Configuring NSRP to Detect Interface and Zone Failure

You can configure NSRP to detect interface and zone failures on a device or VSD group. When one or more monitored objects on a device or VSD group fail, the primary device in the cluster or VSD group can fail over to the backup device or VSD group.

To control when the device or VSD group fails over, you configure the device to monitor specific objects.

Note

Each vsys cluster device can see all VSDs in the cluster, even VSDs that the vsys cluster device does not use. This means that you could configure a vsys cluster device to monitor a VSD group that the device does not use. If this monitored VSD group failed, the vsys cluster device that does use that VSD group would fail over, not the vsys cluster device that was configured to monitor the VSD group.

For each device or VSD group, you can monitor:

  • Specific target IP addresses—The device sends ping or ARP requests to up to 16 specified IP addresses at specified intervals and then monitors responses from the targets. All the IP addresses configured on the device or for a specified VSD group constitute a single monitored object.

  • Physical interfaces—The device uses NSRP to check that the physical ports are active and connected to other devices.

  • Zones—The device uses NSRP to check that all physical ports in a zone are active.

For each monitored object, you must configure a threshold, which is the total weight of failed monitored objects required to cause the device or VSD group to step down as master. If the cumulative weight of the failures of all monitored objects exceeds both the monitored object failure threshold and the monitor threshold, the device or VSD group fails over to the backup device or VSD group. You can set the monitored object failure threshold to a value from 1 to 255. The default threshold is 255.

You must also configure a failure weight, which is the weight that the failure of the monitored object contributes towards the device or VSD group failover threshold, which is known as the monitor threshold. You can set the object failure weight at a value from 1 to 255. The default failure weight for monitored objects is 255. If you want to monitor an object but do not want the failure of the object to affect failover of the device or VSD group, set the failure weight of the object to 0 (all failures are logged, even if the failure weight of the object is 0).

Configuring Track IPs

For tracked IP addresses, you specify individual IP addresses, how they are to be monitored, what constitutes the failure of each tracked IP address (the threshold), and the weight that each failed address carries. When IP tracking is enabled, the device sends a request on the selected interface to target IP addresses at specified intervals, and then monitors the targets for responses. If the device does not receive a response from a target for a specified number of times, the device considers that IP address to be unreachable. You configure the threshold (the number of acceptable consecutive response failures) for each IP address within the IP Option dialog box. The default threshold for each IP address is 3; acceptable values are from 1 to 200.

If the device does not receive a response from a specified number of targets, the device can deactivate routes associated with the selected interface. This threshold, known as the failure threshold, is the sum of the weights of all failed tracked IP addresses required for the tracked IP object to be considered failed. You configure the interface threshold (the total weight of the cumulative failed attempts) in the Track IP tab. The default is 1; acceptable values are from 1 to 255. A failure to reach any configured tracked IP address causes routes associated with the interface to be deactivated.

For each interface, you can configure up to four IP addresses to track. The tracked IP addresses do not have to be in the same subnetwork as the interface. On devices running ScreenOS 6.3, track IP supports IPv6.

Note

A single device can track 64 IP addresses. This total includes all track IP addresses for interface-based IP tracking and for NSRP-based IP tracking at the root level and vsys level.

Configuring Interface Monitoring

The device uses NSRP to check that the physical ports are active and connected to other network devices. When the port is inactive, the device considers the interface failed.

The process for adding an interface to monitor is as follows:

  • Edit the cluster by selecting and editing its members.

  • Select Monitoring > Whole Box Monitoring.

  • Use the Monitor Interface tab to select all the interfaces that need to be monitored and assign a weight to each interface in the device or VSD group to indicate the importance of that interface. The higher the weight, the faster the failover threshold is met. For example, if the untrust interface is more important than the management interface, assign the untrust interface a higher weight than the management interface.

For example, when using two VSD groups (VSD 1 and VSD 2) configured on two devices (device A and device B), if a port on a master device in a VSD group fails, you can configure VSD 1 to fail over from the primary VSD group on device A to the backup VSD group on device B. VSD 2 remains active on device A.

Configuring Zone Monitoring

The device uses NSRP to check that all physical ports in a zone are active and connected to other network devices. When all ports within the zone are inactive, the device considers the zone failed.

You can assign a weight to each zone in the device or VSD group to indicate the importance of that zone. The higher the weight, the faster the failover threshold is met. For example, if the DMZ zone is more important than the trust zone, assign the DMZ zone a higher weight than the trust zone.

All interfaces bound to the monitored zone must fail before the device considers the zone down. Specifically:

  • If a monitored zone has multiple interfaces, but only one interface in the zone is active, the device considers the zone active.

  • If a monitored zone has a single interface bound to it and that interface fails, the device considers the zone failed.

  • If a monitored zone has no interfaces bound to it, the zone cannot fail.

  • If you unbind a downed interface from a zone that contains only that interface, the device no longer considers the zone failed. Similarly, if you unbind an active interface from a monitored zone where the remaining interfaces are down, the device considers the zone failed.

Configuring Monitor Threshold

The monitor threshold is the failure threshold for the device or VSD group. All failure weights for all monitored objects in the device or VSD group contribute to the monitor threshold when a failure occurs; if the total sum of these failure weights meets or exceeds the monitor threshold, the device or VSD group fails over.

Conversely, even if all IP addresses, interfaces, and the zone fail in the device or VSD group, the device or VSD group does not fail over to the backup VSD group if the sum of their failure weights does not meet or exceed the monitor threshold. To ensure that the device or VSD group fails over at the appropriate time, configure the failure weight of each monitored object in relation to the monitor threshold.
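The following added example (not ScreenOS code and not from this documentation) models the failover arithmetic described above: tracked IP addresses that become unreachable after consecutive missed responses, monitored interfaces, zones that fail only when every bound port is down, and the comparison of the summed failure weights against the monitor threshold. Interface names, addresses, and weights in sample_monitor() are constructed values.

```python
from dataclasses import dataclass, field

@dataclass
class TrackIP:
    addr: str
    weight: int = 255      # weight of this address within the track IP object
    threshold: int = 3     # consecutive missed responses before it is unreachable
    misses: int = 0

    def record(self, responded: bool) -> None:
        self.misses = 0 if responded else self.misses + 1

    def unreachable(self) -> bool:
        return self.misses >= self.threshold

@dataclass
class NsrpMonitor:
    monitor_threshold: int = 255
    links: dict = field(default_factory=dict)          # physical port -> link up?
    monitored_ifs: dict = field(default_factory=dict)  # interface -> failure weight
    zones: dict = field(default_factory=dict)          # zone -> (weight, [ports])
    track_ips: list = field(default_factory=list)
    track_ip_threshold: int = 1     # summed IP weight that fails the track IP object
    track_ip_weight: int = 255      # weight the track IP object contributes

    def track_ip_object_failed(self) -> bool:
        failed = sum(t.weight for t in self.track_ips if t.unreachable())
        return bool(self.track_ips) and failed >= self.track_ip_threshold

    def zone_failed(self, zone: str) -> bool:
        _, ports = self.zones[zone]
        # A zone with no bound interfaces cannot fail; otherwise every port must be down.
        return bool(ports) and not any(self.links[p] for p in ports)

    def failed_weight(self) -> int:
        total = self.track_ip_weight if self.track_ip_object_failed() else 0
        total += sum(w for i, w in self.monitored_ifs.items() if not self.links[i])
        total += sum(w for z, (w, _) in self.zones.items() if self.zone_failed(z))
        return total

    def should_fail_over(self) -> bool:
        return self.failed_weight() >= self.monitor_threshold

def sample_monitor() -> NsrpMonitor:
    # Constructed sample config (assumed values): untrust port outweighs management port.
    m = NsrpMonitor(monitor_threshold=255)
    m.links = {"ethernet1": True, "ethernet2": True, "ethernet3": True, "ethernet4": True}
    m.monitored_ifs = {"ethernet1": 200, "ethernet4": 50}   # untrust=200, mgt=50
    m.zones = {"DMZ": (100, ["ethernet2", "ethernet3"]), "Empty": (255, [])}
    m.track_ips = [TrackIP("10.0.0.1", weight=255)]
    return m
```

Losing the untrust port alone (weight 200) stays below the threshold of 255; it takes the DMZ zone failing as well, or the tracked address missing three consecutive responses, to trigger failover.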