When VRRP Master member initializes after reboot, both members consider themselves to be the VRRP Master and traffic flow through this VRRP cluster stops when members are connected via Cisco switches
Symptoms
  • Given two IP Series appliances, set up in a very basic VRRP configuration with a single external connection, one internal connection and state sync between the two IP Series appliances through a Cisco switch.

    The external and internal ports are connected to a Cisco Catalyst 5000 switch running the latest firmware revision. The ports are set to 100BaseT/full duplex (no auto negotiation). 'Port Fast' is enabled on Cisco switch.

  • If a cable is unplugged, correct fail-over takes place in VRRP cluster.

  • If a warm boot is performed on the VRRP Master member from the console or Voyager, correct fail-over takes place in VRRP cluster.

  • If a cold start is performed on the VRRP Master member, fail-over takes place. Once the former VRRP Master is powered back on and initializes, both members consider themselves to be the VRRP Master and traffic flow through the cluster stops. It was also noticed that a substantial amount of state sync traffic occurs when a cold start is performed.
Solution

Spanning Tree Protocol

Disable Spanning Tree Protocol (STP) on the switch ports where VRRP is running, if at all possible. On many switches, STP can only be disabled for the entire switch and not on a port-by-port basis. Take care that disabling it does not introduce a bridging loop on other ports.

What we discovered in testing is that STP interferes with the VRRP negotiation. For a very short period of time, the switch sees the same VRRP 'VMAC' address being broadcast from two ports. The switch identifies this as a "loop". A Layer 2 network cannot tolerate loops, so the switch disables both ports to break the loop. It then brings the ports back on line, only to see the same condition once again. Under these circumstances, it can take as long as 15 minutes to fail back to the primary firewall.

If Spanning Tree cannot be disabled on the switch ports, you can enable 'PortFast' Mode, which speeds up the Spanning Tree algorithm on the ports.

Note: By default, PortFast Mode is disabled. This can leave switch ports listening (not transmitting) for approximately 30 seconds when a switch port fails over. This is Spanning Tree's mechanism for preventing bridging loops.

The syntax for turning on PortFast mode is:

config# set spantree portfast 3/1-2 enable

Where 3/1-2 refers to slot 3 ports 1 and 2.


Disable Trunking

Trunking provides the ability to run multiple VLANs across a single physical link. There are two recognized trunking protocols in the industry:

  • 802.1q (IEEE)
  • ISL (Cisco proprietary)

Cisco switches support these protocols on certain Ethernet blades. Trunking is normally used to connect routers and switches together in an effort to save physical cabling and interfaces (over one link, a router can appear to have 5 or 10 different interfaces, each in a different VLAN). Cisco switch blades that support trunking are set by default to "auto-detect" trunking at link activation. This 'auto-detect' is what appears to have been disrupting the connection between the Nokia IP Appliances and the switch. The connection problem was resolved by disabling trunking on the Ethernet interfaces connecting the Nokia IP Appliances.

Turn off port list

With Catalyst switches, it is recommended that you turn off port channeling on the ports connected to the firewalls with the following command, where "port list" is the list of those switch ports:

config# set port channel "port list" off

This keeps port convergence time low enough for VRRP to work, without the switch sending ICMP Destination Unreachable packets.


VRRP Flapping

Nokia has seen a problem with a Cisco box sending out a broadcast to learn routes on the VRRP_MCAST address (224.0.0.18). This causes VRRP to get into an unstable state. You can run the following command:

config# set port channel [port#] mode desirable silent

Where [port#] is the port number on the switch into which the firewall is plugged. This command stops the switch from sending multicasts for the purpose of "channelizing" during its bootup.


Some interfaces in VRRP master, some in backup

Ensure your Catalyst switch has the latest firmware and that PortFast is enabled, as described above.
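As an added example (not from this article, Nokia or Check Point), the dual-master condition described in the symptoms can be recognised from a packet capture of the VRRP segment: two different routers keep advertising as master for the same VRID. Because a master sends from the shared VMAC, the Ethernet source cannot tell the two apart, so the routers are identified by the IP source address of their advertisements. The capture rows, the router addresses 10.0.0.2 and 10.0.0.3 and the virtual IP 192.0.2.1 are constructed for the example.

```python
import struct
from collections import Counter, defaultdict

def vrrp_checksum(data: bytes) -> int:
    """One's-complement checksum over the whole VRRP message (RFC 3768 section 5.3.8)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_advert(vrid: int, priority: int, vip: str, interval: int = 1) -> bytes:
    """Build a VRRPv2 advertisement; used here only to construct sample traffic."""
    head = struct.pack("!BBBBBB", 0x21, vrid, priority, 1, 0, interval)  # v2, type 1, one VIP
    body = bytes(int(o) for o in vip.split(".")) + b"\x00" * 8           # VIP + empty auth data
    return head + struct.pack("!H", vrrp_checksum(head + b"\x00\x00" + body)) + body

def parse_advert(pkt: bytes):
    """Return (vrid, priority, interval), or None for anything that is not a valid v2 advert."""
    if len(pkt) < 16 or pkt[0] != 0x21 or vrrp_checksum(pkt) != 0:
        return None
    return pkt[1], pkt[2], pkt[5]

def find_dual_masters(capture, window_mult: int = 3):
    """capture rows are (timestamp, sender IP from the IP header, VRRP payload). A sender that
    advertised at least twice within window_mult intervals is a live master; two live masters
    for one VRID is the split-brain state the article describes. Returns {vrid: {sender, ...}}."""
    recent = defaultdict(list)   # vrid -> [(timestamp, sender)] inside the window
    flagged = defaultdict(set)
    for ts, sender, payload in capture:
        parsed = parse_advert(payload)
        if parsed is None or parsed[1] == 0:   # priority 0 means the master is stepping down
            continue
        vrid, _, interval = parsed
        window = window_mult * interval
        recent[vrid] = [(t, s) for t, s in recent[vrid] if ts - t <= window] + [(ts, sender)]
        live = {s for s, n in Counter(s for _, s in recent[vrid]).items() if n >= 2}
        if len(live) > 1:
            flagged[vrid] |= live
    return dict(flagged)

# Constructed capture: VRID 1, VIP 192.0.2.1; sender IPs are the routers' own addresses.
PKT_A = build_advert(1, 100, "192.0.2.1")   # preferred master
PKT_B = build_advert(1, 95, "192.0.2.1")    # backup
SAMPLE_CAPTURE = (
    [(t, "10.0.0.2", PKT_A) for t in (0, 1, 2)]                          # A is master
    + [(t, "10.0.0.3", PKT_B) for t in (5, 6, 7)]                        # A cold-started, B took over
    + [(t, s, p) for t in (10, 11, 12) for s, p in (("10.0.0.2", PKT_A), ("10.0.0.3", PKT_B))]
)  # A is back and both keep advertising as master
```

A clean fail-over (one sender stops, the other starts after the master-down interval) is not flagged, because the stale sender ages out of the window before the new one has advertised twice.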

Imported from Nokia support database
This solution concerns products that are no longer supported and will not be updated.
