FAQ-NGFW HRP state initialize

Publication Date: 2015-02-15
Issue Description

Symptom:

After HRP and the interface interconnecting the two firewalls were configured, HRP did not come up and remained in the initialize state, so configuration and sessions were not synchronized.

Network Diagram:



Initial HRP Configuration on Firewall (Active):

hrp enable
undo hrp ospfv3-cost adjust-enable
hrp interface Eth-Trunk1
#
interface Eth-Trunk1
ip address 172.16.1.2 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/0
ip address 172.16.2.2 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/6
eth-trunk 1
#
interface GigabitEthernet1/0/7
eth-trunk 1
#
security-policy
default action permit
#
#
firewall zone trust
set priority 85
add interface Eth-Trunk1
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/1


Initial HRP Configuration on Firewall (Standby):

hrp enable
undo hrp ospfv3-cost adjust-enable
hrp interface Eth-Trunk1
#
interface Eth-Trunk1
ip address 172.16.1.3 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/0
ip address 172.16.2.3 255.255.255.0
#
interface GigabitEthernet1/0/1
ip address 10.1.1.3 255.255.255.0
#
interface GigabitEthernet1/0/6
eth-trunk 1
#
interface GigabitEthernet1/0/7
eth-trunk 1
#
security-policy
default action permit
#
#
firewall zone trust
set priority 85
add interface Eth-Trunk1
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/1

Solution

Troubleshooting Process: 

[USG6300]display hrp state

The firewall's config state is: INITIALIZE

Backup channel usage: 0.01%

Time elapsed after the last switchover: 0 days, 0 hours, 59 minutes

[USG6300]dis hrp inter

Eth-Trunk1 : 172.16.1.3 running

<USG6300>ping 172.16.1.3
  PING 172.16.1.3: 56  data bytes, press CTRL_C to break
    Reply from 172.16.1.3: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 172.16.1.3: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 172.16.1.3: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 172.16.1.3: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 172.16.1.3: bytes=56 Sequence=5 ttl=255 time=1 ms


The two firewalls can ping each other successfully.

<USG6300>dis hrp group
09:59:04  2014/12/09
Active group status:
   Group enabled:         no
   State:                 initialize

   Priority running:      65001
   Total VRRP members:    0
   Hello interval(ms):    1000
   Preempt enabled:       no
   Preempt delay(s):      -
   Tcp check delay(s):    0
   Peer group available:  0
   Peer's member same:    yes
Standby group status:
   Group enabled:         no
   State:                 initialize

   Priority running:      65000
   Total VRRP members:    0
   Hello interval(ms):    1000
   Preempt enabled:       no
   Preempt delay(s):      -
   Tcp check delay(s):    0
   Peer group available:  0
   Peer's member same:    yes

** Finding: the HRP state is INITIALIZE, no group is enabled, and there are no VRRP members.
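
The same check can be scripted against saved CLI output. The following Python is an added example, not part of the original FAQ or any Huawei tool: it parses `display hrp group` text and reports why each group is still in the initialize state. The function names and the embedded sample (constructed from the output above) are assumptions made for illustration.

```python
import re

# Constructed sample modeled on the `display hrp group` output shown above.
SAMPLE = """\
Active group status:
   Group enabled:         no
   State:                 initialize

   Priority running:      65001
   Total VRRP members:    0
Standby group status:
   Group enabled:         no
   State:                 initialize

   Priority running:      65000
   Total VRRP members:    0
"""

def parse_hrp_groups(text):
    """Return {group_name: {field: value}} from `display hrp group` output."""
    groups, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^(\w+) group status:\s*$", line.strip())
        if header:
            current = groups.setdefault(header.group(1).lower(), {})
            continue
        # Field lines are indented "Name: value" pairs under a group header.
        field = re.match(r"^\s+([^:]+):\s*(.*)$", line)
        if field and current is not None:
            current[field.group(1).strip().lower()] = field.group(2).strip()
    return groups

def diagnose(text):
    """List the reasons each group is stuck in the initialize state."""
    findings = []
    for name, f in parse_hrp_groups(text).items():
        if f.get("state", "").lower() != "initialize":
            continue  # group has left initialize; nothing to report
        if f.get("group enabled", "").lower() != "yes":
            findings.append(f"{name}: group not enabled")
        if f.get("total vrrp members", "0") == "0":
            findings.append(f"{name}: no VRRP members")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```
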

Solution:

Configure a VRRP group on the interface and configure hrp track active to enable VGMP.

[FW-1]int g1/0/1
[FW-1-GigabitEthernet1/0/1]vrrp vrid 2 virtual-ip 10.1.1.1 active
[FW-1-GigabitEthernet1/0/1]

2014-12-09 11:51:17 FW-1 %%01VRRP/4/STATEWARNING(l): Interface: GigabitEthernet1/0/1, Virtual Router 2 : CREATED changed to INITIALIZE!
2014-12-09 11:51:17 FW-1 %%01VRRP/4/STATEWARNING(l): Interface: GigabitEthernet1/0/1, Virtual Router 2 : INITIALIZE changed to STANDBY!
2014-12-09 11:51:18 FW-1 %%01VRRP/4/STATEWARNING(l): Interface: GigabitEthernet1/0/1, Virtual Router 2 : STANDBY changed to ACTIVE!

[FW-1-GigabitEthernet1/0/1]hrp track active
[FW-1-GigabitEthernet1/0/1]dis this
#
interface GigabitEthernet1/0/1
ip address 10.1.1.16 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.1.1 active
hrp track active
#
HRP_A[FW-1]dis hrp state
The firewall's config state is: ACTIVE

** Repeat these steps on the standby firewall to complete the process.

** Remember that on the standby firewall the VRRP configuration uses "standby" and the tracking command is "hrp track standby".
