What is VRRP Monitored Circuits

Solution ID: sk38524
Product: Security Gateway, IPSO
Version: All
Date Created: 14-Apr-2009
Last Modified: 18-Jul-2012
Solution

A VRRP Monitored Circuit (VRRP MC) configuration allows a Nokia Appliance to release its priority over all VRRP MC configured interfaces in the event that one of the interfaces fails or becomes unreachable. The backup Nokia Appliance firewall then assumes priority over all VRRP MC configured interfaces. This means that all network traffic, both from the external network and from the internal network, will traverse the backup firewall/router.

The VRRP MC configuration eliminates a potential asymmetric routing condition which could occur in a VRRP version 2 (VRRPv2) configuration if a single interface failed rather than the entire firewall/router. Hosts configured with a default route to a VRRP MC IP address will now have the entire network connection passing through the secondary firewall, rather than passing through the primary firewall in one direction and coming back through the secondary firewall.

The need to eliminate asymmetric routing is due to the limitations of FireWall-1's synchronization feature, which prevent the secondary firewall from accepting all types of network connections that were allowed by the primary firewall.

 

A Summary of Differences Between VRRP v2 and Monitored Circuits

VRRP v2

  • Backs up router addresses (which must be real IP addresses) used as a default gateway for hosts
  • Requires use of a routing protocol (OSPF) to recover from a single interface failure
  • Cannot track other interfaces (whether up or down); this leaves a small chance of asymmetric routing occurring
  • Does not support virtual addresses that can be used as virtual gateways or NAT devices
  • Cannot be used for HA state synchronization with Check Point NG/NGX because virtual addresses (needed to configure the Gateway Cluster object) are not supported

 

VRRP "Monitored circuit"


  • Uses virtual (not real) IP addresses to back up NAT devices or create virtual gateways for hosts
  • Does not require an additional dynamic routing protocol such as OSPF to forward traffic in a failover event
  • Can monitor multiple interfaces (whether up or down) and force complete failovers to prevent asymmetric routing

To migrate from VRRP v2 to VRRP Monitored Circuits, see sk41167.

 

VRRP MC Configuration

In a Monitored Circuit configuration, you need a virtual IP on each network segment that requires high-availability. This means you need at least 3 IP addresses on each network the firewalls are attached to, one for each firewall plus an extra IP. This extra IP address, referred to as the "backup IP" in the Voyager VRRP configuration page, is what your routers and hosts will know as their next hop (or default gateway).


Virtual IP (VIP), also known as Backup IP:
External: 205.226.10.1
Internal: 192.168.2.1
DMZ: 192.168.3.1

In a properly configured VRRP-MC configuration, the failure of a single interface on firewall-A will cause all the backup IPs to fail over to firewall-B. All traffic will be routed through firewall-B without needing to go through firewall-A at all. OSPF is not needed to maintain coherency because asymmetric routing should not occur as it can with VRRP v2.

 

How to Set up Monitored Circuits

VRID (Virtual Router IDs)

Using Voyager, go to the VRRP configuration page on firewall-A. Using the above example, we would want to configure the External, Internal, and DMZ interfaces for VRRP. On each of the interfaces, select "Monitored Circuits" and click Apply. For each interface, you will be asked to create a virtual router. For each interface, specify a virtual router ID number (VRID) between 1 and 255. You can use the last octet of the VIP on each network segment. In this example, that would be .1. Enter 1 as the VRID for each instance of VRRP.

Once you have specified a virtual router ID for each interface, click on Apply. You will then be presented with a variety of options for each virtual router ID, which are described below.


Priority

A number from 1 (lowest) to 254 (highest). Default is 100. Priority is a numeric value; the higher the value, the higher the priority. If the configured priorities of two backup routers are equal, and in the rare event that both backup routers become masters at the same time (for example, two identical hardware platforms booting up at the same time), their IP addresses are used as a tiebreaker (higher IP address wins).

In most cases, when both boxes are set at equal priorities, the first box to start announcing itself as master will remain master until the event of failover. Once a failed router recovers, it will always reclaim responsibility for forwarding traffic sent to its own addresses. But the failed router would assume responsibility for traffic sent to virtual addresses that are not its real interface addresses only if its priority is higher than the priority of the current master.

You have two choices on how you can set this up:


  • Established Master
  • Equivalent Priority

You would want an established master if one Nokia IP Security Platform has more capacity than the other. For example, the master might be an IP530 while the backup is an IP330. On the other hand, if both platforms are the same, then setting up VRRP with equivalent priorities results in fewer VRRP transitions: if the current master were taken off-line and then restored, it would not, when it came back on-line, take the VRID back from the other platform, which became the new master.

In either case, at least one platform should use 254 for the priority, as this results in the fastest fail-over transition time. See sk39676 for the question, "How much time does it take for a VRRP transition?".


Hello Interval

This is how frequently the system will send out VRRP Hello messages. This should be the same on both boxes. The default (if not specified) is 1 second.

 

Backup Address (only in VRRP MC)

Often referred to as the Virtual IP (VIP). This is the address that is being "failed over" between the two boxes. This VIP must not otherwise be associated with an interface on either box. This will be the IP address your client machines/routers will use for routing.

 

Monitor Interface and Priority Delta

Each instance of VRRP running on a supported interface may monitor the link state of other interfaces. The monitored interfaces do not have to be running VRRP. If a monitored interface loses its link state, then VRRP will decrement its priority for that VRID by the specified delta value and then send out a new VRRP HELLO packet. If the new effective priority is less than the priority of a backup platform, then the backup platform will begin to send out its own HELLO packets. Once the master sees such a packet with a priority greater than its own, it releases the VIP.

 

Authentication

You can require a plaintext password for any VRRP packets received about this virtual router ID. Independent of any authentication type, VRRP includes a mechanism (setting TTL=255, checking on receipt) that protects against remote networks injecting VRRP packets. This limits vulnerability to local attacks.
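As an added illustration of the receiver-side checks this section describes (TTL must be 255, plus an optional plaintext password), the following Python parses and validates an RFC 3768 VRRPv2 advertisement. It is example code written for this page, not IPSO's implementation: the packet it checks is constructed inline rather than captured, the TTL is passed in separately because it lives in the IP header, and the 8-byte simple-text authentication layout follows RFC 2338 (VRRPv2's original authentication type 1), which is assumed here to be the wire format behind the Voyager password setting.

```python
# Added example (not from the article or IPSO): receiver-side validation of a
# VRRPv2 ADVERTISEMENT. The packet is constructed here to exercise the checks;
# nothing is sent on the wire.
import hmac
import struct
from ipaddress import IPv4Address

VRRP_VERSION = 2
VRRP_TYPE_ADVERTISEMENT = 1
AUTH_NONE = 0
AUTH_SIMPLE_TEXT = 1   # RFC 2338 simple text password, 8 bytes of Authentication Data


def internet_checksum(data: bytes) -> int:
    """Standard 16-bit one's-complement checksum (RFC 1071) over the VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid, priority, vips, adver_int=1, password=b""):
    """Build a VRRPv2 ADVERTISEMENT as constructed sample data for the checks below."""
    auth_type = AUTH_SIMPLE_TEXT if password else AUTH_NONE
    auth_data = password.ljust(8, b"\x00")[:8]
    header = struct.pack("!BBBBBBH",
                         (VRRP_VERSION << 4) | VRRP_TYPE_ADVERTISEMENT,
                         vrid, priority, len(vips), auth_type, adver_int, 0)
    body = header + b"".join(IPv4Address(v).packed for v in vips) + auth_data
    # Fill in the checksum field (bytes 6-7) once the rest of the message is known.
    return body[:6] + struct.pack("!H", internet_checksum(body)) + body[8:]


def validate_advertisement(pkt: bytes, ip_ttl: int, expected_vrid: int,
                           expected_vips, password=b""):
    """Return (True, advertised_priority) or (False, reason).

    Checks in the order a receiver applies them: TTL 255 (a packet that crossed
    a router cannot still have it), version/type, checksum, length, VRID, the
    list of backup addresses, and finally the plaintext password if configured.
    """
    if ip_ttl != 255:
        return False, "ttl"
    if len(pkt) < 16:
        return False, "short"
    vt, vrid, priority, count, auth_type, _adver, _csum = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != VRRP_VERSION or vt & 0x0F != VRRP_TYPE_ADVERTISEMENT:
        return False, "version/type"
    if internet_checksum(pkt) != 0:   # a valid message sums to zero with its checksum
        return False, "checksum"
    if len(pkt) != 8 + 4 * count + 8:
        return False, "length"
    if vrid != expected_vrid:
        return False, "vrid"
    vips = {str(IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)}
    if vips != set(expected_vips):
        return False, "vips"
    if password:
        auth_data = pkt[8 + 4 * count:16 + 4 * count]
        expected = password.ljust(8, b"\x00")[:8]
        if auth_type != AUTH_SIMPLE_TEXT or not hmac.compare_digest(auth_data, expected):
            return False, "auth"
    return True, priority


if __name__ == "__main__":
    sample = build_advertisement(1, 254, ["205.226.10.1"], password=b"s3cret")
    print(validate_advertisement(sample, 255, 1, ["205.226.10.1"], password=b"s3cret"))
    print(validate_advertisement(sample, 254, 1, ["205.226.10.1"], password=b"s3cret"))
```

The TTL test is what keeps the password from being the only line of defence: an advertisement relayed from another network arrives with a decremented TTL and is dropped before the password is even compared, which is the point the section makes about limiting exposure to the local segment.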

 

Auto-Deactivation

This feature ensures that a VRRP master never becomes master again once it is demoted to the backup state with an effective priority of 0. Two conditions are necessary to enable this feature. First, this attribute must be enabled. Second, (Base Priority - Delta) must equal 0. This feature allows the effective priority to be 0; otherwise the minimum effective priority is limited to 1.

 

Cold Start Delay

If you configure a system to be the VRRP master (by setting its priority higher than the other systems participating in the virtual router), it becomes master again immediately after a reboot. This causes problems if you are using FireWall-1 because the system becomes master again before the FireWall-1 synchronization process has finished. You can prevent these problems by setting a coldstart delay (in seconds). After the system reboots, it does not activate VRRP and become master until this number of seconds has elapsed. This gives FireWall-1 time to synchronize completely.

The following are some general guidelines for Coldstart Delay. The delays may need to be increased in situations where there are more than 25,000 connections.


  • IP650: 180 seconds
  • IP440: 240 seconds
  • IP120/330: 300 seconds
  • Other Platforms: 120 seconds

 

Accept Connections to VRRP IPs

This feature was introduced to allow the IPSO platform to provide high availability for other applications. If one can establish a network session to a VIP, then it does not matter which physical platform is the master of the VIP: a backup is waiting to take over for the master, and the services remain available.

 

A Sample VRRP Monitored Circuit Configuration using Established Master

firewall-A

eth-s1p1c0 (External) 205.226.10.2/24
    Virtual Router: 1
    Priority: 254
    Hello Interval: 1
    Backup IP: 205.226.10.1
    Monitor Interfaces:
        eth-s1p2c0  Priority Delta: 2
        eth-s1p3c0  Priority Delta: 2

eth-s1p2c0 (Internal) 192.168.2.2/24
    Virtual Router: 1
    Priority: 254
    Hello Interval: 1
    Backup IP: 192.168.2.1
    Monitor Interfaces:
        eth-s1p1c0  Priority Delta: 2
        eth-s1p3c0  Priority Delta: 2

eth-s1p3c0 (DMZ) 192.168.3.2/24
    Virtual Router: 1
    Priority: 254
    Hello Interval: 1
    Backup IP: 192.168.3.1
    Monitor Interfaces:
        eth-s1p1c0  Priority Delta: 2
        eth-s1p2c0  Priority Delta: 2

eth-s1p4c0 (Sync) 192.168.4.2/24

firewall-B

eth-s1p1c0 (External) 205.226.10.3/24
    Virtual Router: 1
    Priority: 253
    Hello Interval: 1
    Backup IP: 205.226.10.1
    Monitor Interfaces:
        eth-s1p2c0  Priority Delta: 2
        eth-s1p3c0  Priority Delta: 2

eth-s1p2c0 (Internal) 192.168.2.3/24
    Virtual Router: 1
    Priority: 253
    Hello Interval: 1
    Backup IP: 192.168.2.1
    Monitor Interfaces:
        eth-s1p1c0  Priority Delta: 2
        eth-s1p3c0  Priority Delta: 2

eth-s1p3c0 (DMZ) 192.168.3.3/24
    Virtual Router: 1
    Priority: 253
    Hello Interval: 1
    Backup IP: 192.168.3.1
    Monitor Interfaces:
        eth-s1p1c0  Priority Delta: 2
        eth-s1p2c0  Priority Delta: 2

eth-s1p4c0 (Sync) 192.168.4.3/24

 

A Sample VRRP Monitored Circuit Configuration using Equal Priorities

The configuration is identical to the above configuration except firewall-B has a priority of 254.

 

Configuration Notes

  1. The Hello Interval, priority deltas, and authentication should be the same on all virtual routers.
  2. The priority on firewall-B (254) may be numerically lower than firewall-A's priority (254) if you wish to set up firewall-A as the established master. In this case, firewall-A's delta values must be large enough to create an effective priority that is less than firewall-B's priority.
  3. The priority deltas on all the interfaces should be the same on all systems. This means that if a single interface fails on the primary, the effective priority will fall to 252. This will cause the backup (with a priority of 254) to take over, since it will now have a higher priority.
  4. The backup IPs (VIPs) are what will be used in the routing configuration for clients and other routers.
  5. Double-check to make sure the firewall is allowing VRRP packets out of its interfaces. Refer to sk40224.

 

What Happens When Everything's OK

The master will send out VRRP Hello messages every interval. Since firewall-A will broadcast the highest priority for each VRID, all the VIP addresses will be served by firewall-A.

 

What Happens When firewall-A Fails

Let's say that firewall-A is taken off-line. firewall-B will stop seeing VRRP HELLO packets from firewall-A and wait 3 intervals to be sure. firewall-B will then add the VIPs to its interfaces and start sending out HELLO packets. All network traffic will now go through firewall-B, and all network services configured in FW-1 to be synchronized will be accepted. Once firewall-A returns to an operational state, it will take back the VIPs if it is the established master. Otherwise, it will enter the VRRP backup state.

 

Let's say instead of firewall-A suffering a catastrophic failure, a single interface on firewall-A goes bad on the External LAN.

  1. firewall-B will stop seeing VRRP HELLO packets from firewall-A on the External LAN and wait 3 intervals to be sure.
  2. firewall-B will then add the VIPs to its interfaces and start sending out HELLO packets.
  3. The VRRP MC instances running on firewall-A's other interfaces react to the loss of eth-s1p1c0 by lowering their effective priority by the delta value.
  4. firewall-A now starts sending out HELLO packets with the new priority.
  5. firewall-B sees these new packets with a priority less than its own and begins adding the VIPs to its DMZ and Internal interfaces. You should see "Duplicate IP Address" error messages on the console of both platforms.
  6. firewall-B is now sending out HELLO packets which firewall-A sees, and as a result it deletes the VIPs from its DMZ and Internal network interfaces.
  7. The duplicate IP address error messages stop.

 

All of this will happen within the space of approximately 3-5 seconds with an interval of 1.
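The priority arithmetic described under Monitor Interface and Priority Delta, Auto-Deactivation and the Configuration Notes, together with the failover walkthrough above, can be checked with a small model before touching Voyager. The Python below is an added example written for this page, not code from the article or from IPSO: the class and function names are the author's own, the addresses and priorities are taken from the established-master sample configuration, and the master-down timer formula comes from RFC 3768 rather than from IPSO's implementation, so treat that figure as the protocol's value, not a measured one.

```python
# Added example (not from the SecureKnowledge article or IPSO): a model of the
# VRRP Monitored Circuit priority arithmetic, used to predict which platform
# holds the VIPs for a given combination of base priorities, deltas and links.
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class VrrpMcInstance:
    """One VRID on one platform, as configured on the Voyager VRRP page."""
    name: str                 # platform name, e.g. "firewall-A"
    real_ip: str              # real interface address; tiebreaker when priorities tie
    base_priority: int        # configured Priority, 1..254
    deltas: dict              # monitored interface -> Priority Delta
    auto_deactivate: bool = False
    link_up: dict = field(default_factory=dict)   # monitored interface -> link state

    def effective_priority(self) -> int:
        """Base priority minus the delta of every monitored interface that lost link."""
        down = [ifname for ifname, up in self.link_up.items() if not up]
        prio = self.base_priority - sum(self.deltas.get(ifname, 0) for ifname in down)
        # Without Auto-Deactivation the effective priority never drops below 1;
        # with it, (base - delta) may reach 0 and the platform stays demoted.
        floor = 0 if self.auto_deactivate else 1
        return max(prio, floor)


def next_master(instances, current=None):
    """Decide which platform holds the VIP after the next round of HELLOs.

    A backup only takes over when its effective priority is strictly greater
    than the master's, so equal priorities leave the current master in place.
    With no current master (both platforms booting at once) the higher
    priority wins and the higher real IP address breaks a tie.
    """
    best = max(instances,
               key=lambda r: (r.effective_priority(), IPv4Address(r.real_ip)))
    if current is not None and current.effective_priority() >= best.effective_priority():
        return current
    return best


def master_down_interval(hello_interval: float, backup_priority: int) -> float:
    """Time a backup waits before declaring the master dead.

    RFC 3768: 3 * Advertisement_Interval + Skew_Time, where
    Skew_Time = (256 - Priority) / 256. The article's "wait 3 intervals"
    is this value without the sub-second skew.
    """
    return 3 * hello_interval + (256 - backup_priority) / 256


def sample_scenario():
    """Walk through the established-master sample: the External link on
    firewall-A fails, seen from the Internal VRID that monitors eth-s1p1c0."""
    monitored = {"eth-s1p1c0": 2, "eth-s1p3c0": 2}
    fw_a = VrrpMcInstance("firewall-A", "192.168.2.2", 254, dict(monitored),
                          link_up={"eth-s1p1c0": True, "eth-s1p3c0": True})
    fw_b = VrrpMcInstance("firewall-B", "192.168.2.3", 253, dict(monitored),
                          link_up={"eth-s1p1c0": True, "eth-s1p3c0": True})
    steps = []
    steps.append(("all links up", next_master([fw_a, fw_b]).name))
    fw_a.link_up["eth-s1p1c0"] = False      # External link on firewall-A fails
    steps.append(("firewall-A effective priority after failure",
                  fw_a.effective_priority()))
    steps.append(("after failure", next_master([fw_a, fw_b], current=fw_a).name))
    fw_a.link_up["eth-s1p1c0"] = True       # link restored: established master preempts
    steps.append(("after recovery", next_master([fw_a, fw_b], current=fw_b).name))
    return steps


if __name__ == "__main__":
    for label, value in sample_scenario():
        print(f"{label}: {value}")
    print("master down after", master_down_interval(1, 253), "seconds")
```

Running `sample_scenario()` reproduces the walkthrough: firewall-A holds the VIPs at 254, drops to 252 when one monitored link fails, loses them to firewall-B at 253, and takes them back once the link returns. Swapping firewall-B's base priority to 254 and passing `current=fw_b` shows the equal-priority behaviour from the Priority section: the restored platform does not preempt, because a backup never takes over from a master with an equal or higher priority.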


Imported from Nokia support database