Services Are Interrupted Because the Physical Member Interfaces of the Backup Channel Eth-Trunk Are Inconsistent in Hot Standby Load Balancing Mode

Publication Date: 2019-07-04

Issue Description

Firewalls work in hot standby load balancing mode. An intranet server provides the web page service. When an Internet user accesses the server, the access is slow or even fails. Intranet users can access the server properly.

Handling Process

Step 1: Run the display hrp state command to check the active/standby status of each firewall. The firewall status is normal.
Step 2: Run the display firewall session table or display firewall ipv6 session table command to check the session tables of the two firewalls. The number of sessions differs greatly between the two firewalls.
Step 3: Check whether quick session backup is enabled on the firewalls. The function has been enabled.
Step 4: Check the backup channel configuration. The two firewalls use an Eth-Trunk as the backup channel. Three physical member interfaces are specified on the active firewall, but only two on the standby firewall. (Compared with the active firewall, GigabitEthernet1/0/6 is not specified on the standby firewall.)
When the firewall backs up sessions through the backup channel, the physical member interfaces of the Eth-Trunk interface are used in turn to send backup packets. The standby firewall does not bind GigabitEthernet1/0/6 to the Eth-Trunk. When the active firewall sends backup packets through GigabitEthernet1/0/6, GigabitEthernet1/0/6 on the standby firewall discards them. As a result, the sessions of the active firewall cannot be completely backed up to the standby firewall.
The hot standby firewalls work in load balancing mode. The forward and reverse paths of service packets may be different. If sessions are not backed up to the standby firewall, the standby firewall discards response packets because they cannot match any session.
Step 5: Bind GigabitEthernet1/0/6 on the standby firewall to the Eth-Trunk interface. The fault is rectified.

Root Cause

 Hot standby firewalls work in active/active state.
 The hot standby firewalls work in load balancing mode. The forward and reverse paths may be different, and quick session backup is disabled.
 The backup channel is faulty. As a result, some sessions fail to be backed up.

Suggestions

When an Eth-Trunk is used as the backup channel, ensure that the same physical interfaces are bound to the Eth-Trunk interfaces on the two firewalls. Otherwise, the sessions of the active firewall cannot be completely backed up to the standby firewall.
If member interfaces of an Eth-Trunk interface are different and hot standby firewalls work in load balancing mode, services may be interrupted. If the member interfaces of an Eth-Trunk interface are different on hot standby firewalls in active/standby mode, some services are interrupted after an active/standby firewall switchover.
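
The member-interface check from Step 4 can be automated by comparing saved configurations from both firewalls. The following is an added example, not vendor code: the configuration excerpts are constructed, GigabitEthernet1/0/4 and GigabitEthernet1/0/5 are placeholder names, and it assumes that member ports appear as an "eth-trunk <id>" line under the physical interface.

```python
import re

# Constructed excerpts; only GigabitEthernet1/0/6 comes from the case above.
# Assumption: a member port is an " eth-trunk <id>" line under its interface.
ACTIVE_CFG = """\
interface GigabitEthernet1/0/4
 eth-trunk 1
interface GigabitEthernet1/0/5
 eth-trunk 1
interface GigabitEthernet1/0/6
 eth-trunk 1
"""
STANDBY_CFG = """\
interface GigabitEthernet1/0/4
 eth-trunk 1
interface GigabitEthernet1/0/5
 eth-trunk 1
interface GigabitEthernet1/0/6
"""

def trunk_members(config):
    """Map Eth-Trunk ID -> set of physical interfaces bound to it."""
    members, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)          # entering a new interface view
            continue
        m = re.match(r"\s+eth-trunk (\d+)\s*$", line)
        if m and current:
            members.setdefault(int(m.group(1)), set()).add(current)
    return members

def member_mismatches(cfg_a, cfg_b):
    """Return {trunk_id: (only_on_a, only_on_b)} for trunks whose members differ."""
    a, b = trunk_members(cfg_a), trunk_members(cfg_b)
    return {t: (sorted(a.get(t, set()) - b.get(t, set())),
                sorted(b.get(t, set()) - a.get(t, set())))
            for t in sorted(set(a) | set(b))
            if a.get(t, set()) != b.get(t, set())}

if __name__ == "__main__":
    diff = member_mismatches(ACTIVE_CFG, STANDBY_CFG)
    for trunk, (only_a, only_b) in diff.items():
        print(f"Eth-Trunk{trunk}: only on active {only_a}, only on standby {only_b}")
```

An empty result means the two firewalls bind the same physical interfaces to each Eth-Trunk; any entry names the interface to add or remove before relying on the backup channel.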