
Communication issue caused in VRRP scenario

Publication Date: 2018-02-10
Issue Description

The customer contacted us about a communication issue between two sites, from the HQ to the branch office.

Topology below:



Our devices are sw-royrobson-1 and sw-royrobson-2. ICMP packets pass from sw-royrobson-1 to sw-royrobson-2; the issue is between the two firewall clusters, where ICMP does not work. Each cluster runs VRRP in Active/Standby mode.

Device and version: S5720 V200R010C00SPC600

Patch: V200R010SPH008

Handling Process

We collected traffic statistics for the ICMP flow leaving XGE0/0/1 of sw-royrobson-2 and arriving inbound on XGE0/0/1 of sw-royrobson-1, using the following traffic policy on sw-royrobson-1:

[sw-royrobson-1]acl 3001
[sw-royrobson-1-acl-adv-3001]rule 5 permit icmp source x.x.y.1 0 destination x.x.y.2 0
[sw-royrobson-1-acl-adv-3001]rule 10 permit icmp source x.x.y.2 0 destination x.x.y.1 0
[sw-royrobson-1]traffic classifier c1
[sw-royrobson-1-classifier-c1]if-match acl 3001
[sw-royrobson-1]traffic behavior b1
[sw-royrobson-1-behavior-b1]statistic enable
[sw-royrobson-1]traffic policy p1
[sw-royrobson-1-trafficpolicy-p1]classifier c1 behavior b1
[sw-royrobson-1]interface XGigabitEthernet 0/0/1
[sw-royrobson-1-XGigabitEthernet0/0/1]traffic-policy p1 in

[sw-royrobson-1]disp traffic policy statistics interface XGigabitEthernet 0/0/1 inbound
Interface: XGigabitEthernet0/0/1
 Traffic policy inbound: p1
 Rule number: 1
 Current status: success
 Statistics interval: 300
---------------------------------------------------------------------
 Board : 0
---------------------------------------------------------------------
 Matched          |      Packets:                            21
                  |      Bytes:                               -
                  |      Rate(pps):                           0
                  |      Rate(bps):                           -
---------------------------------------------------------------------
   Passed         |      Packets:                            21
                  |      Bytes:                               -
                  |      Rate(pps):                           0
                  |      Rate(bps):                           -
---------------------------------------------------------------------
   Dropped        |      Packets:                             0
                  |      Bytes:                               -
                  |      Rate(pps):                           0
                  |      Rate(bps):                           -
---------------------------------------------------------------------
     Filter       |      Packets:                             0
                  |      Bytes:                               -
---------------------------------------------------------------------
     Car          |      Packets:                             0
                  |      Bytes:                               -

The packet statistics show that our switches are receiving the ICMP requests, but at this point we were still not sure why the communication between the sites was failing.

We then searched the MAC address table of sw-royrobson-1 for the virtual MAC of the site 2 firewall (0000-5e00-0136). Two consecutive lookups returned the following:

[sw-royrobson-1]disp mac-address | i 0000-5e00-0136
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI                          Learned-From        Type
-------------------------------------------------------------------------------
0000-5e00-0136 339/-                             XGE0/0/1            dynamic
-------------------------------------------------------------------------------
Total items displayed = 3918

[sw-royrobson-1]disp mac-address | i 0000-5e00-0136
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI                          Learned-From        Type
-------------------------------------------------------------------------------
0000-5e00-0136 339/-                             GE0/0/2             dynamic
-------------------------------------------------------------------------------


Root Cause

We noticed that the same MAC address 0000-5e00-0136 was learned on both the uplink and the downlink. That meant either a loop in the network or both sites having the same virtual MAC configured. We saw no loop on our device, so we asked the customer to check the VRRP configuration of the firewalls and ensure that the cluster IDs were not the same: identical cluster IDs cause both virtual MACs to be the same.


Solution

Reconfigure VRRP on the WatchGuard firewalls so that each site uses a different cluster ID.


Suggestions

After the virtual IP address of the VRRP group is specified, the device generates a virtual MAC address based on the VRID. The format of the MAC address is 00-00-5E-00-01-{ virtual-router-ID }. Each virtual-router-ID corresponds to one virtual MAC address only.

Make sure you configure a different VRRP VRID at each site so that you do not encounter the issue presented above.
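The two checks this case relied on, reading the MAC address table for a MAC learned from more than one interface and mapping a VRRP virtual MAC back to its VRID, can be scripted. The following is an added example written for this page; it is not Huawei tooling or part of the original case. It parses the text of "display mac-address" in the row layout shown above (the sample output below is constructed to mirror the two lookups from the case), reports any MAC seen on more than one interface, decodes the VRID from a 00-00-5E-00-01-{VRID} virtual MAC, and checks a per-site VRID plan for collisions before deployment.

```python
"""Diagnostic helpers for the VRRP virtual-MAC collision described in the case.

Added example, not part of the original page or any vendor tool. Assumes the
row layout of a Huawei "display mac-address" output:
    <mac> <vlan>/<vsi> <learned-from-interface> <type>
"""
import re
from collections import defaultdict

# IPv4 VRRP virtual MAC: 00-00-5E-00-01-{VRID}, in Huawei xxxx-xxxx-xxxx form
VRRP_MAC_PREFIX = "0000-5e00-01"

# Matches one data row of the MAC table; header/separator lines do not match.
MAC_ROW = re.compile(
    r"^(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<vlan>\S+)\s+(?P<port>\S+)\s+(?P<type>\S+)\s*$",
    re.IGNORECASE,
)

# Constructed sample: the two lookups from the case concatenated, plus one
# ordinary host MAC so the filter has something benign to ignore.
SAMPLE_OUTPUT = """
[sw-royrobson-1]disp mac-address | i 0000-5e00-0136
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI                          Learned-From        Type
-------------------------------------------------------------------------------
0000-5e00-0136 339/-                             XGE0/0/1            dynamic
-------------------------------------------------------------------------------
Total items displayed = 3918

[sw-royrobson-1]disp mac-address | i 0000-5e00-0136
0000-5e00-0136 339/-                             GE0/0/2             dynamic
a1b2-c3d4-e5f6 339/-                             GE0/0/5             dynamic
"""


def parse_mac_table(text):
    """Return {mac: set(interfaces)} for every data row in the output."""
    learned = defaultdict(set)
    for line in text.splitlines():
        m = MAC_ROW.match(line.strip())
        if m:
            learned[m.group("mac").lower()].add(m.group("port"))
    return dict(learned)


def vrid_from_virtual_mac(mac):
    """Decode the VRID from a VRRP virtual MAC (any separator), else None."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or not digits.startswith("00005e0001"):
        return None
    return int(digits[10:], 16)


def virtual_mac_from_vrid(vrid):
    """Build the VRRP virtual MAC (Huawei form) for a VRID in 1..255."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be between 1 and 255")
    return f"{VRRP_MAC_PREFIX}{vrid:02x}"


def find_flapping_macs(text):
    """MACs learned on more than one interface, with decoded VRID if VRRP."""
    flapping = {}
    for mac, ports in parse_mac_table(text).items():
        if len(ports) > 1:
            flapping[mac] = {"ports": sorted(ports),
                             "vrid": vrid_from_virtual_mac(mac)}
    return flapping


def find_vrid_collisions(site_vrids):
    """Given {site: [vrid, ...]}, return {vrid: [sites]} for VRIDs reused
    across sites (they would share one virtual MAC on a common L2 path)."""
    by_vrid = defaultdict(list)
    for site, vrids in site_vrids.items():
        for vrid in vrids:
            by_vrid[vrid].append(site)
    return {v: sorted(s) for v, s in by_vrid.items() if len(s) > 1}


if __name__ == "__main__":
    for mac, info in find_flapping_macs(SAMPLE_OUTPUT).items():
        print(f"{mac} learned on {info['ports']} (VRID {info['vrid']})")
    # Hypothetical VRID plan for the two sites in the case
    print(find_vrid_collisions({"HQ": [54], "Branch": [54]}))
```

Run against a saved copy of the switch output (or the constructed sample), the script reports 0000-5e00-0136 on both GE0/0/2 and XGE0/0/1 with VRID 54 (0x36), which is exactly the duplicate-learning symptom that pointed to the shared cluster ID; the collision check is the planning-time counterpart of the suggestion above.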

