An Interconnection Problem Between the USG5300 and Huawei Switches in a Two-Node Cluster Environment

Publication Date: 2012-11-06
Issue Description
The USG5300 firewalls and Huawei switches use the classic square two-node cluster networking:
Huawei switch------------- Huawei switch
         |                                  |
         |                                  |
Problem: The Huawei switches and the USG5300 use the VRRP protocol for two-node cluster networking, but the Huawei switch cannot ping the VRRP virtual MAC of the USG5300. All other ping tests are normal.
Alarm Information
Handling Process
1. Checked the configuration and the networking; both were normal.
2. Checked ARP learning and found that the Huawei switch had failed to learn the USG5300’s VRRP virtual MAC.
3. Captured and analyzed packets during the ARP learning process. Examining the ARP response message showed that its source MAC is not consistent with the response MAC inside the message: the source MAC of the ARP response message is the firewall’s real MAC, while the response MAC inside the message is the VRRP virtual MAC.
4. Further communication confirmed that some Huawei switches perform a consistency check on the inner and outer MAC addresses of ARP messages. If a message does not pass the check, the switch does not learn the ARP entry.
5. Consulted the VRRP feature section of the USG5300 manual and found that “vrrp virtual-mac enable” supports this scenario. The command enables the function by which the USG5300 uses the virtual MAC address, so that the virtual MAC address corresponds to the actual IP address of the interface. By default, the virtual MAC address function is disabled.
6. “vrrp virtual-mac enable” is not backed up between the master and slave devices, so the command must be configured on both the master and the slave.
7. The network returned to normal after the command was enabled.
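The comparison from steps 3 and 4, as an added example that is not part of the original case: a Python check that parses an untagged Ethernet/IPv4 ARP reply and reports whether the outer Ethernet source MAC matches the sender MAC inside the ARP message. The MAC and IP values are constructed, and the function names are hypothetical.

```python
import struct

ETH_P_ARP, ARP_REPLY = 0x0806, 2

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def check_arp_reply(frame):
    """Compare the outer Ethernet source MAC with the inner ARP sender MAC.

    Handles untagged Ethernet II / IPv4 ARP replies only; returns None otherwise.
    """
    if len(frame) < 42:
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper != ARP_REPLY:
        return None
    return {
        "eth_src": fmt_mac(eth_src),
        "arp_sender_mac": fmt_mac(sha),
        "arp_sender_ip": ".".join(str(b) for b in spa),
        "consistent": eth_src == sha,
    }

def build_reply(eth_src, sender_mac, sender_ip, eth_dst, target_ip):
    """Build a constructed ARP reply frame for the demonstration."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(p) for p in s.split("."))
    header = mac(eth_dst) + mac(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return header + arp + mac(sender_mac) + ip(sender_ip) + mac(eth_dst) + ip(target_ip)

# Constructed sample values (not taken from the original capture).
REAL_MAC = "02:00:00:aa:bb:01"     # stands in for the firewall's real interface MAC
VIRTUAL_MAC = "00:00:5e:00:01:01"  # VRRP virtual MAC for VRID 1 (00-00-5E-00-01-{VRID})
SWITCH_MAC, VIP, SWITCH_IP = "02:00:00:cc:dd:02", "192.0.2.1", "192.0.2.10"

# Reply as described in step 3: outer source is the real MAC, inner sender is the virtual MAC.
MISMATCHED = build_reply(REAL_MAC, VIRTUAL_MAC, VIP, SWITCH_MAC, SWITCH_IP)
# Reply whose outer and inner MACs agree, which passes the consistency check.
MATCHED = build_reply(VIRTUAL_MAC, VIRTUAL_MAC, VIP, SWITCH_MAC, SWITCH_IP)

if __name__ == "__main__":
    for name, frame in (("mismatched", MISMATCHED), ("matched", MATCHED)):
        print(name, check_arp_reply(frame))
```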
Root Cause
The analysis considered the following possible causes:
1. Packet filtering and other configuration problems.
2. An IP address conflict.
3. Ping succeeds in one direction, so the physical link should not be the problem. ARP learning takes place before the ping packets are sent, so further work is needed to locate the step in which the problem occurs.
From this case we can derive a problem analysis method that mainly includes the following steps:
Configuration check --> analysis of the assumed data flow --> locating the faulty step --> packet capture --> comparative analysis