manually fail over an NSRP firewall cluster from one device to another.
Solution
Option 1 - Force the current primary to become the backup:
Use the exec nsrp vsd-group <group ID> mode backup command. This command must be run on the current Primary firewall. It forces the Primary to become the Backup, which in turn forces the Backup to become the Primary. To return the previous Primary to the Primary state, repeat the process by running the same command on the new Primary.
Note: Make sure that the original Primary device does not have NSRP preempt enabled; otherwise, it will automatically become the Primary again if its NSRP priority is lower (=better) than the NSRP priority on the other device.
For example:
cluster:nsisg2000(M)-> exec nsrp vsd-group 0 mode backup
inactive
Start deactivate session (vsd=0) ...
7 sessions deactivated
cluster:nsisg2000(B)->
Option 2 - Force the current Primary to become ineligible:
Use the exec nsrp vsd-group 0 mode ineligible command. This command isolates the firewall from the cluster: the device remains manageable but cannot pass traffic. For example:
cluster:nsisg2000(M)-> exec nsrp vsd-group <group ID> mode ineligible
To bring the device back into the cluster, re-initialize the firewall with the following command:
cluster:nsisg2000(I)-> exec nsrp vsd-group <group ID> mode init
Option 3 - Interface failure/Track-IP failure:
If the firewall is monitoring an IP address via Track-IP, or is monitoring the status of the firewall interfaces, it is possible to cause a failover by either bringing down a monitored interface or making the Track-IP target unreachable. This changes the NSRP state of the firewall to Inoperable, which forces the primary backup to promote itself to the Primary state. An interface can be forced into the down state, without physically disconnecting it, by using the following command:
cluster:nsisg2000(M)-> set interface <interface name> phy link-down
To undo this command, use the following command:
cluster:nsisg2000(M)-> unset interface <interface name> phy link-down
After bringing the interface to the Up state again, the firewall will become the primary backup, if NSRP preempt is not configured on the device.
Option 4 - Increase the priority on the backup firewall:
If preempt is enabled in the cluster, increase the priority of the backup firewall so that it automatically becomes the Primary of the cluster as soon as the NSRP election is completed. Preempt can be enabled on the device that you want to bring up as Primary of the VSD-group.
To enable preempt on the backup device:
cluster:nsisg2000(B)-> set nsrp vsd-group <group ID> preempt
To increase the priority of a firewall in a VSD-group:
cluster:nsisg2000(B)-> set nsrp vsd-group <group ID> priority <number between 0 - 250>
Note: Assign a priority value that is lower than the priority of the preferred primary backup.
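The preempt and priority notes in Options 1, 3 and 4 determine whether a manual failover holds or is reversed. The following Python model is an added example, not Juniper code: it is a simplified two-state election built only from the rules stated in this article (lower number = better priority; a device with preempt and a better priority takes the Primary role). It ignores hold-down timers and tie-breakers, and the node names and priorities are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class Node:
    name: str
    priority: int   # lower number = better priority (per the notes in this article)
    preempt: bool
    state: str      # "primary", "backup", "ineligible" or "inoperable"

def settle(nodes):
    """Run the simplified election and return the name of the resulting Primary."""
    eligible = [n for n in nodes if n.state in ("primary", "backup")]
    if not eligible:
        return None
    primary = next((n for n in eligible if n.state == "primary"), None)
    if primary is None:  # Primary left the group: promote the best remaining Backup
        primary = min(eligible, key=lambda n: n.priority)
    # Preempt: a Backup with preempt set and a strictly better priority takes over.
    rivals = [n for n in eligible if n.preempt and n.priority < primary.priority]
    if rivals:
        primary = min(rivals, key=lambda n: n.priority)
    for n in eligible:
        n.state = "primary" if n is primary else "backup"
    return primary.name

def set_state(nodes, name, state):
    """Options 2 and 3: 'ineligible', 'inoperable' (link-down) or 'backup' (init / link up)."""
    next(n for n in nodes if n.name == name).state = state
    return settle(nodes)

def step_down(nodes, name):
    """Option 1: 'mode backup' on the Primary; the best Backup is promoted first."""
    backups = [n for n in nodes if n.state == "backup" and n.name != name]
    if backups:  # with no Backup to promote, this model leaves the roles unchanged
        min(backups, key=lambda n: n.priority).state = "primary"
        next(n for n in nodes if n.name == name).state = "backup"
    return settle(nodes)

def cluster(a_preempt):
    # Constructed two-node cluster; names and priorities are sample values.
    return [Node("fw-a", 50, a_preempt, "primary"), Node("fw-b", 100, False, "backup")]

if __name__ == "__main__":
    print(step_down(cluster(False), "fw-a"))  # failover holds on the other node
    print(step_down(cluster(True), "fw-a"))   # original Primary preempts back
```

Running the model against the intended preempt and priority settings before a maintenance window shows whether the chosen option leaves the cluster on the expected device.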
Modification History
2019-05-30: Added Option 4 to solution.