
Basic NSRP Active/Active Setup

[KB11402]

SUMMARY:
This article describes how to set up an HA pair with a simple Active/Active configuration.

PROBLEM OR GOAL:
This article addresses the following:
A. Active/Active Overview
B. Basic Configuration Example
C. Active/Active Articles and References

CAUSE:
SOLUTION:
A. Active/Active Overview

ScreenOS allows you to configure your Juniper firewall HA cluster as Active/Active. Although Active/Passive is the most common
implementation, the Active/Active implementation has the following pros and cons:

Pros:
 - Load sharing: each member is master of one VSD group and forwards that group's traffic.
 - Routing flexibility: each VSD group has its own VSIs and routes, so traffic can be steered per group.

Cons:
 - Complex to design.
 - Data path forwarding may affect performance: a packet that arrives on the member which is not master of the session's VSD group is forwarded to the other member over the HA data link, which costs throughput.
 - No dynamic route synchronization: routes learned by a dynamic routing protocol are not synchronized between the members.

Note: For an overview of NSRP Active/Active, refer to Chapter 1 of the following technical documentation:
Concepts & Examples ScreenOS Reference Guide -- Volume 11: High Availability
Chapter 1
ScreenOS 5.4 - Volume 11 - High Availability

ScreenOS 6.0 - Volume 11 - High Availability


B. Basic Configuration Example
In an Active/Active setup, Firewall-A is the master for one VSD group, such as VSD group 0, and Firewall-B is the master for the other
VSD group, such as VSD group 1. When Firewall-A fails, Firewall-B becomes the master for both VSD groups and carries 100% of the
traffic; because the sessions are mirrored between the members, no sessions are lost. For this to hold, the total number of sessions on
both firewalls at any given time must not exceed the maximum number of sessions a single firewall can handle.
Note: VSI interfaces of VSD group 0 look like normal (non-VSI) interfaces when administering the firewall, which is confusing. We
therefore suggest unsetting vsd-group 0 and using vsd-groups 1 and 2 for an Active/Active NSRP configuration.
Sample Configuration:
1. Set the cluster and VSD groups. This step involves the following:
 - Creating an NSRP cluster, which automatically creates VSD group 0. To avoid confusion we 'unset nsrp vsd-group id 0'.
 - Creating two VSD groups, vsd-group 1 and 2, within the cluster. Each member gets priority 1 and preempt for the group it should master and the default priority for the other group.
 - Enabling device failure tracking methods such as interface monitoring and path monitoring.
 - Configuring a secondary HA path (the same interface on both members) and RTO mirroring, so that sessions are synchronized and survive a failover.
Device A

set nsrp cluster id 1
unset nsrp vsd-group id 0
set nsrp vsd-group id 1 priority 1
set nsrp vsd-group id 1 preempt hold-down 10
set nsrp vsd-group id 1 preempt
set nsrp vsd-group id 2
set nsrp monitor interface ethernet1/2
set nsrp monitor interface ethernet2/1
set nsrp secondary-path ethernet2/1
set nsrp rto-mirror sync
save

Device B

set nsrp cluster id 1
unset nsrp vsd-group id 0
set nsrp vsd-group id 2 priority 1
set nsrp vsd-group id 2 preempt hold-down 10
set nsrp vsd-group id 2 preempt
set nsrp vsd-group id 1
set nsrp monitor interface ethernet1/2
set nsrp monitor interface ethernet2/1
set nsrp secondary-path ethernet2/1
set nsrp rto-mirror sync
save
Note: As Firewall-A and Firewall-B are now in a cluster, all subsequent commands (except those otherwise noted) need to be run on only
one device; they are automatically synced to the other device.
2. Set the VSIs (Virtual Security Interfaces), one per physical interface and VSD group:

set interface ethernet1/2 zone untrust
set interface ethernet1/2:1 ip 210.1.1.1/24
set interface ethernet1/2:2 ip 210.1.1.2/24
set interface ethernet2/1 zone trust
set interface ethernet2/1:1 ip 10.1.1.1/24
set interface ethernet2/1:2 ip 10.1.1.2/24

Sample 'get interface' output from a device on which no VSIs have been created (the addresses and zones differ from the example above; the VSD column is empty for every interface):

Interfaces in vsys Root:
Name       IP Address           Zone        MAC              VLAN  State  VSD
mgt        192.168.40.94/24     MGT         0010.db42.6380         U
ha1        0.0.0.0/0            HA          0010.db42.6385         D
ha2        0.0.0.0/0            HA          0010.db42.6386         D
eth2/1     193.63.74.233/28     Untrust     0010.db42.6387         D
eth2/1.1   192.168.56.99/27     Untrust     0010.db42.6387   1000  D
eth2/1.2   193.62.116.217/29    Untrust     0010.db42.6387   1001  D
eth2/1.3   193.62.116.225/29    Untrust     0010.db42.6387   1002  D
eth2/2     193.63.74.131/28     Trust       0010.db42.6388         D
eth2/2.1   193.62.125.1/24      ESC-DMZ     0010.db42.6388   16    D
eth2/2.2   193.62.121.1/26      MEW-DMZ     0010.db42.6388   66    D
eth2/2.3   192.168.56.177/28    STFC-DMZ    0010.db42.6388   83    D
eth2/2.4   193.62.126.1/24      Untrust     0010.db42.6388   26    D
eth2/2.5   193.62.121.129/26    Untrust     0010.db42.6388   79    D
eth2/2.6   193.62.116.129/28    email-DMZ   0010.db42.6388   2000  D
eth2/2.7   192.168.52.1/30      HPCx-INT    0010.db42.6388   500   D
Note: By default, every interface is part of VSD group 0. A VSI is named after the physical interface it is bound to plus the VSD group number:

interface <interface_name>:<VSD_group_number>

An interface name without a ':<VSD_group_number>' suffix is either in VSD group 0 or, if VSD group 0 has been unset, in no VSD group at all (as in the listing above, where the VSD column is empty). To bind an interface to a VSD group, you therefore create a VSI on it, for example ethernet1/2:1 for VSD group 1.
3. Set the routes (one default route per VSD group, each leaving through that group's untrust VSI):

set vrouter trust-vr route 0.0.0.0/0 interface ethernet1/2:1 gateway 210.1.1.250
set vrouter trust-vr route 0.0.0.0/0 interface ethernet1/2:2 gateway 210.1.1.250
save
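As an added worked example (not part of this KB article and not Juniper tooling), the following Python script generates the per-member and shared command sets of steps 1 to 3 from one cluster description and checks that description for the design mistakes that leave a VSD group without a usable data path after failover. The cluster id, interface names, addresses and gateway are the ones used on this page; the ClusterSpec structure, the function names and the check rules are assumptions of this example.

```python
"""Generate and sanity-check a two-member NSRP Active/Active configuration.
Added example, not Juniper tooling. Cluster id, interface names, addresses
and gateway are the ones on this page; the ClusterSpec layout, function
names and check rules are assumed for the example."""
from dataclasses import dataclass


@dataclass
class ClusterSpec:
    cluster_id: int
    vsd_groups: tuple      # the two non-zero VSD groups, e.g. (1, 2)
    zones: dict            # physical interface -> zone (all are monitored)
    vsi_ips: dict          # (physical interface, VSD group) -> "ip/mask"
    routes: tuple          # (VSD group, default gateway) per untrust VSI
    untrust_if: str        # physical interface whose VSIs carry the default routes
    secondary_path: str    # secondary HA path, same interface on both members
    hold_down: int = 10    # preempt hold-down in seconds


def vsi_name(iface, group):
    """VSI naming convention: <interface>:<VSD group>."""
    return f"{iface}:{group}"


def parse_vsi(name):
    """Inverse of vsi_name. A bare interface name is not bound to a VSD group
    (or belongs to group 0 while that group still exists), so group is None."""
    base, sep, group = name.partition(":")
    return (base, int(group)) if sep else (base, None)


def member_config(spec, primary_group):
    """Step 1 for one member: master (priority 1, preempt) of primary_group,
    backup (default priority) of the other group."""
    cmds = [f"set nsrp cluster id {spec.cluster_id}", "unset nsrp vsd-group id 0"]
    for group in spec.vsd_groups:
        if group == primary_group:
            cmds += [
                f"set nsrp vsd-group id {group} priority 1",
                f"set nsrp vsd-group id {group} preempt hold-down {spec.hold_down}",
                f"set nsrp vsd-group id {group} preempt",
            ]
        else:
            cmds.append(f"set nsrp vsd-group id {group}")
    for iface in spec.zones:
        cmds.append(f"set nsrp monitor interface {iface}")
    cmds += [f"set nsrp secondary-path {spec.secondary_path}",
             "set nsrp rto-mirror sync", "save"]
    return cmds


def shared_config(spec):
    """Steps 2 and 3: entered on one member, NSRP syncs them to the peer."""
    cmds = [f"set interface {iface} zone {zone}" for iface, zone in spec.zones.items()]
    for (iface, group), ip in sorted(spec.vsi_ips.items()):
        cmds.append(f"set interface {vsi_name(iface, group)} ip {ip}")
    for group, gateway in spec.routes:
        cmds.append(f"set vrouter trust-vr route 0.0.0.0/0 interface "
                    f"{vsi_name(spec.untrust_if, group)} gateway {gateway}")
    cmds.append("save")
    return cmds


def check(spec):
    """Return design problems that would break failover (empty list = consistent)."""
    problems = []
    if len(set(spec.vsd_groups)) != 2 or 0 in spec.vsd_groups:
        problems.append("need exactly two distinct, non-zero VSD groups")
    for iface in spec.zones:                      # every monitored interface needs a VSI per group
        for group in spec.vsd_groups:
            if (iface, group) not in spec.vsi_ips:
                problems.append(f"{iface} has no VSI for VSD group {group}")
    for (iface, group) in spec.vsi_ips:           # no VSI on an unknown interface or group
        if iface not in spec.zones or group not in spec.vsd_groups:
            problems.append(f"VSI {vsi_name(iface, group)} uses an unknown interface or group")
    routed = {group for group, _ in spec.routes}  # each group needs its own default route
    for group in spec.vsd_groups:
        if group not in routed:
            problems.append(f"no default route leaves via {vsi_name(spec.untrust_if, group)}")
    if spec.secondary_path not in spec.zones:
        problems.append("secondary path must be a physical cluster interface")
    return problems


# The page's example as a spec (values taken from steps 1 to 3 above).
PAGE_SPEC = ClusterSpec(
    cluster_id=1, vsd_groups=(1, 2),
    zones={"ethernet1/2": "untrust", "ethernet2/1": "trust"},
    vsi_ips={("ethernet1/2", 1): "210.1.1.1/24", ("ethernet1/2", 2): "210.1.1.2/24",
             ("ethernet2/1", 1): "10.1.1.1/24", ("ethernet2/1", 2): "10.1.1.2/24"},
    routes=((1, "210.1.1.250"), (2, "210.1.1.250")),
    untrust_if="ethernet1/2", secondary_path="ethernet2/1")

if __name__ == "__main__":
    for member, group in (("Device A", 1), ("Device B", 2)):
        print(f"--- {member} ---")
        print("\n".join(member_config(PAGE_SPEC, group)))
    print("--- shared (run once, synced by NSRP) ---")
    print("\n".join(shared_config(PAGE_SPEC)))
    print("problems:", check(PAGE_SPEC) or "none")
```

Running the script prints the Device A, Device B and shared command sets and an empty problem list for the page's example. Removing one VSI from the spec, routing only one group, or reusing VSD group 0 makes check() report it, which is the kind of asymmetry that only shows up on the day the other member fails.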
Note: For another configuration example of Active/Active, refer to Chapter 2 of the following technical documentation:
Concepts & Examples ScreenOS Reference Guide -- Volume 11: High Availability
Chapter 2 - Look for Configuration Examples
ScreenOS 5.4 - Volume 11 - High Availability
ScreenOS 6.0 - Volume 11 - High Availability

Notes, KBs, and references

The total number of sessions divided between the two devices in an Active/Active configuration cannot exceed the capacity of a
single security device (otherwise, in the case of a failover, the excess sessions might be lost).

Useful KB reference: KB7840 - How to determine whether a cluster is in an Active/Active setup

Useful KB reference: KB5807 - Which devices support Active/Active in transparent mode

There are design considerations in configuring Active/Active configurations. Juniper recommends contacting Juniper Networks
Professional Services to assist with the design. For more information, refer to Juniper Networks Customer Services.

PURPOSE:
Troubleshooting
