• How many cluster members are supported in VRRP cluster?

  • VRRP cluster on Gaia OS - only 2 members
  • VRRP cluster on IPSO OS - from 2 to 5 members

  
  
  
• How many VRRP interfaces are supported in VRRP cluster on Gaia OS?

  When VRRP cluster is configured per sk92061 - How to configure VRRP on Gaia (i.e., the "ClusterXL" is enabled in the cluster object for State Synchronization), a maximum of 127 VRRP interfaces are supported.

  This because the same cluster member must be the VRRP Master for all virtual routers (VRIDs) to avoid an Active/Active scenario.
  A maximum of one VRID with one VIP address per interface is supported.
  And each VRID must be configured to monitor every other VRRP-enabled interface along with priority deltas that facilitate complete failover to the VRRP Backup cluster member.

  With a maximum priority of 254 and minimum priority delta of 2 per monitored interface, the maximum number of interfaces possible is 127.

  
  
  
• Does VRRP cluster on Gaia OS support Active/Active environments?

  • When VRRP cluster is configured per sk92061 - How to configure VRRP on Gaia (i.e., the "ClusterXL" is enabled in the cluster object for State Synchronization), only Active/Passive environments are supported.

    This allows only one VRID with one VIP address per interface.
    The same cluster member must be the VRRP Master for all VRIDs configured to avoid an Active/Active scenario.
    As such, each VRID must be configured to monitor every other VRRP-enabled interface along with priority deltas that facilitate complete failover to the VRRP Backup cluster member.

  • When VRRP cluster is not configured per sk92061 - How to configure VRRP on Gaia (i.e., the "ClusterXL" is disabled in the cluster object), Active/Active environments can be deployed.

    The maximum qualified number of cluster members is two.
    Each cluster member can be the VRRP Master for one of two VRIDs on an interface at the same time.
    Only Static Routes are supported with this configuration.
    Important Note: "Monitor Firewall State" must be disabled with this configuration.

  
  
  
• What is the RFC number for VRRP v2, and where can I get a copy?

  VRRP v2 is defined in RFC 2338.
  This is an excerpt from this RFC:

  This memo defines the Virtual Router Redundancy Protocol (VRRP). VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN. The VRRP router controlling the IP address(es) associated with a virtual router is called the Master, and forwards packets sent to these IP addresses. The election process provides dynamic fail over in the forwarding responsibility should the Master become unavailable. This allows any of the virtual router IP addresses on the LAN to be used as the default first hop router by end-hosts. The advantage gained from using VRRP is a higher availability default path without requiring configuration of dynamic routing or router discovery protocols on every end-host.

  
  
  
• Does RFC 2338 cover VRRP Monitored Circuit?

  VRRP Monitored Circuit (VRRP MC) was created to enhance the performance of VRRP.
  It eliminates asymmetric routes by enabling VRRP running on each network interface to monitor the state of any other network interface.
  VRRP MC is specific to IPSO.

  
  
  
• Where can I find more detailed configuration information for VRRP?

  • For VRRP cluster on Gaia OS:

    Refer to:

    • R77 versions Gaia Administration Guide - Chapter "High Availability"
    • sk92061 - How to configure VRRP on Gaia
    • sk105170 - Configuration requirements / considerations and limitations for VRRP cluster on Gaia OS
    • sk98226 - Dynamic Routing and VRRP Features on Gaia OS
    • sk98371 - MCVR Enhancement for VRRP Simplified Mode on Gaia OS

  • For VRRP cluster on IPSO OS:

    Refer to:

    • Network Voyager Reference Guide for IPSO 6.2 - Chapter 4 "High Availability Solutions"
    • Command Line Interface Reference Guide for IPSO 6.2 - Chapter 4 "High Availability Commands"

  For additional information, refer to Check Point Support Center.

  
  
  
• In summary, which VRRP should one use?

  The best performance comes with VRRP Monitored Circuit (VRRP MC).

