Access exceptions when a NAT server address is published on USG5320 devices in VRRP without the VRRP ID configured

Publication Date: 2012-10-15
Issue Description
Two USG5320 devices run as a VRRP pair and publish an intranet IP address to the public network through a NAT server mapping. When the published address is accessed from the extranet, the service sometimes works and sometimes does not. The configuration is as follows:
master:
#
nat address-group 0 211.137.171.123 211.137.171.123 vrrp 3
nat server 0 global 211.137.171.89 inside 192.168.1.3
nat server 1 global 211.137.171.90 inside 192.168.2.2
#
interface GigabitEthernet0/0/0
ip address 211.137.171.121 255.255.255.0
vrrp vrid 3 virtual-ip 211.137.171.123 255.255.255.0 master
vrrp virtual-mac enable
link-group 1
slave:
#
nat address-group 0 211.137.171.123 211.137.171.123 vrrp 3
nat server 0 global 211.137.171.89 inside 192.168.1.3
nat server 1 global 211.137.171.90 inside 192.168.2.2
interface GigabitEthernet0/0/0
ip address 211.137.171.124 255.255.255.128
vrrp vrid 3 virtual-ip 211.137.171.123 255.255.255.0 slave
vrrp virtual-mac enable
link-group 1
Alarm Information
none
Handling Process
1. The customer configured the full mapping, and the published address could be pinged successfully.
2. Tracert to the published address:
     C:\Documents and Settings\Administrator.LENOVO-B66F6293>tracert 211.137.171.89
Tracing route to 211.137.171.89 over a maximum of 30 hops
  1     *        *        *     Request timed out.
  2     1 ms     1 ms     1 ms  218.17.167.129
  3     *        *        *     Request timed out.
14   174 ms   174 ms   176 ms  211.103.87.66
15   175 ms   176 ms   174 ms  211.137.172.164
16   177 ms   179 ms   178 ms  211.137.172.114
17   176 ms   174 ms   176 ms  211.137.171.124
18     *      184 ms   177 ms  211.137.171.89
19   179 ms   175 ms   177 ms  211.137.171.89

The trace shows that the reply does not come from the master but from the slave (211.137.171.124 at hop 17), so service access works only some of the time. This locates the source of the exception.
3. Checking the configuration shows that the published-address (nat server) statements do not carry the VRRP ID. After the VRRP ID is added and the published addresses are reconfigured, the master responds and service access is normal.
The configuration after modification:
nat server 0 global 211.137.171.89 inside 192.168.1.3 vrrp 3
nat server 1 global 211.137.171.90 inside 192.168.2.2 vrrp 3
Root Cause
1. Network problem
2. Configuration problem
Suggestions
In a VRRP network, configuring a NAT server or NAT address pool without the VRRP ID can cause the device upstream of the USG5300 to learn wrong ARP entries. When a USG5300 interface comes up, it sends gratuitous ARP for the NAT server global addresses and the NAT address pool addresses that are in the same network segment as the local interface address. If the VRRP ID is not configured, the gratuitous ARP carries the actual MAC address of the interface, so the upstream device learns the interface MAC addresses of both the master and the slave USG5300, and its ARP entry becomes wrong. If the VRRP parameter is configured, the gratuitous ARP carries the VRRP virtual MAC address, and the ARP entry learned by the upstream device is correct.
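The rule above can be checked mechanically before a configuration is deployed. The following Python audit is an added example, not Huawei code and not part of the original case; it flags "nat server" and "nat address-group" statements whose public address is on a VRRP-enabled interface's segment but lack the "vrrp <id>" binding. It assumes only the statement forms shown in this case, with "ip address" preceding "vrrp vrid" under each interface, and its function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the master configuration from the case above.
SAMPLE = """\
nat address-group 0 211.137.171.123 211.137.171.123 vrrp 3
nat server 0 global 211.137.171.89 inside 192.168.1.3
nat server 1 global 211.137.171.90 inside 192.168.2.2
#
interface GigabitEthernet0/0/0
 ip address 211.137.171.121 255.255.255.0
 vrrp vrid 3 virtual-ip 211.137.171.123 255.255.255.0 master
"""

def vrrp_segments(config):
    """Return [(network, vrid)] for every interface that carries a VRRP group."""
    segments, network = [], None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            network = None  # new interface block, forget the previous address
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            network = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif (m := re.match(r"vrrp vrid (\d+) ", line)) and network is not None:
            segments.append((network, int(m[1])))
    return segments

def audit_nat_vrrp(config):
    """List (statement, vrid) for NAT lines on a VRRP segment without 'vrrp <id>'."""
    segments = vrrp_segments(config)
    findings = []
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"nat server \d+ .*?global (\S+)", line):
            public = m[1]
        elif m := re.match(r"nat address-group \d+ (\S+) \S+", line):
            public = m[1]  # first address of the pool
        else:
            continue
        if re.search(r"\bvrrp \d+$", line):
            continue  # already bound to a VRRP group
        addr = ipaddress.ip_address(public)
        for network, vrid in segments:
            if addr in network:
                findings.append((line, vrid))
    return findings

if __name__ == "__main__":
    for line, vrid in audit_nat_vrrp(SAMPLE):
        print(f"missing 'vrrp {vrid}': {line}")
```

Run against both the master and the slave configuration, since the statement must carry the VRRP ID on each device.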