USG2260: Active/Standby Roles Keep Switching After Hot Standby Is Configured

Published: 2015-08-03
Problem Description

A project network uses two USG2260 firewalls with hot standby enabled. The topology is as follows:


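Both 2260 units establish hot standby over the optical ports on the SU2DFG16S400 card (16GE RJ45+4GE SFP mixed interface card with HW general security platform software), but the active and standby roles keep switching. We tried interconnecting the devices over optical ports and over electrical ports, and in both cases the link came up and dropped intermittently. The devices logged the following messages: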

2015-06-20 17:19:57 AAEB_USG2260_01 %%01PHY/4/STATUSUP(l): GigabitEthernet5/0/18 changed status to up.
2015-06-20 17:19:58 AAEB_USG2260_01 %%01IFNET/4/IF_STATE(l): Interface Eth-Trunk1 has turned into UP state.
2015-06-20 17:19:58 AAEB_USG2260_01 %%01IFNET/4/IF_STATE(l): Interface Vlanif52 has turned into UP state.
2015-06-20 17:19:58 AAEB_USG2260_01 %%01IFNET/4/LINK_STATE(l): Line protocol on interface Vlanif52 has turned into UP state.
2015-06-20 17:20:15 AAEB_USG2260_01 %%01PHY/4/STATUSDOWN(l): GigabitEthernet5/0/18 changed status to down.
2015-06-20 17:20:15 AAEB_USG2260_01 %%01PHY/4/SFPLOW(l): GigabitEthernet5/0/18 The possible cause is: the input power was below the lower threshold.
2015-06-20 17:20:16 AAEB_USG2260_01 %%01IFNET/4/IF_STATE(l): Interface Eth-Trunk1 has turned into DOWN state.
2015-06-20 17:20:16 AAEB_USG2260_01 %%01IFNET/4/IF_STATE(l): Interface Vlanif52 has turned into DOWN state.
2015-06-20 17:20:16 AAEB_USG2260_01 %%01IFNET/4/LINK_STATE(l): Line protocol on interface Vlanif52 has turned into DOWN state.
2015-06-20 17:20:16 AAEB_USG2260_01 %%01VGMP/4/STATE(l): Virtual Router Management Group MASTER :  MASTER --> MASTER_TO_SLAVE

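Troubleshooting Process

1. The fiber and the optical modules were checked and have no problems; they work normally when used on other devices;

2. Clock signal acquisition is normal and synchronization works;

3. The loopback test is normal;

4. Connections to the fixed, working network ports of other devices have no problems; only the ports that connect the interface cards to each other have problems;

Collected interface information: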

display interface GigabitEthernet 5/0/19
20:16:16  2015/06/26
GigabitEthernet5/0/19 current state : UP  
Line protocol current state : UP
Description : Huawei, USG2200 Series, GigabitEthernet5/0/19 Interface, Lan Switch Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Eth-Trunk number: 1
Media type is optical fiber, loopback is not set, promiscuous mode not set
1000Mb/s-speed mode, Full-duplex mode, link type is auto negotiation
flow control is disable
Optical Transceiver Module is set
VendorName:FINISAR CORP.  
Compliance:1000BASE-SX
PartNumber:FTLF8519P3BTLHW1
SN:NRQ2LH3        
Mode:Unknown or unspecified
Connector:LC
LaserwaveLen:850nm
Length for 50/125um:500m
Rate:2100Mb/s
Current SFP module Tx power(<8.129dBm): -4.99 dBm
Tx power Threshold:
Low Warn Threshold: -9.50 dBm
High Warn Threshold: 0.00 dBm
Low Alarm Threshold: -12.50 dBm
High Alarm Threshold: 0.00 dBm
Current SFP module Rx power(<8.129dBm): -25.37 dBm
Rx power Threshold:
Low Warn Threshold: -16.98 dBm
High Warn Threshold: 0.00 dBm
Low Alarm Threshold: -16.98 dBm
High Alarm Threshold: 0.00 dBm
   Last 300 seconds input rate 3808 bits/s, 3 packets/s
   Last 300 seconds output rate 8200 bits/s, 5 packets/s
   Input: 2235751 packets, 269406836 bytes
          1563 broadcasts, 8816 multicasts
          0 errors, 0 runts, 0 giants, 0 FCS
          0 length error, 0 code error, 0 align errors
   Output:2682264 packets, 366819742 bytes
          1739 broadcasts, 30168 multicasts
          0 errors, 0 collisions, 0 late collisions
          0 ex. collisions, 0 FCS error
          0 deferred, 0 runts, 0 giants

Loopback test information:

test loopback interface 5 0 18 mac 100 100 10

16:01:08  2015/07/10

 Packet send size : 100

 Packet receive size : 100

 Packet send number : 100

 Packet send error number : 0

 Packet receive number : 100

 Packet receive right : 100

 Packet receive wrong : 0

 Delay time (s) : 20

 LOOPBACK TEST OK

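Configuration check:

The USG2260 configuration shows that a Layer 2 Eth-Trunk is configured on each device, the Vlanif interface based on that Eth-Trunk serves as the HRP heartbeat interface, and hrp track master/slave is configured under the corresponding VLAN. However, hrp track master/slave under a VLAN exists to refresh the MAC table entries of upstream and downstream devices. It monitors interface status, and as soon as one interface goes down it triggers a linked active/standby switchover. The Vlanif interfaces configured on the USG2260 are all used as heartbeat interfaces, so delete the hrp track master/slave configuration under the VLAN on both the active and the standby device. This lowers the sensitivity of interface detection and keeps active/standby operation normal.

vlan 52

hrp track master //delete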
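
The chain described in the configuration check (a tracked port goes down, then the VGMP group changes state) can be confirmed directly from the logs. The following is an added example, not part of the original case and not Huawei tooling: it parses the log lines quoted in the problem description and, for each VGMP transition, lists the link-down events logged in the preceding seconds. The function names and the 5-second window are assumptions.

```python
import re
from datetime import datetime, timedelta
# Log lines copied verbatim from the problem description on this page.
SAMPLE_LOG = """\
2015-06-20 17:19:57 AAEB_USG2260_01 %%01PHY/4/STATUSUP(l): GigabitEthernet5/0/18 changed status to up.
2015-06-20 17:19:58 AAEB_USG2260_01 %%01IFNET/4/IF_STATE(l): Interface Eth-Trunk1 has turned into UP state.
2015-06-20 17:19:58 AAEB_USG2260_01 %%01IFNET/4/IF_STATE(l): Interface Vlanif52 has turned into UP state.
2015-06-20 17:19:58 AAEB_USG2260_01 %%01IFNET/4/LINK_STATE(l): Line protocol on interface Vlanif52 has turned into UP state.
2015-06-20 17:20:15 AAEB_USG2260_01 %%01PHY/4/STATUSDOWN(l): GigabitEthernet5/0/18 changed status to down.
2015-06-20 17:20:15 AAEB_USG2260_01 %%01PHY/4/SFPLOW(l): GigabitEthernet5/0/18 The possible cause is: the input power was below the lower threshold.
2015-06-20 17:20:16 AAEB_USG2260_01 %%01IFNET/4/IF_STATE(l): Interface Eth-Trunk1 has turned into DOWN state.
2015-06-20 17:20:16 AAEB_USG2260_01 %%01IFNET/4/IF_STATE(l): Interface Vlanif52 has turned into DOWN state.
2015-06-20 17:20:16 AAEB_USG2260_01 %%01IFNET/4/LINK_STATE(l): Line protocol on interface Vlanif52 has turned into DOWN state.
2015-06-20 17:20:16 AAEB_USG2260_01 %%01VGMP/4/STATE(l): Virtual Router Management Group MASTER :  MASTER --> MASTER_TO_SLAVE
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) %%\d\d(\w+)/\d/(\w+)\(l\): (.*)$")
IF_RE = re.compile(r"[Ii]nterface (\S+) has turned into DOWN state")

def parse(log):
    """Yield (timestamp, host, module, mnemonic, message) for each log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), *m.groups()[1:])

def correlate(log, window_s=5):
    """For each VGMP state change, collect link-down events in the window_s seconds before it."""
    events = list(parse(log))
    findings = []
    for ts, host, module, _, msg in events:
        if module != "VGMP":
            continue
        down, sfp_low = [], False
        for t2, _, mod2, mnem2, msg2 in events:
            if not timedelta(0) <= ts - t2 <= timedelta(seconds=window_s):
                continue
            if mod2 == "PHY" and mnem2 == "STATUSDOWN":
                down.append(msg2.split()[0])      # physical port name
            elif mod2 == "PHY" and mnem2 == "SFPLOW":
                sfp_low = True                    # optical input power alarm
            elif mod2 == "IFNET" and IF_RE.search(msg2):
                down.append(IF_RE.search(msg2).group(1))
        findings.append({"time": ts, "host": host, "transition": msg.split(":")[-1].strip(),
                         "down": list(dict.fromkeys(down)), "sfp_low": sfp_low})
    return findings

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

A switchover that repeatedly follows a down event on the heartbeat Eth-Trunk or its Vlanif, as in this sample, points to interface tracking on the heartbeat link rather than a failure on a service interface.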

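Recommendations and Summary
Layer 3 interfaces must be configured with VRRP. After an active/standby switchover, the new active firewall sends VRRP Hello packets to update the MAC forwarding tables of the upstream and downstream Layer 2 devices, and it also sends three gratuitous ARP packets to update the ARP entries of the upstream and downstream Layer 3 devices. For Layer 2 interfaces, hrp track must be configured in the corresponding VLAN view. After a switchover, the new standby device automatically runs shutdown/undo shutdown on all interfaces in the VLAN where hrp track is configured, which invalidates the MAC entries on the upstream and downstream Layer 2 devices so that they are relearned.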
