NSRP

From Network Security Wiki
Jump to navigation Jump to search


Basics

Non-Propagating NSRP config components

Feature Commands
NSRP set/unset nsrp cluster id number

set/unset nsrp auth password pswd_str
set/unset nsrp encrypt password pswd_str
set/unset nsrp monitor interface interface
set/unset nsrp vsd-group id id_num { mode string | preempt | priority number }

Interface set/unset interface interface manage-ip ip_addr

set/unset interface interface phy ...
set/unset interface interface bandwidth number
set/unset interface redundant number phy primary interface
All commands pertaining to local interfaces

Monitored Objects All IP tracking, zone monitoring, and interface monitoring commands
Console Settings All console commands (set/unset console ...)
Hostname set/unset hostname name_str
SNMP set/unset snmp name name_str
Virtual Router set/unset vrouter name_str router-id ip_addr
Clear All clear commands (clear admin, clear dhcp, ...)
Debug All debug commands (debug alarm, debug arp, ...)
Gateway tracking set/unset vrouter name_str route ip_addr gateway ip_addr



What is a VSD-less NSRP cluster?

  • If Active/Passive firewall is running a Dynamic Routing Protocol, a NSRP VSD-less cluster can be configured.
  • VSD-less NSRP clusters separate the failover component of NSRP from session synchronization.
  • VSD-less NSRP clusters use individual unique interfaces, and will be able to establish adjacencies individually.
  • This avoids the problem of re-establishing adjacencies when a failover may occur.


What is HA Probe?

Source: juniper.net

  • The HA link probe is a function used for determining the health of a HA link.
  • By default, the physical state of the HA link is used to determine whether heartbeats should be sent and expected on the link.
  • When the physical state of the first HA link goes down, NSRP control messages will begin to exchange on the second HA link.
  • This assumes that the firewalls are connected back to back, which is not always the case.
  • If there is an intermediate switching layer, sometimes the physical links can remain up, but heartbeats cannot be received.
  • In this scenario, by default, both devices will attempt to become the master (split brain), and connectivity problems will likely result.
  • To address this, the HA link probe adds a logical connectivity test to the HA links so that if such a failure occurs, heartbeat messages first failover to the second HA link.
  • Configure the HA probe feature ONLY IF the HA links are connected through a layer 2 switch.


What is Secondary path?

Source: juniper.net

  • Secondary path is essentially a third NSRP HA link to be used to elect a VSD-Group master if for some reason both dedicated HA links were to fail.
  • The secondary path is different from the standard HA interfaces in that only Hello packets are sent on the secondary path to elect a master
  • It is meant to prevent split brain and nothing more.
  • It uses a forwarding interface so it is recommended that message authentication and encryption be performed, as messages will travel over a shared interface.
  • You must perform auth and encrypt settings on each device.
  • The secondary path itself is a forwarding interface which is the failsafe in cases where all HA links are down.
  • The secondary path is not used for synchronization of RTOs, however, and is invoked only after multiple failovers.
  • When invoked, a master is elected, and no RTOs are synchronized until an HA link is restored.
What are various NSRP states?

Source: juniper.net

For all the above state Transitions, NSRP Hello Message is used.

UNDEFINED
  • This occurs when the remote nsrp peer is not configured with corresponding VSD-Group or when the local device cannot successfully obtain remote peer's vsd status via HA link.
INIT
  • This occurs when the Device has just boot-up and has sent the NSRP Hello thru the HA Link to identify any devices exist for the VSD-Group.
  • This should be a very short period.
  • It will transition to different state (starting with Backup) after the timer is expired.
BACKUP
  • In this state the unit checks if there are other devices in the VSD-Group and check their states, if other devices are in Master or Primary Backup, it will stay in this state, else Election Process will occur.
PB (Primary Backup)
  • After the Election Process, the device will become Primary Backup, if another device exist as MASTER for the VSD-Group.
MASTER
  • After the Election Process based on the Priority & Preempt, the device will become MASTER if no other device is MASTER for the VSD-Group.
  • This is the only state when the unit will be in Active State and Traffic will be passed thru the firewall.
  • In all other states the unit will stay inactive.
INELIGIBLE
  • This is a state when an Administrator forces the device to not participate in the Election Process and stay inactive for the VSD-Group.
  • The command to put in this state is "exec nsrp vsd-group <id_no> mode ineligible"
INOPERABLE
  • This is a state when one of the monitoring object for the VSD-Group has failed, the monitoring object can be Track-ip, Interface or Zone.
  • This state will prevent the device to participate in the Election Process and the device will stay inactive.


Active-Backup

  • NSRP Active/Backup configuration should be done prefereably using VSD-Group 0; otherwise manually add interfaces to the other VSD-Group.
  • What is Split Brain? How to resolve it?

When firewalls running NSRP lose connectivity to each other, both firewalls may become the Master of the same VSD Group at the same time. This condition is known as split-brain. Split brain is a highly undesirable condition as it may cause intermittent or complete outage of traffic flow. To resolve the split brain issue, you must ensure that at least one HA link connection is restored, which will allow the exchange of NSRP hello messages or heartbeats.

