Network description: The EUDEMON300 firewalls run version V200R006C02B066 in a VRRP hybrid-mode network. All uplinks and downlinks are Layer 2 channels, so the service VLANs must be transparently transmitted on the interconnection interfaces of the six devices. The slave does not forward. Services are accessed from the S6503 and are separated by VLAN. Layer 3 VLAN interfaces are configured on the NE40, with VRRP in active/standby mode to protect service security. Normally traffic passes through the master and the slave sends no traffic outward; when the interconnection link is broken, traffic switches to the slave and the slave firewall begins to work.
Fault phenomenon: Some services are abnormal; the downstream client hosts cannot ping the gateway on the NE40.
1. Configure a service address on the S6503 to simulate a client and ping the gateway on the NE40; the ping fails.
2. Check the configuration of the NE40 and the S6503: the corresponding interfaces are all configured to transparently transmit the service VLAN.
3. Check the interface traffic on the S6503: the interface connected to the slave firewall is receiving traffic, at a rate of thousands of packets per second. This shows that the slave firewall has started forwarding, so check whether the firewalls are working normally.
4. Log in to the master E300 firewall: its state is normal and unchanged from the original state, and there is no dual-master condition.
5. Check the slave firewall configuration: the service VLAN is transparently transmitted on the downlink or uplink port, but set VGMP is not configured under the VLAN. After set VGMP is configured, the service returns to normal.
1. Configuration problem
2. Networking or device mechanism problem
When the VRRP firewalls are in Layer 2 networking mode, the forwarding state of a firewall VLAN is decided by the state of the VGMP it is bound to. If the VGMP state is standby, all packets received on the VLAN interface are discarded; if it is active, the VLAN interface forwards packets normally. This has nothing to do with whether composite-HRP permit-backupforward (the function that allows the slave to forward service traffic) is configured on the slave firewall.
So every service VLAN on the firewall must be configured with set VGMP. Without this configuration, the network forms a Layer 2 loop.
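The forwarding rule above can be turned into a pre-change check. The following is an added example, not Huawei code or Eudemon CLI output: it models a firewall pair and reports service VLANs that both units would forward at once. The data layout, the names fw-master and fw-slave, and VLAN IDs 100/200/300 are constructed assumptions, and the rule that an unbound VLAN forwards regardless of role is taken from the fault described on this page.

```python
from dataclasses import dataclass, field

@dataclass
class Firewall:
    name: str
    vgmp_state: str                                # "active" or "standby"
    trunk_vlans: set = field(default_factory=set)  # VLANs passed on uplink/downlink ports
    vgmp_vlans: set = field(default_factory=set)   # VLANs bound to VGMP

    def forwards(self, vlan):
        if vlan not in self.trunk_vlans:
            return False
        if vlan in self.vgmp_vlans:
            # Bound VLAN: forwarding follows the VGMP state.
            return self.vgmp_state == "active"
        # Unbound VLAN: no VGMP state gates it, so it forwards on this unit
        # regardless of role (the slave behaviour seen in step 3).
        return True

def unbound_vlans(fw):
    """Service VLANs carried on the ports but missing a VGMP binding."""
    return sorted(fw.trunk_vlans - fw.vgmp_vlans)

def loop_vlans(firewalls):
    """VLANs forwarded by more than one firewall at once (Layer 2 loop)."""
    vlans = set().union(*(fw.trunk_vlans for fw in firewalls))
    return sorted(v for v in vlans
                  if sum(fw.forwards(v) for fw in firewalls) > 1)

def sample_pair():
    # Constructed inventory: VLAN 300 is trunked on the slave but not bound.
    master = Firewall("fw-master", "active", {100, 200, 300}, {100, 200, 300})
    slave = Firewall("fw-slave", "standby", {100, 200, 300}, {100, 200})
    return master, slave

if __name__ == "__main__":
    master, slave = sample_pair()
    print("unbound on slave:", unbound_vlans(slave))
    print("loop VLANs:", loop_vlans([master, slave]))
    slave.vgmp_vlans.add(300)   # the fix from step 5
    print("loop VLANs after binding:", loop_vlans([master, slave]))
```

Running the same check with the two VGMP states swapped confirms that, once every VLAN is bound, exactly one unit forwards each VLAN after a switchover.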