  The only reasons one should consider VRRP v2, are:

  • either it is necessary to establish VRRP between Check Point Security Gateway running IPSO OS and a platform from another vendor
  • or there are no extra IP address to use for VRRP MC

  
  
  
• How much time does it take for a VRRP transition?

  Section 6.1.2 in the RFC 2338 (VRRP v2) states the following:

  Master_Down_IntervalTime interval for Backup to declare Master down (seconds). Calculated as:

  (3 * Advertisement_Interval) + Skew_time

  Skew_Time: Time to skew Master_Down_Interval in seconds. Calculated as:

  ( (256 - Priority) / 256 )

  This means that the greater the priority, then the smaller the skew_time, which results in a faster transition.
  Therefore, using a priority of 254 will result in faster transition times.

  The next question would be to ask, "Why is it designed this way?".
  In VRRP v2, the master always has a priority of 255. A backup may have a priority =< 254.
  If there was a power failure and both platforms rebooted, this gives the master the edge in reclaiming its position in the VRRP hierarchy.

  Typically, failover occurs between 3-4 seconds, using default values.

  
  
  
• I am testing VRRP Monitored Circuit (VRRP MC) by pulling an interface, but the other interfaces do not let go of their IP addresses!

  Chances are that the effective priority of the "disabled" platform is still greater than the effective priority of the backup platform.
  Use Network Voyager to look at the VRRP Monitor Page to verify this.
  The priority delta should be configured in such a way that the system will drop to backup, if only one interface is down on the master.

  
  
  
• Are there any problems with the use of VRRP on switched networks?

  Refer to sk40656 - IPSO VRRP interoperability concerns with switches.

  
  
  
• Can VRRP be used to backup a physical interface connected to a LAN with another physical interface connected to the same LAN?
  In other words, can we use eth-s1p2 to backup eth-s1p1 on the same LAN?

  The VRRP protocol does not support having 2 logical interfaces in the same broadcast domain.
  Use Link Redundancy or Link Aggregation to achieve this.

  
  
  
• Can I change the Multicast IP address that VRRP uses from 224.0.0.18 to something else?

  No.
  224.0.0.18 is the defined Multicast address for VRRP and cannot be changed.

  
  
  
• What is the purpose of the Cold Start Delay?

  The Cold Start Delay was introduced to solve one particular problem: the IP Series platform running IPSO OS was able to become a VRRP Master before Check Point FireWall could fully start. In a Active/Passive VRRP configuration, where one platform was the established VRRP Master, this situation is likely to occur when the VRRP Master is rebooted. As soon as it is able, the VRRP Master would take back the VRRP IP addresses. This would result in established sessions being dropped by the VRRP Master because its state tables did not have the necessary entries.

  Enabling the Cold Start delay, enabled Check Point FireWall to startup and synchronize with the other cluster member before a VRRP transition would cause all sessions to route through the VRRP Master.

  
  
  
• Must I setup an established VRRP Master?

  An established VRRP Master is the cluster member configured with a priority that is greater than the priority of the VRRP Backup(s).
  A good reason for this configuration is when the VRRP Master is a more robust platform than the VRRP Backup platform.
  However, if the two cluster members are identical, either one can be the VRRP Master.
  Then, the VIP priorities can be the same on each platform. It will usually be the first cluster member, which comes online.

  
  
  
• Could there be a problem associated with equivalent priorities between two cluster members?

  It is possible, though improbable, that during a simultaneous reboot of VRRP cluster members, one cluster member becomes the VRRP Master for the external VIP address and the other cluster member becomes the VRRP Master of the internal VIP address.

  There is a tie-breaking algorithm used in situations like this to prevent this very occurrence.
  Should both VRRP cluster members see VRRP "HELLO" packets from each other at the same time, the cluster member with the numerically greater IP address becomes the VRRP Master.
  For this reason, it would be wise for all interfaces on one cluster member to be numerically greater than the interfaces on the peer cluster member.
  For example, Member_A should be the X.X.X.2 host and Member_B should be the X.X.X.1 host on all connected interfaces.

