The configuration on the active and standby firewalls were the same, but the following message was displayed during configuration saving:
HRP NOTICE: Some local vrrp standbies configed as slave don't accord with vrrp standbies configed as master on peer device!
The message on the standby firewall was:
HRP NOTICE: Some local vrrp standbies configed as master don't accord with vrrp standbies configed as slave on peer device!
1. The debugging vrrp-group all command was executed on the standby firewall. The output indicated that the outside interface of the standby firewall received the VGMP hello packet sent from the interface.
2009-07-21 14:28:37 AHHF-PS-MMS02-FW02 %%01VGMP/8/DebugPacket(d):
Virtual Router Management Group SLAVE: receiving from 18.104.22.168, message type HELLO mode ACK priority = 65000
2. The standby firewall (22.214.171.124) was pinged from the active firewall.
PING 126.96.36.199: 56 data bytes, press CTRL+C to break
Reply from 188.8.131.52: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 184.108.40.206: bytes=56 Sequence=1 ttl=255 time=17 ms (DUP!)
Reply from 220.127.116.11: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 18.104.22.168: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 22.214.171.124: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 126.96.36.199: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 188.8.131.52 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/3/17 ms
The debugging output indicated that the standby firewall received the VGMP packet sent by it, and therefore the error message was displayed. The standby firewall parsed the received VGMP hello packet to obtain the number of VGMP members and compared the number with that stored locally. Because the state of the standby device is slave, the number of members in master state is 0. The numbers did not match. Therefore, a message was displayed indicating that the configurations on the active and standby firewalls are different.
3. The ping result (TTL of 255) indicated that a Layer 2 loop occurred.
In hot standby deployment, VGMP hello packets are sent through heartbeat interfaces. If a VGMP hello packet is lost, the firewall floods the hello packets out of all interfaces of VRRP group members until the firewall receives a response. During configuration saving, the CPU is busy writing data to flash and the VGMP hello packets may not be processed during this period. The firewall does not receive any response within a specified period. As a result, the firewall considers the heartbeat packet lost and floods the hello packet out of all VRRP group member interfaces. The service ports also send VGMP hello packets. When a Layer 2 loop occurs on the service ports, the packets sent out of the ports are sent back to them and the error message mentioned previously is displayed.
The Layer 2 loop occurred because the Eth-Trunk was configured on the outside interface of the USG but not on the switches. As a result, the packets were sent back to the firewalls.
When Eth-Trunk is configured on the firewalls, you must also configure Eth-Trunk on the devices connected to the firewalls.