E200E V3R1 VFW cannot mirror sessions in VRRP

Publication Date:  2014-07-23  |   Views:  203  |   Downloads:  0  |   Author:  SU1003382494  |   Document ID:  EKB1000024161

Issue Description

Session mirroring is enabled and the session table does appear on the slave device; however, it does not seem to work. Sessions reset on failover, and on inspection the sessions on the slave do not appear to be in a virtual firewall instance, as follows:

on master:

snmp  VPN:srcl --> srcl 10.16.39.106:63670-->192.168.1.71:161
  snmp  VPN:srcl --> srcl 10.16.26.103:1029-->192.168.1.201:161
  snmp  VPN:srcl --> srcl 10.16.26.19:1038-->192.168.8.205:161
  snmp  VPN:srcl --> srcl 10.16.39.106:63670-->192.168.11.98:161
  snmp  VPN:srcl --> srcl 10.16.26.20:1038-->192.168.8.200:161
  snmp  VPN:srcl --> srcl 10.16.26.31:1039-->192.168.1.24:161


and on slave:

snmp  VPN:unknown --> unknown   Remote 10.16.26.19:1038-->192.168.8.205:161
  snmp  VPN:unknown --> unknown   Remote 10.16.39.106:63670-->192.168.11.99:161
  snmp  VPN:unknown --> unknown   Remote 10.16.26.103:1029-->192.168.1.201:161
  snmp  VPN:unknown --> unknown   Remote 10.16.26.20:1038-->192.168.1.202:161
  snmp  VPN:unknown --> unknown   Remote 10.16.26.20:1038-->192.168.1.24:161
  snmp  VPN:unknown --> unknown   Remote 10.16.26.128:1036-->192.168.1.24:161
  snmp  VPN:unknown --> unknown   Remote 10.16.26.128:1036-->192.168.8.200:161

Alarm Information

None

Handling Process

Run display ip vpn-instance verbose on both firewalls and compare the output:

Master Firewall
--------------------

HRP_M<xxxxxxxxx-FW-200E>display ip vpn-instance verbose
10:59:04  2013/01/17
  Total VPN-Instances configured : 3

  VPN-Instance Name and ID : crystal, 2
  Create date : 2012/10/25 14:21:51
  Up time : 83 days, 21 hours, 37 minutes and 37 seconds
  Route Distinguisher : 101:1
  Label policy : label per route

  VPN-Instance Name and ID : srcl, 3
  Create date : 2012/10/25 14:22:01
  Up time : 83 days, 21 hours, 37 minutes and 27 seconds
  Route Distinguisher : 102:1
  Export VPN Targets :  102:1
  Import VPN Targets :  102:1
  Label policy : label per route
  Interfaces : GigabitEthernet0/0/1.802, GigabitEthernet0/0/1.803

  VPN-Instance Name and ID : carpeo, 4
  Create date : 2012/12/12 11:29:54
  Up time : 35 days, 23 hours, 29 minutes and 20 seconds
  Route Distinguisher : 104:1
  Export VPN Targets :  104:1
  Import VPN Targets :  104:1
  Label policy : label per route         
  Interfaces : GigabitEthernet0/0/1.800, GigabitEthernet0/0/1.801


Slave Firewall
------------------

HRP_S<xxxxxxxx-FW-200E>display ip vpn-instance verbose
10:58:47  2013/01/17
  Total VPN-Instances configured : 3

  VPN-Instance Name and ID : carpeo, 2
  Create date : 2012/12/13 19:56:05
  Up time : 34 days, 23 hours, 03 minutes and 38 seconds
  Route Distinguisher : 104:1
  Export VPN Targets :  104:1
  Import VPN Targets :  104:1
  Label policy : label per route
  Interfaces : GigabitEthernet0/0/1.800, GigabitEthernet0/0/1.801

  VPN-Instance Name and ID : crystal, 4
  Create date : 2012/10/25 21:22:12
  Up time : 83 days, 21 hours, 37 minutes and 31 seconds
  Route Distinguisher : 101:1
  Label policy : label per route

  VPN-Instance Name and ID : srcl, 5
  Create date : 2012/10/25 21:22:22
  Up time : 83 days, 21 hours, 37 minutes and 21 seconds
  Route Distinguisher : 102:1
  Export VPN Targets :  102:1
  Import VPN Targets :  102:1
  Label policy : label per route         
  Interfaces : GigabitEthernet0/0/1.802, GigabitEthernet0/0/1.803

Root Cause

The VFWs (virtual firewalls) were established in a different sequence on the master and slave firewalls.

Suggestions

The master and slave firewalls have different VPN instance IDs for the same instance:

           On the master:   VPN-Instance Name and ID : srcl, 3

           On the slave:     VPN-Instance Name and ID : srcl, 5

Restarting both firewalls can solve this issue. It is better to restart the slave firewall first and then restart the master firewall, to make sure the business is not impacted.
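
The comparison above can be automated. The following is an added example, not Huawei code: it parses saved display ip vpn-instance verbose output from both firewalls and reports every VPN instance whose ID differs between them. The function names are hypothetical, and the sample text is abridged from the output shown on this page.

```python
import re

# Matches lines such as "  VPN-Instance Name and ID : srcl, 3"
_INSTANCE_RE = re.compile(
    r"^\s*VPN-Instance Name and ID\s*:\s*(\S+?)\s*,\s*(\d+)\s*$"
)

def parse_vpn_instances(output):
    """Return {instance name: instance ID} from the command output text."""
    instances = {}
    for line in output.splitlines():
        match = _INSTANCE_RE.match(line)
        if match:
            instances[match.group(1)] = int(match.group(2))
    return instances

def compare_instance_ids(master_output, slave_output):
    """Return {name: (master_id, slave_id)} for each instance whose ID differs.

    An instance present on only one device is reported with None on the
    side where it is missing.
    """
    master_ids = parse_vpn_instances(master_output)
    slave_ids = parse_vpn_instances(slave_output)
    return {
        name: (master_ids.get(name), slave_ids.get(name))
        for name in sorted(master_ids.keys() | slave_ids.keys())
        if master_ids.get(name) != slave_ids.get(name)
    }

# Sample input abridged from the master and slave output on this page.
MASTER_OUTPUT = """\
  Total VPN-Instances configured : 3
  VPN-Instance Name and ID : crystal, 2
  Route Distinguisher : 101:1
  VPN-Instance Name and ID : srcl, 3
  Route Distinguisher : 102:1
  VPN-Instance Name and ID : carpeo, 4
"""
SLAVE_OUTPUT = """\
  Total VPN-Instances configured : 3
  VPN-Instance Name and ID : carpeo, 2
  VPN-Instance Name and ID : crystal, 4
  VPN-Instance Name and ID : srcl, 5
"""

if __name__ == "__main__":
    diffs = compare_instance_ids(MASTER_OUTPUT, SLAVE_OUTPUT)
    for name, (master_id, slave_id) in diffs.items():
        print(f"MISMATCH {name}: master ID={master_id}, slave ID={slave_id}")
```

Run against this page's output, it reports all three instances (carpeo, crystal, srcl) as mismatched, not only srcl.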