Steps to prevent split brain:

Configure NSRP with 2 dedicated HA links. 
Configure the HA probe feature ONLY IF the HA links are connected through a layer 2 switch. 
Configure a secondary path, which is essentially a third NSRP HA link to be used to elect a VSD-Group master if for some reason both dedicated HA links were to fail. 
  • What is No Brain scenario? How to resolve it?

If NSRP monitoring is enabled, it may be possible for both NSRP peers to become 'Inoperable' (eg. a target “track-ip” host is shutdown and becomes unreachable by both NSRP peers, or possibly a shared switch to a DMZ zone fails causing interface tracking to trip on both NSRP peers). In that event, all traffic required to cross the cluster would be impacted even though it may only be a portion of the network that is unreachable. Enabling the master-always-exist option will ensure that the cluster remains available and traffic to flow.

set nsrp vsd-group master-always-exist

Active-Active

Basics

Benefits:

Load sharing
Routing flexibility

Pitfalls:

Complex to design
Data path forwarding may affect performance
No dynamic route synchronization

Note:

Total number of sessions are divided between two firewalls in an Active/Active configuration and cannot exceed 
the capacity of a single security device (otherwise, during failover, the excess sessions will be lost).
  • Steps to configure Active-Active NSRP:[1]
1. unset vsd-group 0
2. Create vsd-group 1 & 2 in the cluster
3. Enabling tracking methods like interface monitoring and path monitoring
4. Set the VSI's, by default, all the interfaces are a part of VSD-group 0, so create a VSI to bind the interface to a VSD group
5. Set the routes
  • How Active-Active NSRP works:[1]
   Paste.png     This section is under construction.

Troubleshooting

  • Command to check NSRP Sync Config only:
get config global
  • Track-IP in NSRP requires manage ips in untrust too from the same subnet. Instead of 1 public ip you need 3 public IPs.
  • 2 sets of HA clusters of ScreenOS Firewalls, Same Interfaces used in both sets, Same Cluster ID used will generate same Virtual MAC. So Packet delivery will fail in same LAN.
  • Forcing a Device from Master to Backup Device in NSRP:

If the preempt option is enabled:

exec nsrp vsd-group 0 mode ineligible

If the preempt option is not enabled:

exec nsrp vsd-group 0 mode backup
  • To change the state of the firewall from ineligible to backup (or to make the firewall eligible to be backup):
exec nsrp vsd-group 0 mode backup
  • Use of the NSRP HA Probe command when the firewall HA links are directly connected can cause the NSRP cluster to appear as if the HA connection is flapping. Source: juniper.net
  • How do you tell if the firewall VSD is in the ineligible state?

Source: juniper.net 'get nsrp' output reports 'myself (ineligible)' when the VSD is ineligible.
If the firewall prompt has a (I), it means the firewall is in the Inoperable state.

ssg550(B)-> get nsrp  <---note that firewall prompt is not (I)
nsrp version: 2.0

cluster info:
cluster id: 1, no name
local unit id: 10923520   <---note local unit ID of this firewall
active units discovered:
index: 0, unit id:  10923520, ctrl mac: 00121ea6ae07, data mac: 00121ea6ae07
index: 1, unit id:   8345472, ctrl mac: 0005857f5787, data mac: 0005857f5787
total number of units: 2
(snip)
group priority preempt holddown inelig   master       PB other members
    0      100 no             3 no      8345472     none myself(ineligible)  <-------
total number of vsd groups: 1


Lab

Active-Active NSRP Setup

Step 1
Cluster and VSD Groups config:

Device A:

set nsrp cluster id 1
unset nsrp vsd-group id 0
set nsrp vsd-group id 1 priority 1
set nsrp vsd-group id 1 preempt hold-down 10
set nsrp vsd-group id 1 preempt
set nsrp vsd-group id 2
set nsrp vsd-group id 1
set nsrp monitor int eth1/2
set nsrp monitor int eth2/1
set nsrp rto-mirror sync
save

Device B:

set nsrp cluster id 1
unset nsrp vsd-group id 0
set nsrp vsd-group id 2 priority 1
set nsrp vsd-group id 2 preempt hold-down 10
set nsrp vsd-group id 2 preempt
set nsrp vsd-group id 1
set nsrp monitor int eth1/2
set nsrp monitor int eth2/1
set nsrp secondary-path ethernet2/1
set nsrp rto-mirror sync
save

Both firewalls are in a cluster now, all subsequent commands need to be run on Active device only.

Step 2
VSI Config (Virtual Security Interfaces):
set int ethernet1/2 zone untrust
set int ethernet1/2:1 ip 20.1.1.1/24
set int ethernet1/2:2 ip 20.1.1.2/24
set int ethernet2/1 zone trust
set int ethernet2/1:1 ip 10.1.1.1/24
set int ethernet2/1:2 ip 10.1.1.2/24

By default, all the interfaces are a part of VSD-group 0. We need to create a VSI to bind the interface to a VSD group.

Step 3
Set the routes:
   Question.png     This section needs verification or testing!
set vrouter trust-vr route 0.0.0.0/0 interface ethernet1/2:1 gateway 20.1.1.254
set vrouter trust-vr route 0.0.0.0/0 interface ethernet1/2:2 gateway 20.1.1.254
save

Active-Backup NSRP Setup

   Paste.png     This section is under construction.

References

  1. 1.0 1.1 www.hcltech.com


blog comments powered by Disqus