A Message Was Displayed Indicating Inconsistent Configuration on Active and Standby Firewalls During Configuration Saving Because Eth-Trunk Was Configured on Firewalls But Not on the Switches

Publication Date: 2015-07-02
Issue Description
The configurations on the active and standby firewalls were the same, but the following message was displayed during configuration saving:

HRP NOTICE: Some local vrrp standbies configed as slave don't accord with vrrp standbies configed as master on peer device!

The message on the standby firewall was:

HRP NOTICE: Some local vrrp standbies configed as master don't accord with vrrp standbies configed as slave on peer device!
Handling Process
1. The debugging vrrp-group all command was executed on the standby firewall. The output indicated that the outside interface of the standby firewall was receiving a VGMP hello packet that had been sent from that same interface.

2009-07-21 14:28:37 AHHF-PS-MMS02-FW02 %%01VGMP/8/DebugPacket(d): 
Virtual Router Management Group SLAVE: receiving from 81.130.119.147, message type HELLO mode ACK priority = 65000


2. The standby firewall (81.130.119.147) was pinged from the active firewall.

HRP_M[AHHF-PS-MMS02-FW01]ping 81.130.119.147
14:51:22  2009/07/21
  PING 81.130.119.147: 56  data bytes, press CTRL+C to break
    Reply from 81.130.119.147: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 81.130.119.147: bytes=56 Sequence=1 ttl=255 time=17 ms (DUP!)
    Reply from 81.130.119.147: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 81.130.119.147: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 81.130.119.147: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 81.130.119.147: bytes=56 Sequence=5 ttl=255 time=1 ms

  --- 81.130.119.147 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    1 duplicates
    0.00% packet loss
    round-trip min/avg/max = 1/3/17 ms


The debugging output indicated that the standby firewall received the VGMP hello packet it had sent itself, which is why the error message was displayed. The standby firewall parsed the received VGMP hello packet to obtain the number of VGMP members and compared it with the number stored locally. Because the standby device is in slave state, its number of members in master state is 0, so the two numbers did not match. Therefore, a message was displayed indicating that the configurations on the active and standby firewalls are different.

3. The ping result (a duplicate reply, with a TTL of 255) indicated that a Layer 2 loop occurred.
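The two symptoms above (a duplicate echo reply and a VGMP hello arriving from the device's own address) can be checked automatically against captured CLI text. The following is an added example, not Huawei code; it assumes the ping and debugging output have been captured as plain text, and the sample strings are constructed from the outputs shown in this case.

```python
import re

# Constructed sample: ping output as captured from the firewall CLI in this case.
PING_OUTPUT = """\
  PING 81.130.119.147: 56  data bytes, press CTRL+C to break
    Reply from 81.130.119.147: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 81.130.119.147: bytes=56 Sequence=1 ttl=255 time=17 ms (DUP!)
    Reply from 81.130.119.147: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 81.130.119.147: bytes=56 Sequence=3 ttl=255 time=1 ms
  --- 81.130.119.147 ping statistics ---
"""

# Constructed sample: one VGMP debugging line as captured on the standby firewall.
VGMP_DEBUG = """\
2009-07-21 14:28:37 AHHF-PS-MMS02-FW02 %%01VGMP/8/DebugPacket(d):
Virtual Router Management Group SLAVE: receiving from 81.130.119.147, message type HELLO mode ACK priority = 65000
"""

REPLY_RE = re.compile(r"Reply from ([\d.]+): bytes=\d+ Sequence=(\d+) ttl=(\d+)")
HELLO_RE = re.compile(r"receiving from ([\d.]+), message type HELLO")


def ping_duplicates(output):
    """Return (duplicate_count, duplicated sequence numbers).

    A sequence number answered more than once means the echo request or
    reply was delivered twice, the classic sign of a Layer 2 loop.
    """
    seen, dups = set(), []
    for m in REPLY_RE.finditer(output):
        seq = int(m.group(2))
        if seq in seen:
            dups.append(seq)
        seen.add(seq)
    return len(dups), dups


def self_addressed_hellos(debug_output, local_ips):
    """Return source IPs of VGMP hellos that originate from this device's own interfaces."""
    return [m.group(1) for m in HELLO_RE.finditer(debug_output) if m.group(1) in local_ips]


def layer2_loop_suspected(ping_output, debug_output, local_ips):
    """True when both symptoms from this case are present at the same time."""
    dup_count, _ = ping_duplicates(ping_output)
    return dup_count > 0 and bool(self_addressed_hellos(debug_output, local_ips))
```

Run `layer2_loop_suspected(PING_OUTPUT, VGMP_DEBUG, {"81.130.119.147"})` on the standby firewall's captured output to reproduce the diagnosis from this case.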
Root Cause
In a hot standby deployment, VGMP hello packets are sent over the heartbeat interfaces. If a VGMP hello packet is lost, the firewall floods hello packets out of all interfaces belonging to VRRP group members until it receives a response. During configuration saving, the CPU is busy writing data to flash, and VGMP hello packets may not be processed during this period. When the firewall receives no response within the specified period, it considers the heartbeat packet lost and floods the hello packet out of all VRRP group member interfaces, so the service ports also send VGMP hello packets. When a Layer 2 loop exists on the service ports, the packets sent out of those ports are looped back to them, and the error message mentioned previously is displayed.

The Layer 2 loop occurred because the Eth-Trunk was configured on the outside interface of the USG but not on the switches. As a result, the packets were sent back to the firewalls.
Suggestions
When Eth-Trunk is configured on the firewalls, you must also configure Eth-Trunk on the devices connected to the firewalls.
