Huawei USG6330 firewall: VRRP does not preempt after a hot standby (HRP) failover

Published: 2015-09-16   Views: 721   Downloads: 11
Problem description

1. USG6330 software version: V100R001C20SPC700


2. The network topology is shown in the following diagram:

[Figure: network topology diagram]

3. Configuration of the active firewall (VRRP groups configured as active):
#
interface GigabitEthernet1/0/0
link-group 1
ip address 192.168.200.1 255.255.255.0
vrrp vrid 1 virtual-ip X.X.X.X X.X.X.X active
service-manage https permit
service-manage ping permit
service-manage ssh permit
#
interface GigabitEthernet1/0/1
link-group 1
ip address 192.168.201.1 255.255.255.0  
vrrp vrid 2 virtual-ip X.X.X.X X.X.X.X active
service-manage https permit
service-manage ping permit
service-manage ssh permit
#
interface GigabitEthernet1/0/2
link-group 1
ip address 10.238.38.17 255.255.255.240
vrrp vrid 3 virtual-ip 10.238.38.20 active
service-manage https permit
service-manage ping permit
service-manage ssh permit
#
interface GigabitEthernet1/0/5
ip address 192.168.100.1 255.255.255.0
service-manage ping permit
service-manage ssh permit
service-manage telnet permit
#
hrp enable
undo hrp ospfv3-cost adjust-enable
hrp standby config enable
hrp interface GigabitEthernet1/0/5
#
ip-link check enable
ip-link 1 destination X.X.X.X mode icmp
hrp track ip-link 1 active
ip-link 2 destination X.X.X.X mode icmp
hrp track ip-link 2 active
#

4. Configuration of the standby firewall (VRRP groups configured as standby, `hrp standby-device`):

#
interface GigabitEthernet1/0/0
link-group 1
ip address 192.168.200.2 255.255.255.0
vrrp vrid 1 virtual-ip X.X.X.X X.X.X.X standby
service-manage https permit
service-manage ping permit
service-manage ssh permit
#
interface GigabitEthernet1/0/1
link-group 1
ip address 192.168.201.2 255.255.255.0
vrrp vrid 2 virtual-ip X.X.X.X X.X.X.X standby
service-manage https permit
service-manage ping permit              
service-manage ssh permit
#
interface GigabitEthernet1/0/2
link-group 1
ip address 10.238.38.18 255.255.255.240
vrrp vrid 3 virtual-ip 10.238.38.20 standby
service-manage https permit
service-manage ping permit
service-manage ssh permit
#
interface GigabitEthernet1/0/5
ip address 192.168.100.2 255.255.255.0
service-manage ping permit
service-manage ssh permit
service-manage telnet permit
#
hrp enable
undo hrp ospfv3-cost adjust-enable
hrp standby-device
hrp interface GigabitEthernet1/0/5
#

 

5. HRP state after the external (WAN) interface of the active FW is shut down. The output below is taken on the former active firewall (primary IP 10.238.38.17), which is now HRP standby:


HRP_S<internet-firewall>display hrp state
The firewall's config state is: STANDBY

Backup channel usage: 0.01%
Time elapsed after the last switchover: 0 days, 0 hours, 26 minutes
Current state of virtual routers configured as active:
             GigabitEthernet1/0/2    vrid   3 : standby
             GigabitEthernet1/0/1    vrid   2 : standby
             GigabitEthernet1/0/0    vrid   1 : standby

HRP_S<internet-firewall>display vrrp
  GigabitEthernet1/0/2 | Virtual Router 3
    VRRP Group : Active
    State : Standby
    Virtual IP : 10.238.38.20
    Virtual MAC : 0000-5e00-0103
    Primary IP : 10.238.38.17
    Priority Run : 120
    Priority Config : 100
    Active Priority : 120
    Preempt : YES   Delay Time : 0
    Advertisement Timer : 1
    Auth Type : NONE
    Check TTL : YES

  GigabitEthernet1/0/1 | Virtual Router 2
    VRRP Group : Active
    State : Standby
    Virtual IP : X.X.X.X
    Virtual MAC : 0000-5e00-0102
    Primary IP : 192.168.201.1
    Priority Run : 120
    Priority Config : 100
    Active Priority : 120
    Preempt : YES   Delay Time : 0       
    Advertisement Timer : 1              
    Auth Type : NONE                     
    Check TTL : YES                      
                                         
  GigabitEthernet1/0/0 | Virtual Router 1
    VRRP Group : Active                  
    State : Standby                      
    Virtual IP : X.X.X.X          
    Virtual MAC : 0000-5e00-0101         
    Primary IP : 192.168.200.1           
    Priority Run : 120                   
    Priority Config : 100                
    Active Priority : 120                
    Preempt : YES   Delay Time : 0       
    Advertisement Timer : 1              
    Auth Type : NONE                     
    Check TTL : YES                      
                    

6. HRP state after the external interface of the active FW is brought back up. The same device stays HRP standby, and every VRRP group it has configured as active remains in Standby state even though Preempt is YES:

HRP_S<internet-firewall>display hrp state
The firewall's config state is: STANDBY

Backup channel usage: 0.01%
Time elapsed after the last switchover: 0 days, 0 hours, 26 minutes
Current state of virtual routers configured as active:
             GigabitEthernet1/0/2    vrid   3 : standby
             GigabitEthernet1/0/1    vrid   2 : standby
             GigabitEthernet1/0/0    vrid   1 : standby

HRP_S<internet-firewall>display vrrp
  GigabitEthernet1/0/2 | Virtual Router 3
    VRRP Group : Active
    State : Standby
    Virtual IP : 10.238.38.20
    Virtual MAC : 0000-5e00-0103
    Primary IP : 10.238.38.17
    Priority Run : 120
    Priority Config : 100
    Active Priority : 120
    Preempt : YES   Delay Time : 0
    Advertisement Timer : 1
    Auth Type : NONE
    Check TTL : YES

  GigabitEthernet1/0/1 | Virtual Router 2
    VRRP Group : Active
    State : Standby
    Virtual IP : X.X.X.X
    Virtual MAC : 0000-5e00-0102
    Primary IP : 192.168.201.1
    Priority Run : 120
    Priority Config : 100
    Active Priority : 120
    Preempt : YES   Delay Time : 0       
    Advertisement Timer : 1              
    Auth Type : NONE                     
    Check TTL : YES                      
                                         
  GigabitEthernet1/0/0 | Virtual Router 1
    VRRP Group : Active                  
    State : Standby                      
    Virtual IP : X.X.X.X          
    Virtual MAC : 0000-5e00-0101         
    Primary IP : 192.168.200.1           
    Priority Run : 120                   
    Priority Config : 100                
    Active Priority : 120                
    Preempt : YES   Delay Time : 0       
    Advertisement Timer : 1              
    Auth Type : NONE                     
    Check TTL : YES                      
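The asymmetry visible in the two `display vrrp` outputs above (group configured Active, running Standby, preemption enabled) is exactly what a monitoring job should alert on after a failover test. The following script is an added example, not part of the original case record or Huawei tooling: it parses text in the format of the USG `display vrrp` output and lists the groups that are stuck in that state. The sample input is constructed from the output above; the public virtual IP that the page redacts as X.X.X.X is replaced by the placeholder 198.51.100.20, and a third, healthy group (configured Standby, running Standby) is added so the filter has something to leave alone.

```python
"""Flag VRRP groups that are configured Active but stuck in Standby.

Added example, modelled on the USG `display vrrp` output in the case record.
The sample text is constructed; 198.51.100.20 is a placeholder for the
redacted public virtual IP and the GigabitEthernet1/0/3 group is invented
as a healthy control.
"""
import re

SAMPLE_DISPLAY_VRRP = """\
  GigabitEthernet1/0/2 | Virtual Router 3
    VRRP Group : Active
    State : Standby
    Virtual IP : 10.238.38.20
    Virtual MAC : 0000-5e00-0103
    Primary IP : 10.238.38.17
    Priority Run : 120
    Priority Config : 100
    Active Priority : 120
    Preempt : YES   Delay Time : 0
    Advertisement Timer : 1
    Auth Type : NONE
    Check TTL : YES

  GigabitEthernet1/0/1 | Virtual Router 2
    VRRP Group : Active
    State : Standby
    Virtual IP : 198.51.100.20
    Virtual MAC : 0000-5e00-0102
    Primary IP : 192.168.201.1
    Priority Run : 120
    Priority Config : 100
    Active Priority : 120
    Preempt : YES   Delay Time : 0
    Advertisement Timer : 1
    Auth Type : NONE
    Check TTL : YES

  GigabitEthernet1/0/3 | Virtual Router 4
    VRRP Group : Standby
    State : Standby
    Virtual IP : 192.168.202.20
    Virtual MAC : 0000-5e00-0104
    Primary IP : 192.168.202.1
    Priority Run : 100
    Priority Config : 100
    Active Priority : 120
    Preempt : YES   Delay Time : 0
    Advertisement Timer : 1
    Auth Type : NONE
    Check TTL : YES
"""

# "  GigabitEthernet1/0/2 | Virtual Router 3" opens one group's block.
HEADER_RE = re.compile(r"^\s*(?P<iface>\S+)\s*\|\s*Virtual Router\s+(?P<vrid>\d+)\s*$")
# "Key : value" pairs; a line may carry two ("Preempt : YES   Delay Time : 0").
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)")


def parse_display_vrrp(text):
    """Return one dict per VRRP group, keyed by the field names shown on the CLI."""
    groups = []
    cur = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"interface": m.group("iface"), "vrid": int(m.group("vrid"))}
            groups.append(cur)
            continue
        if cur is None or not line.strip():
            continue
        for key, value in FIELD_RE.findall(line):
            cur[key.strip()] = value
    return groups


def stuck_groups(groups):
    """Groups configured Active, running Standby, with preemption enabled.

    Preemption should have returned such a group to the active role, so
    something outside VRRP itself (in this case a tracked ip-link that never
    comes back up) is holding the device down.
    """
    return [
        g for g in groups
        if g.get("VRRP Group") == "Active"
        and g.get("State") == "Standby"
        and g.get("Preempt") == "YES"
    ]


def report(text):
    """Human-readable lines for every stuck group in a `display vrrp` capture."""
    return [
        f"{g['interface']} vrid {g['vrid']}: configured Active, running Standby "
        f"(priority run {g.get('Priority Run')}, config {g.get('Priority Config')}, "
        f"preempt {g.get('Preempt')})"
        for g in stuck_groups(parse_display_vrrp(text))
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_DISPLAY_VRRP):
        print(line)
```

Run it against a capture taken a few minutes after the failed link is restored; with `Delay Time : 0` there is no legitimate reason for a group configured as active to still be in Standby, so any line it prints is a finding, not noise.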
                    

Handling process

1. Checked that `hrp preempt` is enabled by default on the next-generation firewall; in theory the device should therefore preempt automatically.

2. Checked the hot standby (HRP) configuration.

3. Checked the software version and patches.

4. Checked the ip-link configuration. ip-link is configured, and on the firewall configured as active every ip-link was in the down state. Suspicion: because the ip-links stay down, that firewall's link detection never returns to normal, so it cannot preempt and become active again. In theory, once the external interface is up and a route exists, ip-link should detect that the uplink is reachable. Confirmed: the service interfaces are configured with private (intranet) addresses while the VRRP virtual addresses are public, and in this scenario ip-link detection cannot be used to drive active/standby preemption. Reason: after an active/standby switchover the former active device becomes standby and the former standby becomes active. The ip-link ICMP probes on the now-standby device are sourced from its private interface address, while the public virtual IP that the outside world can reach has moved to the new active device; the standby therefore cannot communicate with the outside, its ip-link state stays down, and it can never preempt.

Root cause
The service interfaces are configured with private (intranet) addresses while the VRRP virtual addresses are public; in this scenario ip-link detection cannot be used to achieve active/standby preemption.
Solution
Delete the ip-link detection configuration (the `ip-link ... destination` entries and the `hrp track ip-link` lines in the active firewall's configuration above). Note that this also removes the only check that would have detected an upstream failure that does not bring the interface itself down; if that coverage is still required, the probes must be sent from an address that the probe destination can actually reply to.
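The root cause is a configuration pattern that can be detected before a failover test ever runs: a VRRP group whose interface address is RFC 1918 private, whose virtual IP is not, on a device that also tracks ip-links. The following linter is an added example, not from the case record or from Huawei: it parses a constructed configuration fragment modelled on the active firewall above (with the redacted public addresses replaced by placeholders from 198.51.100.0/24), flags every group matching that pattern, and prints the removal commands corresponding to the resolution. The `undo` forms are the standard Huawei CLI negation of the commands shown in the configuration; confirm them against the command reference for the running version before pasting them into a device.

```python
"""Lint a USG HRP/VRRP configuration for the ip-link preemption trap.

Added example.  SAMPLE_CONFIG is constructed from the active firewall's
configuration in the case record; 198.51.100.x addresses are placeholders
for the redacted public virtual IPs and probe destinations.
"""
import ipaddress
import re

# "Private address" in the case record means RFC 1918; checked explicitly
# rather than via ipaddress.is_private, which also treats documentation
# ranges such as 198.51.100.0/24 as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/0
 link-group 1
 ip address 192.168.200.1 255.255.255.0
 vrrp vrid 1 virtual-ip 198.51.100.10 198.51.100.11 active
#
interface GigabitEthernet1/0/2
 link-group 1
 ip address 10.238.38.17 255.255.255.240
 vrrp vrid 3 virtual-ip 10.238.38.20 active
#
interface GigabitEthernet1/0/5
 ip address 192.168.100.1 255.255.255.0
#
hrp enable
hrp standby config enable
hrp interface GigabitEthernet1/0/5
#
ip-link check enable
ip-link 1 destination 198.51.100.1 mode icmp
hrp track ip-link 1 active
ip-link 2 destination 198.51.100.2 mode icmp
hrp track ip-link 2 active
#
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")
ADDR_RE = re.compile(r"^ip address\s+(\S+)\s+(\S+)")
VRRP_RE = re.compile(r"^vrrp vrid\s+(\d+)\s+virtual-ip\s+(.+?)\s+(active|standby)$")
TRACK_RE = re.compile(r"^hrp track ip-link\s+(\d+)\s+(active|standby)")


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_config(text):
    """Collect interface addresses, VRRP groups and tracked ip-links."""
    cfg = {"interfaces": {}, "vrrp": [], "tracked_ip_links": {}}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":          # section separator ends any interface view
            cur = None
            continue
        m = IFACE_RE.match(line)
        if m:
            cur = m.group(1)
            cfg["interfaces"][cur] = {"ip": None}
            continue
        if cur:
            m = ADDR_RE.match(line)
            if m:
                cfg["interfaces"][cur]["ip"] = m.group(1)
                continue
            m = VRRP_RE.match(line)
            if m:
                cfg["vrrp"].append({"interface": cur, "vrid": int(m.group(1)),
                                    "vips": m.group(2).split(), "role": m.group(3)})
                continue
        m = TRACK_RE.match(line)
        if m:
            cfg["tracked_ip_links"][int(m.group(1))] = m.group(2)
    return cfg


def find_ip_link_preempt_trap(cfg):
    """VRRP groups whose probes would be sourced from a private address once
    the device is standby, while the public VIP lives on the other device."""
    findings = []
    if not cfg["tracked_ip_links"]:
        return findings
    for g in cfg["vrrp"]:
        iface_ip = cfg["interfaces"][g["interface"]]["ip"]
        if iface_ip is None:
            continue
        public_vips = [v for v in g["vips"] if not is_rfc1918(v)]
        if is_rfc1918(iface_ip) and public_vips:
            findings.append({"interface": g["interface"], "vrid": g["vrid"],
                             "interface_ip": iface_ip, "public_vips": public_vips,
                             "tracked_ip_links": sorted(cfg["tracked_ip_links"])})
    return findings


def fix_commands(cfg):
    """CLI lines that remove ip-link tracking, as the case's resolution did."""
    cmds = []
    for n in sorted(cfg["tracked_ip_links"]):
        cmds.append(f"undo hrp track ip-link {n}")
        cmds.append(f"undo ip-link {n}")
    if cmds:
        cmds.append("undo ip-link check enable")
    return cmds


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for f in find_ip_link_preempt_trap(parsed):
        print(f"{f['interface']} vrid {f['vrid']}: interface {f['interface_ip']} is private, "
              f"VIP {', '.join(f['public_vips'])} is public, ip-links {f['tracked_ip_links']} tracked")
    print("\n".join(fix_commands(parsed)))
```

In the sample, vrid 1 on GigabitEthernet1/0/0 is flagged and vrid 3 on GigabitEthernet1/0/2 is not, because its virtual IP 10.238.38.20 is on the same private subnet as the interface and probes from that device remain answerable.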
Suggestions and summary

During project implementation, carefully consider how the application scenarios of each technology interact before combining them.

END