Procurve VRRP does not failover

Hi All

I have two HP 5406zl switches with premium license installed as core switches in our business network.

Those two switches are holding our default gateway in the vlan 1 interface; VRRP is configured there so that the default gateway should be working even if one switch is taken offline.

I'm used to configuring HSRP on Cisco equipment, where I use a unique IP on every router, and a virtual IP for the default gateway (HSRP instance).

The HP switches' VRRP instance is configured like this:

CORE1 (VRRP Master)
vlan 1
   ip ospf 10.31.45.1 area backbone
   vrrp vrid 1
      owner
      virtual-ip-address 10.31.45.1 255.255.255.0
      priority 255
      enable
      exit
   exit

CORE2 (VRRP backup)
vlan 1
   ip ospf 10.31.45.7 area backbone
   vrrp vrid 1
      backup
      virtual-ip-address 10.31.45.1 255.255.255.0
      enable
      exit
   exit


The 10.31.45.1 (our default gateway) is configured directly on the VLAN 1 interface on CORE1.
I can't understand how the VLAN can have the virtual VRRP IP configured directly on the interface. That's not how HSRP works.

Yesterday I tried to shut down the CORE1 switch, and I was expecting that the CORE2 switch would answer for the 10.31.45.1 address (VRRP failover), but it did not, and our clients could not reach their default gateway :/
I had to power on the CORE1 switch again.
So now I'm asking you guys, how can I be sure that the 10.31.45.1 address will fail over to the CORE2 switch when taking the CORE1 switch offline??

Here is some VRRP info from the switches:

CORE1:
ESB-HP-5406-Core-01#  sh vrrp

 VRRP Global Statistics Information

  VRRP Enabled           : Yes
  Protocol Version       : 2
  Invalid VRID Pkts Rx   : 0
  Checksum Error Pkts Rx : 0
  Bad Version Pkts Rx    : 0
  Virtual Routers Respond To Ping Requests : No


 VRRP Virtual Router Statistics Information

  Vlan ID                  : 1
  Virtual Router ID        : 1
  State                    : Master
  Up Time                  : 14 hours
  Virtual MAC Address      : 00005e-000101
  Master's IP Address      : 10.31.45.1
  Associated IP Addr Count : 1          Near Failovers            : 0
  Advertise Pkts Rx        : 0          Become Master             : 1
  Zero Priority Rx         : 0          Zero Priority Tx          : 0
  Bad Length Pkts          : 0          Bad Type Pkts             : 0
  Mismatched Interval Pkts : 0          Mismatched Addr List Pkts : 0
  Mismatched IP TTL Pkts   : 0          Mismatched Auth Type Pkts : 0


CORE2:
SB-HP-5406-Core-02# sh vrrp

 VRRP Global Statistics Information

  VRRP Enabled           : Yes
  Protocol Version       : 2
  Invalid VRID Pkts Rx   : 0
  Checksum Error Pkts Rx : 0
  Bad Version Pkts Rx    : 0


 VRRP Virtual Router Statistics Information

  Vlan ID                  : 1
  Virtual Router ID        : 1
  State                    : Backup
  Up Time                  : 104 days
  Virtual MAC Address      : 00005e-000101
  Master's IP Address      : 10.31.45.1
  Associated IP Addr Count : 1          Near Failovers            : 0
  Advertise Pkts Rx        : 9055263    Become Master             : 2
  Zero Priority Rx         : 0          Zero Priority Tx          : 0
  Bad Length Pkts          : 0          Bad Type Pkts             : 0
  Mismatched Interval Pkts : 0          Mismatched Addr List Pkts : 0
  Mismatched IP TTL Pkts   : 0          Mismatched Auth Type Pkts : 0



Best regards,
Steffen
pfpoulsen Asked:

RKinsp Commented:
Hello, your config looks good, although I don't think you need the priority command on the first Core (it is the owner, therefore has high priority).

Also, you need to use the virtual ping command:
router vrrp virtual-ip-ping

So that the backup will respond to pings on the virtual IP.

Were you testing just pinging or passthrough traffic? If it was just ping, there is a chance it was working but you couldn't tell because of this missing command.
RKinsp Commented:
The virtual ip ping command should be set on both boxes....
pfpoulsen (Author) Commented:
So with the virtual ip ping command, the backup router (switch) will respond to ICMP even though it's not the IP owner?

RKinsp Commented:
Yes, but only when it is the MASTER.

The problem is that without that command, the backup won't respond to ICMP directed to the virtual IP even when the master is down, although it is routing through that IP. Only the OWNER will respond without the command (switch who has the physical IP = virtual IP)

From the manual:

"When in compliance with RFC 3768, only owner VRs reply to ping requests (ICMP echo requests) to the Virtual IP address (VIP). When the virtual IP ping option is enabled, a Backup VR operating as the Master can respond to ping requests made to the VIP. This makes it possible to test the availability of the default gateway with ping. A non-owner VR that is not master drops all packets to the VIP."
pfpoulsen (Author) Commented:
I think it would be better to take the current Master and IP-owner offline. Then wait for the Backup to become master, and then make the backup the IP-owner.

Is that possible?
TimotiSt (Datacenter Technician) Commented:
I might be wrong, but don't you need to configure an IP address on the vlan interface, besides the VRRP config? Like 10.31.45.2 for the backup box?

Tamas
RKinsp Commented:
Totally agree, I just thought he was using 10.31.45.7 on his backup and just didn't put the 'ip address 10.31.45.7 255.255.255.0' from his show run on here.

In any case, you do need the "ip address x.x.x.x y.y.y.y" line in both Core1 and Core2; since Core1 is the owner, the IP has to be the same as the virtual IP.
RKinsp Commented:
pfpoulsen - No, you shouldn't switch around owners. This would require you to switch the physical IP of the box, which you really don't want to have to do on every failover.

You can add the command for virtual ip ping, it is a "risk free" command (meaning it will not affect anything you have done so far) and when you have time, you can test the fail over.

Also, like Tamas mentioned, make sure you have your physical IPs configured and not just a Virtual IP.
pfpoulsen (Author) Commented:
But I need to take the CORE1 switch out of production for some time (we are currently moving our datacenter).

So if CORE2 is the primary switch for some time, wouldn't it be better that CORE2 is the IP-owner?
RKinsp Commented:
Well, in truth it doesn't really matter. Being the owner just means that you have the same physical IP as Virtual IP on one box. This way you only use up 2 IP addresses instead of 3 and the owner has a higher priority by default, meaning you have less to configure.

In some situations you use 3 different IPs which might be interesting if you want to test pinging Virtual IP and 2 separate physical IPs, but you would have to set priorities manually.

If you want, you can set Core 2 as the owner, however I still recommend using that command because in a failover scenario, you want to be able to ping the virtual IP for testing. The reason HP has it as a separate command is because of the way the standard, VRRP, is written.

Best of luck,
RK
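
An added example, not part of any post in this thread: a small Python check of the points raised above (an `ip address` line on every VLAN that runs VRRP, the owner's interface IP equal to the virtual IP, and `router vrrp virtual-ip-ping` present). The sample configs are constructed from the snippets posted here, and the `audit` function name is hypothetical.

```python
import re

# Constructed sample configs modelled on the snippets posted in this thread.
CORE1 = """\
vlan 1
   ip address 10.31.45.1 255.255.255.0
   vrrp vrid 1
      owner
      virtual-ip-address 10.31.45.1 255.255.255.0
      priority 255
      enable
      exit
   exit
"""
CORE2 = """\
vlan 1
   vrrp vrid 1
      backup
      virtual-ip-address 10.31.45.1 255.255.255.0
      enable
      exit
   exit
"""

def audit(config):
    """Return a list of findings for every VLAN that carries a VRRP instance."""
    findings = []
    # Without this command a backup acting as master drops pings to the VIP.
    if not re.search(r"^\s*router vrrp virtual-ip-ping\s*$", config, re.M):
        findings.append("global: 'router vrrp virtual-ip-ping' not set")
    # A VLAN stanza is the 'vlan N' line plus the indented lines that follow it.
    for vlan, body in re.findall(r"^vlan (\d+)\n((?:[ \t]+.*\n?)+)", config, re.M):
        roles = re.findall(r"^\s+(owner|backup)\s*$", body, re.M)
        if not roles:
            continue  # no VRRP on this VLAN
        ips = re.findall(r"^\s+ip address (\S+) \S+", body, re.M)
        vips = re.findall(r"^\s+virtual-ip-address (\S+)", body, re.M)
        if not ips:
            findings.append(f"vlan {vlan}: no 'ip address' on the interface")
        for role, vip in zip(roles, vips):
            if role == "owner" and ips and vip not in ips:
                findings.append(f"vlan {vlan}: owner but VIP {vip} is not an interface IP")
            if role == "backup" and vip in ips:
                findings.append(f"vlan {vlan}: backup but VIP {vip} is an interface IP")
    return findings
```

Run `audit()` over the saved running config of each core before a planned failover test; an empty list means none of the three conditions discussed in the thread was found.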

pfpoulsen (Author) Commented:
OK - Thank you.
RKinsp Commented:
Thanks for the points. Hope everything works out.

-RK