  
  
  
• What is the "cphaprob state" output in a VRRP cluster?

  ClusterXL runs in Sync-only mode and both cluster members are considered "Active". Output of the "cphaprob state" command would look like this:

  HostName[admin]# cphaprob state
  
  Cluster Mode:   Sync only (OPSEC) with IGMP Membership
  
  Number     Unique Address  Firewall State (*)
  1 (local)  11.11.11.34     Active
  2          11.11.11.35     Active
  
  (*) FW-1 monitors only the sync operation and the security policy. Use OPSEC's monitoring tool to get the cluster status.
  

  
  
  
• Where do I observe VRRP Master / Backup state?

  VRRP Master / Backup state can be observed either in OS WebUI, or OS CLI.

  Operating System	Where?	How?
  VRRP cluster on Gaia OS	Gaia Portal	Go to the "High Availability" section - click on the "VRRP" page - in the upper right corner, click on the "Monitoring" tab.
  	Gaia Clish	show vrrp show vrrp interface <Interface_Name> show vrrp interfaces show vrrp stats show vrrp summary
  	Documentation	R77 versions Gaia Administration Guide - Chapter "High Availability" sk92061 - How to configure VRRP on Gaia
  VRRP cluster on IPSO OS	IPSO Network Voyager	Expand the "Configuration" - expand the "High Availability" - click on the "VRRP" page - click on the "VRRP Monitor".
  	IPSO Clish	show vrrp show vrrp interface <Interface_Name> show vrrp interfaces show vrrp stats show vrrp summary show mcvr ...
  	Documentation	Network Voyager Reference Guide for IPSO 6.2 - Chapter 4 "High Availability Solutions" - section "Monitoring VRRP" Command Line Interface Reference Guide for IPSO 6.2 - Chapter 4 "High Availability Commands"

  Examples from IPSO Clish:

  IPSO> show vrrp
  
  VRRP State
      VRRP Router State: Up
      Flags: On,MonitorFirewall
      Interface enabled: 2
      Virtual routers configured: 2
          In Init state 0
          In Backup state 0
          In Master state 2
  
  
  IPSO> show vrrp interfaces
  
  VRRP Interfaces
  Interface eth1
      Number of virtual routers: 1
      Flags: MonitoredCircuitMode
      Authentication: NoAuthentication
      VRID 1
              State:                    Master               Time since transition:    8725
              BasePriority:             100                  Effective Priority:       100
              Master transitions:       1                    Flags:
              Advertisement interval:   1                    Router Dead Interval:     3
              VMAC Mode:                VRRP                 VMAC:                     00:00:5e:00:01:01
          Primary address: 1.1.1.34
          Next advertisement:
          Number of Addresses: 1
              1.1.1.36
          Monitored circuits
              eth2 (priority 10)
  
  Interface eth2
      Number of virtual routers: 1
      Flags: MonitoredCircuitMode
      Authentication: NoAuthentication
      VRID 2
              State:                    Master               Time since transition:    8725
              BasePriority:             100                  Effective Priority:       100
              Master transitions:       1                    Flags:
              Advertisement interval:   1                    Router Dead Interval:     3
              VMAC Mode:                VRRP                 VMAC:                     00:00:5e:00:01:02
          Primary address: 2.2.2.34
          Next advertisement:
          Number of Addresses: 1
              2.2.2.36
          Monitored circuits
  eth1 (priority 10)
  

Related Solutions:

• sk105170 - Configuration requirements / considerations and limitations for VRRP cluster on Gaia OS
• sk92061 - How to configure VRRP on Gaia
• sk98226 - Dynamic Routing and VRRP Features on Gaia OS
• sk98371 - MCVR Enhancement for VRRP Simplified Mode on Gaia OS
• sk45028 - VRRP errors explained
• sk40618 - Legacy VRRP versus Simplified VRRP configuration on IPSO OS