Solved

Procurve VRRP does not failover

Posted on 2012-03-20
Last Modified: 2012-03-23
Hi All

I have two HP 5406zl switches with the premium license installed as core switches in our business network.

Those two switches are holding our default gateway on the VLAN 1 interface; VRRP is configured there so that the default gateway should keep working even if one switch is taken offline.

I'm used to configuring HSRP on Cisco equipment, where I use a unique IP on every router and a virtual IP for the default gateway (HSRP instance).

The HP switches' VRRP instance is configured like this:

CORE1 (VRRP Master)
vlan 1
   ip ospf 10.31.45.1 area backbone
   vrrp vrid 1
      owner
      virtual-ip-address 10.31.45.1 255.255.255.0
      priority 255
      enable
      exit
   exit

CORE2 (VRRP backup)
vlan 1
   ip ospf 10.31.45.7 area backbone
   vrrp vrid 1
      backup
      virtual-ip-address 10.31.45.1 255.255.255.0
      enable
      exit
   exit


The 10.31.45.1 address (our default gateway) is configured directly on the VLAN 1 interface on CORE1.
I can't understand how the VLAN can have the virtual VRRP IP configured directly on the interface. That's not how HSRP works.

Yesterday I tried to shut down the CORE1 switch, and I was expecting that the CORE2 switch would answer for the 10.31.45.1 address (VRRP failover), but it did not, and our clients could not reach their default gateway :/
I had to power on the CORE1 switch again.
So now I'm asking you guys: how can I be sure that the 10.31.45.1 address will fail over to the CORE2 switch when taking the CORE1 switch offline?

Here is some VRRP info from the switches:

CORE1:
ESB-HP-5406-Core-01#  sh vrrp

 VRRP Global Statistics Information

  VRRP Enabled           : Yes
  Protocol Version       : 2
  Invalid VRID Pkts Rx   : 0
  Checksum Error Pkts Rx : 0
  Bad Version Pkts Rx    : 0
  Virtual Routers Respond To Ping Requests : No


 VRRP Virtual Router Statistics Information

  Vlan ID                  : 1
  Virtual Router ID        : 1
  State                    : Master
  Up Time                  : 14 hours
  Virtual MAC Address      : 00005e-000101
  Master's IP Address      : 10.31.45.1
  Associated IP Addr Count : 1          Near Failovers            : 0
  Advertise Pkts Rx        : 0          Become Master             : 1
  Zero Priority Rx         : 0          Zero Priority Tx          : 0
  Bad Length Pkts          : 0          Bad Type Pkts             : 0
  Mismatched Interval Pkts : 0          Mismatched Addr List Pkts : 0
  Mismatched IP TTL Pkts   : 0          Mismatched Auth Type Pkts : 0


CORE2:
SB-HP-5406-Core-02# sh vrrp

 VRRP Global Statistics Information

  VRRP Enabled           : Yes
  Protocol Version       : 2
  Invalid VRID Pkts Rx   : 0
  Checksum Error Pkts Rx : 0
  Bad Version Pkts Rx    : 0


 VRRP Virtual Router Statistics Information

  Vlan ID                  : 1
  Virtual Router ID        : 1
  State                    : Backup
  Up Time                  : 104 days
  Virtual MAC Address      : 00005e-000101
  Master's IP Address      : 10.31.45.1
  Associated IP Addr Count : 1          Near Failovers            : 0
  Advertise Pkts Rx        : 9055263    Become Master             : 2
  Zero Priority Rx         : 0          Zero Priority Tx          : 0
  Bad Length Pkts          : 0          Bad Type Pkts             : 0
  Mismatched Interval Pkts : 0          Mismatched Addr List Pkts : 0
  Mismatched IP TTL Pkts   : 0          Mismatched Auth Type Pkts : 0



Best regards,
Steffen
Question by:pfpoulsen

12 Comments

Expert Comment

by:RKinsp
Hello, your config looks good, although I don't think you need the priority command on the first Core (it is the owner, therefore has high priority).

Also, you need to use the virtual ping command:
router vrrp virtual-ip-ping

So that the backup will respond to pings on the virtual IP.

Were you testing just pinging or passthrough traffic? If it was just ping, there is a chance it was working but you couldn't tell because of this missing command.

Expert Comment

by:RKinsp
the virtual ip ping command should be set on both boxes....

Author Comment

by:pfpoulsen
So with the virtual ip ping command, the backup router (switch) will respond to ICMP even though it's not the IP owner?

Expert Comment

by:RKinsp
Yes, but only when it is the MASTER.

The problem is that without that command, the backup won't respond to ICMP directed to the virtual IP even when the master is down, although it is routing through that IP. Only the OWNER will respond without the command (switch who has the physical IP = virtual IP)

From the manual:

"When in compliance with RFC 3768, only owner VRs reply to ping requests (ICMP echo requests) to the Virtual IP address (VIP). When the virtual IP ping option is enabled, a Backup VR operating as the Master can respond to ping requests made to the VIP. This makes it possible to test the availability of the default gateway with ping. A non-owner VR that is not master drops all packets to the VIP."

Author Comment

by:pfpoulsen
I think it would be better to take the current Master and IP-owner offline. Then wait for the Backup to become master, and then make the backup the IP-owner.

Is that possible?

Expert Comment

by:TimotiSt
I might be wrong, but don't you need to configure an IP address on the vlan interface, besides the VRRP config? Like 10.31.45.2 for the backup box?

Tamas

Expert Comment

by:RKinsp
Totally agree, I just thought he was using 10.31.45.7 on his backup and just didn't put the 'ip address 10.31.45.7 255.255.255.0' from his show run on here.

In any case, you do need the "ip address x.x.x.x y.y.y.y" line in both Core1 and Core2; since Core1 is the owner, the IP has to be the same as the virtual IP.

Expert Comment

by:RKinsp
pfpoulsen - No, you shouldn't switch around owners. This would require you to switch the physical IP of the box, which you really don't want to have to do on every failover.

You can add the command for virtual ip ping, it is a "risk free" command (meaning it will not affect anything you have done so far) and when you have time, you can test the fail over.

Also, like Tamas mentioned, make sure you have your physical IPs configured and not just a Virtual IP.

Author Comment

by:pfpoulsen
But I need to take the CORE1 switch out of production for some time (we are currently moving our datacenter).

So if CORE2 is the primary switch for some time, wouldn't it be better that CORE2 is the IP-owner?

Accepted Solution

by:RKinsp
Well, in truth it doesn't really matter. Being the owner just means that you have the same physical IP as Virtual IP on one box. This way you only use up 2 IP addresses instead of 3 and the owner has a higher priority by default, meaning you have less to configure.

In some situations you use 3 different IPs which might be interesting if you want to test pinging Virtual IP and 2 separate physical IPs, but you would have to set priorities manually.

If you want, you can set Core 2 as the owner, however I still recommend using that command because in a failover scenario, you want to be able to ping the virtual IP for testing. The reason HP has it as a separate command is because of the way the standard, VRRP, is written.

Best of luck,
RK
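
Added example (not part of the original thread and not HP tooling): a Python sketch that parses the `sh vrrp` output format posted in the question and flags the condition described in the manual excerpt quoted earlier in the thread, where a ping to the virtual IP only proves that the owner is up. The sample text is constructed from the CORE1 output in the question, and the finding codes are names made up for this illustration.

```python
import re

# Constructed sample, trimmed from the CORE1 "sh vrrp" output in the question.
SAMPLE = """
 VRRP Global Statistics Information

  VRRP Enabled           : Yes
  Protocol Version       : 2
  Virtual Routers Respond To Ping Requests : No

 VRRP Virtual Router Statistics Information

  Vlan ID                  : 1
  Virtual Router ID        : 1
  State                    : Master
  Virtual MAC Address      : 00005e-000101
  Master's IP Address      : 10.31.45.1
  Associated IP Addr Count : 1          Near Failovers            : 0
  Advertise Pkts Rx        : 0          Become Master             : 1
"""

# One "key : value" pair; the statistics rows carry two pairs per line.
PAIR = re.compile(r"([A-Za-z][A-Za-z' ]*?)[ \t]*:[ \t]+(\S+(?: \S+)*)")

def parse_show_vrrp(text):
    """Return a dict of every 'key : value' pair found in the output."""
    fields = {}
    for line in text.splitlines():
        for key, value in PAIR.findall(line):
            fields[key.strip()] = value
    return fields

def expected_virtual_mac(vrid):
    """RFC 3768 virtual MAC 00-00-5E-00-01-{VRID}, in ProCurve notation."""
    return "00005e-0001%02x" % vrid

def review(fields):
    """Return finding codes (hypothetical names) for one virtual router."""
    findings = []
    vrid = int(fields["Virtual Router ID"])
    if fields["Virtual MAC Address"].lower() != expected_virtual_mac(vrid):
        findings.append("VMAC_MISMATCH")
    # Without virtual-ip-ping only the owner answers ICMP to the VIP, so a
    # failed ping during an owner outage does not prove failover failed.
    if fields.get("Virtual Routers Respond To Ping Requests", "No") != "Yes":
        findings.append("VIP_PING_DISABLED")
    # A backup that never hears the master's advertisements is isolated.
    if fields["State"] == "Backup" and int(fields["Advertise Pkts Rx"]) == 0:
        findings.append("NO_ADVERTS_RX")
    return findings

if __name__ == "__main__":
    print(review(parse_show_vrrp(SAMPLE)))
```

Run against output captured from both switches before a planned outage, a `VIP_PING_DISABLED` finding means the failover test should use traffic routed through the gateway rather than a ping to the virtual IP.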

Author Closing Comment

by:pfpoulsen
OK - Thank you.

Expert Comment

by:RKinsp
Thanks for the points. Hope everything works out.

-RK