No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Eudemon300 VRRP as configured to many acl rules lead to the primary/secondary switch abnormally.

Publication Date:  2012-09-25 Views:  42 Downloads:  0
Issue Description
Phenomenon description: in two E300 VRRP networking, when add and delete acl rules, it is too slow about configuring and submitting become effective and lead to the primary/secondary switch abnormally.
When delete acl rules, primary/secondary switch abnormally. Related log information is as follows:
2009-11-16 11:30:53 E300-1 %%01SHELL/5/CMD(l): task:vt0 ip:10.191.126.231 user:XXX vrf:public command:undo rule 4001
2009-11-16 11:30:59 E300-1 %%01VGMP/5/StateChange(l):
Virtual Router Management Group1 :  MASTER --> SLAVE
2009-11-16 11:30:59 E300-1 %%01VRRP/5/StateChange(l):
GigabitEthernet2/0/1 | Virtual Router 50 :  MASTER --> BACKUP
2009-11-16 11:30:59 E300-1 %%01VRRP/5/StateChange(l):
Ethernet1/0/0 | Virtual Router 30 :  MASTER --> BACKUP
2009-11-16 11:30:59 E300-1 %%01VRRP/5/StateChange(l):
Ethernet1/0/1 | Virtual Router 20 :  MASTER --> BACKUP
2009-11-16 11:30:59 E300-1 %%01VRRP/5/StateChange(l):
GigabitEthernet2/0/0 | Virtual Router 40 :  MASTER --> BACKUP
2009-11-16 11:30:59 E300-1 %%01VGMP/5/StateChange(l):
Virtual Router Management Group1 :  SLAVE                                  
2009-11-16 11:30:59 E300-1 %%01VRRP/5/StateChange(l):
  CONFIGMASTER --> CONFIGSLAVE
Alarm Information
none
Handling Process
By collecting the firewall related information find that, the derect reason of primary/secondary switch at Firewall is caused by the reduction of main firewall priority:
HRP_M[E300-1-hidecmd]display firewall vgmp-timer
vrrp-group 1 current timer: HELLO
2009-11-16 11:30:59 HRP HELLO timer expired!
2009-11-16 11:30:59 vrrp-group 1 state change: 5 -> 2
2009-11-16 11:30:59 VGMP receive packet: Type: 2, Mode: 1, Priority: 100, GroupID: 1
2009-11-16 11:30:59 vrrp-group 1 state change: 3 -> 5
2009-11-16 11:30:59 VGMP send packet: Type: 2, Mode: 0, Priority: 105, GroupID: 1
2009-11-16 11:30:59 vrrp-group 1 state change: 4 -> 3
2009-11-16 11:30:59 VGMP receive packet: Type: 1, Mode: 1, Priority: 100, GroupID: 1
2009-11-16 11:30:59 VGMP send packet: Type: 1, Mode: 0, Priority: 99, GroupID: 1
2009-11-16 11:30:59 vrrp-group 1 state change: 2 -> 4
Through the firewall log and alarm information, eliminate the possibility that physical port happen up and down to firewall abnormal switching. Judgment should be the IP – link problem. Check the configuration find firewall configure a large number of acl rules (reached more than 3000), because the acl rule matching is in according to a specific order to match. In this case modify rules firewall will to the rules to acquire the table (code), recount and sorting and consume CPU performance. But IP - link mechanism is to send icmp packet destination address be detected, within the prescribed time response means the link is normal. The icmp packet is detection by CPU processing, so when encode rules in the firewall due to the consumption of the CPU performance which affect the CPU ability dealing with IP - link detection packet. Caused the IP - link state changed, and reduced the main firewall priority. Lead to the primary/secondary switch abnormally. By the test, after delete IP - link configuration, then configure acl rule again, the firewall primary/secondary switching don't happen. So prove the above deducibility.
Root Cause
The root reason of primary/secondary switch at Firewall must be caused by the reduction of main firewall priority. Analysis combined with live network, the may reason lead to reduced the priority is as follows:
1, in the configuration process, main firewall port appeared up, down, leading to the primary/secondary switch.
2, in live network the IP - link, IP - link status configured is down lead to the primary/secondary switch.
Suggestions
none

END