VRRP configuration error detected in USG6300

Publication Date: 2015-06-25
Issue Description

A customer found that the USG6300 was reporting a large number of VRRP configuration errors.

%2015-05-26 23:34:46 PER1-FLX-FWL-01 %%01VRRP/3/CONFIGERROR(l): System detected a VRRP config error of VIRTUAL IP ADDRESS ERROR, Interface: Eth-Trunk1.22, VRRP Backup Group: 22!

%2015-05-26 23:34:46 PER1-FLX-FWL-01 %%01VRRP/3/CONFIGERROR(l): System detected a VRRP config error of VIRTUAL IP ADDRESS ERROR, Interface: Eth-Trunk1.30, VRRP Backup Group: 30!

%2015-05-26 23:34:46 PER1-FLX-FWL-01 %%01VRRP/3/CONFIGERROR(l): System detected a VRRP config error of VIRTUAL IP ADDRESS ERROR, Interface: Eth-Trunk1.86, VRRP Backup Group: 86!

The output of the command “display logbuffer” showed that all of the logs were the same as those above, which is abnormal.

This is the topology:

 

Alarm Information
None
Handling Process

(1)    Since three VRIDs reported this error, we took VRID 22 to investigate.

We checked the configuration of the master and slave firewalls:

Master firewall:

interface Eth-Trunk1.22
 vlan-type dot1q 2122
 description to PER1-FLX-SWI-01_client#3_downlink
 ip binding vpn-instance vpn_per_c003
 ip address 10.156.22.3 255.255.255.240
 vrrp vrid 22 virtual-ip 10.156.22.2 active
 service-manage ping permit

Slave firewall:

#
interface Eth-Trunk1.22
 vlan-type dot1q 2122
 description to PER1-FLX-SWI-01_client#3_downlink
 ip binding vpn-instance vpn_per_c003
 ip address 10.156.22.4 255.255.255.240
 vrrp vrid 22 virtual-ip 10.156.22.2 standby
 service-manage ping permit
#

Compared with the other VRIDs that had no problem, nothing was different.

 

(2)    Since the device at the other end is a CE6800, we did some troubleshooting on the CE6800.

The output of the command “display arp track” showed that the CE6800 received the MAC 0000-5e00-0116 of IP 10.156.22.2 on both Eth-Trunk1 and Eth-Trunk8. It seemed that there was a loop in the network.

(3)    We checked the configuration of Eth-Trunk1 and Eth-Trunk8 and found that STP was disabled.

#
interface Eth-Trunk1
 description To PER1-FLX-FWL-01_G1/0/1_Pub DMZ_Internet_uplink
 port link-type trunk
 port trunk allow-pass vlan 250 2010 2022 2026 2111 2114 2119 2122 2128 2130
 port trunk allow-pass vlan 2180 2186
 stp disable
 mode lacp-static
#
interface Eth-Trunk8
 description to PER1-FLX-FWL-03_G1/0/8_downlink
 port link-type trunk
 port trunk allow-pass vlan 250 2022 2026 2114 2122 2130 2186
 stp disable
#

 

We confirmed with the customer that, when they designed this network, they were sure that there was no loop. If so, why did the CE6800 receive the same MAC from two interfaces?

(4)    We checked the MAC address “0000-5e00-0116” and found that it was the MAC of “vrrp vrid 22 virtual-ip 10.156.22.2”. From the topology, we can see that there were another two USG6500 firewalls at the bottom. We asked the customer to check whether the configuration of the USG6500 firewalls contained the same VRID 22. As we know, in the same network, if the VRID is the same, then the MAC address will be the same. The answer was as expected: there was a VRRP group on the USG6500 with the same VRID 22.

Root Cause

In the same network, there are two VRRP groups with the same VRID. In this situation they have the same MAC address, which is why the CE6800 received the same MAC from both Eth-Trunk1 and Eth-Trunk8. The USG6300 also detects the other VRID in the network, so it writes the log:

%2015-05-26 23:34:46 PER1-FLX-FWL-01 %%01VRRP/3/CONFIGERROR(l): System detected a VRRP config error of VIRTUAL IP ADDRESS ERROR, Interface: Eth-Trunk1.22, VRRP Backup Group: 22!

Solution

1.     Change the VRID on the USG6500 to another value that is different from the one used on the USG6300.

Suggestions

In the same network, if there are many VRRP groups on different devices, make sure that their VRID numbers are different.
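
A configuration check for the condition described in the root cause, as an added example that is not part of the original case or of Huawei's tooling. It assumes the standard IPv4 VRRP virtual MAC format 00-00-5E-00-01-{VRID} (22 = 0x16, matching 0000-5e00-0116) and that the conflicting groups use different virtual IPs; the USG6500 entry, its interface name and its 192.0.2.2 address are constructed.

```python
import re
from collections import defaultdict

def vrrp_virtual_mac(vrid):
    """IPv4 VRRP virtual MAC 00-00-5E-00-01-{VRID}, in Huawei xxxx-xxxx-xxxx form."""
    if not 1 <= vrid <= 255:
        raise ValueError(f"VRID out of range: {vrid}")
    return f"0000-5e00-01{vrid:02x}"

def parse_vrrp(config):
    """Yield (vlan, vrid, virtual_ip, interface) for each 'vrrp vrid' line."""
    iface = vlan = None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            iface, vlan = m.group(1), None
        elif m := re.match(r"vlan-type dot1q (\d+)", line):
            vlan = int(m.group(1))
        elif m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+)", line):
            yield vlan, int(m.group(1)), m.group(2), iface

def find_vrid_conflicts(configs):
    """Flag a VRID used with more than one virtual IP inside the same VLAN."""
    seen = defaultdict(lambda: defaultdict(list))
    for device, text in configs.items():
        for vlan, vrid, vip, iface in parse_vrrp(text):
            seen[(vlan, vrid)][vip].append(f"{device}:{iface}")
    return [{"vlan": vlan, "vrid": vrid, "mac": vrrp_virtual_mac(vrid), "groups": dict(vips)}
            for (vlan, vrid), vips in seen.items() if len(vips) > 1]

# USG6300 entries are taken from the Eth-Trunk1.22 configuration on this page.
# The USG6500 entry is constructed: interface name and 192.0.2.2 are placeholders.
CONFIGS = {
    "USG6300-master": """interface Eth-Trunk1.22
 vlan-type dot1q 2122
 vrrp vrid 22 virtual-ip 10.156.22.2 active""",
    "USG6300-slave": """interface Eth-Trunk1.22
 vlan-type dot1q 2122
 vrrp vrid 22 virtual-ip 10.156.22.2 standby""",
    "USG6500-constructed": """interface Eth-Trunk2.22
 vlan-type dot1q 2122
 vrrp vrid 22 virtual-ip 192.0.2.2 active""",
}

if __name__ == "__main__":
    for c in find_vrid_conflicts(CONFIGS):
        print(f"VLAN {c['vlan']} VRID {c['vrid']} -> MAC {c['mac']}: {c['groups']}")
```

The master and slave of one backup group share a virtual IP and are not flagged; only a second group reusing the VRID in the same VLAN is reported.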
