Categories: Firewalls ISG/NS/SSG Series, ScreenOS
Knowledge Base ID: KB12558
Last Updated: 11 Aug 2010
Version: 2.0
This article describes the options for manually failing over an NSRP firewall cluster from one device to the other.
Problem or Goal:
The first option is to use the command exec nsrp vsd-group <group ID number> mode backup. This command must be entered on the current Master firewall. It forces the Master to become Backup, which in turn forces the Backup to become Master. To restore the previous Master to that state, repeat the process by entering the same command on the new Master.
In this case, make sure that the original Master device does not have NSRP preempt enabled. Otherwise it will become Master again automatically if its NSRP priority is lower (= better) than the NSRP priority on the other device.
cluster:nsisg2000(M)-> exec nsrp vsd-group 0 mode backup
Start deactivate session (vsd=0) ...7 sessions deactivated
A second possibility is to make the NSRP Master firewall temporarily ineligible to be in the cluster. When this is done, the other device will automatically take over as Master.
Essentially, this isolates the firewall from the cluster, keeping it manageable but not able to pass traffic. The command is as follows:
cluster:nsisg2000(M)-> exec nsrp vsd-group <group ID> mode ineligible
To bring the device back into the cluster, the firewall must be re-initialized using this command:
cluster:nsisg2000(I)-> exec nsrp vsd-group <group ID> mode init
There is a third possibility, similar to the second example. In situations where the firewall is monitoring an IP address through Track-IP or monitoring...