Incorrect VRRP Configuration on a Low-End Firewall Leads to an HRP Switchover Failure

Publication Date: 2013-12-31
Issue Description
Two firewalls form a VRRP group toward the internal network. The intended behaviour is that when the external link to the C7X00 is disconnected, the backup firewall becomes the master and service traffic switches to the new master firewall. During testing, when the link between the master firewall and the C7X00 is disconnected, the switchover does not occur.

Alarm Information
None
Handling Process
Master firewall configuration:
[USG] interface GigabitEthernet 1/0/0
[USG-GigabitEthernet1/0/0] ip address 10.48.3.35 27
[USG-GigabitEthernet1/0/0] vrrp vrid 21 virtual-ip 10.48.3.34
[USG-GigabitEthernet1/0/0] vrrp vrid 21 priority 110
[USG-GigabitEthernet1/0/0] vrrp vrid 21 track GigabitEthernet 1/0/1 reduced 20 # This command was not configured previously. Without it, when the link between the master firewall and the C7X00 is disconnected, the firewall remains the master toward the internal network but can no longer forward internal traffic to the external network.
[USG-GigabitEthernet1/0/0] quit

[USG] firewall zone trust
[USG-zone-trust] add interface GigabitEthernet 1/0/0 # Add the interface to the security zone required by the network design.
[USG-zone-trust] quit

[USG] interface e2/0/1
[USG-Ethernet2/0/1] ip address 1.1.1.2 29
[USG-Ethernet2/0/1] vrrp vrid 31 virtual-ip 1.1.1.1
[USG-Ethernet2/0/1] quit

[USG] firewall zone dmz
[USG-zone-dmz] add interface Ethernet 2/0/1 # Add the interface to the security zone required by the network design.
[USG-zone-dmz] quit

[USG] vrrp group 1
[USG-vrrpgroup-1] add interface Ethernet 2/0/1 vrrp vrid 31 data
[USG-vrrpgroup-1] add interface GigabitEthernet 1/0/0 vrrp vrid 21 data
[USG-vrrpgroup-1] vrrp-group enable
[USG-vrrpgroup-1] vrrp-group priority using-vrrppriority
[USG-vrrpgroup-1] vrrp-group preempt delay 20000
[USG-vrrpgroup-1] quit

[USG] hrp enable
[USG] hrp interface Ethernet 2/0/1
[USG] hrp ospf-cost adjust-enable

<USG> save

Backup firewall configuration:
[USG] interface GigabitEthernet 1/0/0
[USG-GigabitEthernet1/0/0] ip address 10.48.3.36 27
[USG-GigabitEthernet1/0/0] vrrp vrid 21 virtual-ip 10.48.3.34
[USG-GigabitEthernet1/0/0] quit

[USG] firewall zone trust
[USG-zone-trust] add interface GigabitEthernet 1/0/0 # Add the interface to the security zone required by the network design.
[USG-zone-trust] quit

[USG] interface e2/0/1
[USG-Ethernet2/0/1] ip address 1.1.1.3 29
[USG-Ethernet2/0/1] vrrp vrid 31 virtual-ip 1.1.1.1
[USG-Ethernet2/0/1] quit

[USG] firewall zone dmz
[USG-zone-dmz] add interface Ethernet 2/0/1 # Add the interface to the security zone required by the network design.
[USG-zone-dmz] quit

[USG] vrrp group 1
[USG-vrrpgroup-1] add interface Ethernet 2/0/1 vrrp vrid 31 data
[USG-vrrpgroup-1] add interface GigabitEthernet 1/0/0 vrrp vrid 21 data
[USG-vrrpgroup-1] vrrp-group enable
[USG-vrrpgroup-1] vrrp-group priority using-vrrppriority
[USG-vrrpgroup-1] quit

[USG] hrp enable
[USG] hrp interface Ethernet 2/0/1
[USG] hrp ospf-cost adjust-enable

<USG> save
Root Cause
The VRRP configuration is incorrect: the master firewall's VRRP group on the internal interface (GigabitEthernet 1/0/0, VRID 21) did not track the external interface (GigabitEthernet 1/0/1). When the link to the C7X00 was disconnected, the master's VRRP priority was therefore not reduced, it stayed master toward the internal network, and no HRP switchover took place.
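The election logic behind this failure, as an added model rather than anything from the Huawei case or the USG product: the master's priority (110), the backup's default priority (100) and the "reduced 20" value are taken from the configuration above; the link-state inputs and the firewall names are constructed.

```python
"""Model of the VRRP election on the two USG firewalls described above.

Constructed example: priorities and the 'reduced 20' value come from the
page; link states and firewall names are assumed inputs.
"""
from dataclasses import dataclass, field

DEFAULT_VRRP_PRIORITY = 100  # VRRP default when no priority is configured


@dataclass
class Firewall:
    name: str
    ip: str
    priority: int = DEFAULT_VRRP_PRIORITY
    # tracked interface -> amount subtracted while that interface is down
    tracks: dict = field(default_factory=dict)

    def effective_priority(self, link_up: dict) -> int:
        """Priority after applying 'vrrp vrid N track <if> reduced <n>'."""
        pri = self.priority
        for iface, reduce in self.tracks.items():
            if not link_up.get(iface, True):
                pri -= reduce
        return max(pri, 1)  # priority 0 is reserved for releasing the VIP


def elect_master(firewalls, link_up):
    """VRRP election: highest effective priority wins, higher IP breaks ties."""
    return max(firewalls,
               key=lambda fw: (fw.effective_priority(link_up),
                               tuple(int(o) for o in fw.ip.split(".")))).name


def track_reduces_enough(fw, peer_priority):
    """Check that a tracked-link failure really drops fw below its peer."""
    return all(fw.priority - r < peer_priority for r in fw.tracks.values())


def simulate(with_track: bool):
    """Return (master when all links up, master after GE1/0/1 goes down)."""
    tracks = {"GigabitEthernet 1/0/1": 20} if with_track else {}
    master = Firewall("master", "10.48.3.35", priority=110, tracks=tracks)
    backup = Firewall("backup", "10.48.3.36")
    normal = elect_master([master, backup], {"GigabitEthernet 1/0/1": True})
    failed = elect_master([master, backup], {"GigabitEthernet 1/0/1": False})
    return normal, failed
```

`simulate(False)` reproduces the fault (the master keeps the role after the link failure), while `simulate(True)` shows 110 - 20 = 90 falling below the backup's 100, so the backup takes over.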
Suggestions
None