Solved

Procurve VRRP does not failover

Posted on 2012-03-20
12
5,128 Views
Last Modified: 2012-03-23
Hi All

I have two HP 5406zl switches with premium license installed as core switches in our business network.

Those two switches are holding our default gateway on the vlan 1 interface, where VRRP is configured so that the default gateway should keep working even if one switch is taken offline.

I'm used to configuring HSRP on Cisco equipment, where I use a unique IP on every router, and a virtual IP for the default gateway (HSRP instance).

The HP switches' VRRP instance is configured like this:

CORE1 (VRRP Master)
vlan 1
   ip ospf 10.31.45.1 area backbone
   vrrp vrid 1
      owner
      virtual-ip-address 10.31.45.1 255.255.255.0
      priority 255
      enable
      exit
   exit

CORE2 (VRRP backup)
vlan 1
   ip ospf 10.31.45.7 area backbone
   vrrp vrid 1
      backup
      virtual-ip-address 10.31.45.1 255.255.255.0
      enable
      exit
   exit


The 10.31.45.1 address (our default gateway) is configured directly on the VLAN 1 interface on CORE1.
I can't understand how the VLAN can have the virtual VRRP IP configured directly on the interface. That's not how HSRP works.

Yesterday I tried to shut down the CORE1 switch, and I was expecting that the CORE2 switch would answer for the 10.31.45.1 address (VRRP failover), but it did not, and our clients could not reach their default gateway :/
I had to power on the CORE1 switch again.
So now I'm asking you guys, how can I be sure that the 10.31.45.1 address will fail over to the CORE2 switch when taking the CORE1 switch offline?

Here is some VRRP info from the switches:

CORE1:
ESB-HP-5406-Core-01#  sh vrrp

 VRRP Global Statistics Information

  VRRP Enabled           : Yes
  Protocol Version       : 2
  Invalid VRID Pkts Rx   : 0
  Checksum Error Pkts Rx : 0
  Bad Version Pkts Rx    : 0
  Virtual Routers Respond To Ping Requests : No


 VRRP Virtual Router Statistics Information

  Vlan ID                  : 1
  Virtual Router ID        : 1
  State                    : Master
  Up Time                  : 14 hours
  Virtual MAC Address      : 00005e-000101
  Master's IP Address      : 10.31.45.1
  Associated IP Addr Count : 1          Near Failovers            : 0
  Advertise Pkts Rx        : 0          Become Master             : 1
  Zero Priority Rx         : 0          Zero Priority Tx          : 0
  Bad Length Pkts          : 0          Bad Type Pkts             : 0
  Mismatched Interval Pkts : 0          Mismatched Addr List Pkts : 0
  Mismatched IP TTL Pkts   : 0          Mismatched Auth Type Pkts : 0


CORE2:
SB-HP-5406-Core-02# sh vrrp

 VRRP Global Statistics Information

  VRRP Enabled           : Yes
  Protocol Version       : 2
  Invalid VRID Pkts Rx   : 0
  Checksum Error Pkts Rx : 0
  Bad Version Pkts Rx    : 0


 VRRP Virtual Router Statistics Information

  Vlan ID                  : 1
  Virtual Router ID        : 1
  State                    : Backup
  Up Time                  : 104 days
  Virtual MAC Address      : 00005e-000101
  Master's IP Address      : 10.31.45.1
  Associated IP Addr Count : 1          Near Failovers            : 0
  Advertise Pkts Rx        : 9055263    Become Master             : 2
  Zero Priority Rx         : 0          Zero Priority Tx          : 0
  Bad Length Pkts          : 0          Bad Type Pkts             : 0
  Mismatched Interval Pkts : 0          Mismatched Addr List Pkts : 0
  Mismatched IP TTL Pkts   : 0          Mismatched Auth Type Pkts : 0



Best regards,
Steffen
Question by:pfpoulsen
12 Comments
 
LVL 6

Expert Comment

by:RKinsp
ID: 37744360
Hello, your config looks good, although I don't think you need the priority command on the first Core (it is the owner, therefore has high priority).

Also, you need to use the virtual ping command:
router vrrp virtual-ip-ping

So that the backup will respond to pings on the virtual IP.

Were you testing just pinging or passthrough traffic? If it was just ping, there is a chance it was working but you couldn't tell because of this missing command.
0
 
LVL 6

Expert Comment

by:RKinsp
ID: 37744363
The virtual IP ping command should be set on both boxes.
0
 

Author Comment

by:pfpoulsen
ID: 37744490
So with the virtual IP ping command, the backup router (switch) will respond to ICMP even though it's not the IP owner?
0

 
LVL 6

Expert Comment

by:RKinsp
ID: 37745352
Yes, but only when it is the MASTER.

The problem is that without that command, the backup won't respond to ICMP directed to the virtual IP even when the master is down, although it is routing through that IP. Only the OWNER will respond without the command (switch who has the physical IP = virtual IP)

From the manual:

"When in compliance with RFC 3768, only owner VRs reply to ping requests (ICMP echo requests) to the Virtual IP address (VIP). When the virtual IP ping option is enabled, a Backup VR operating as the Master can respond to ping requests made to the VIP. This makes it possible to test the availability of the default gateway with ping. A non-owner VR that is not master drops all packets to the VIP."
0
 

Author Comment

by:pfpoulsen
ID: 37746379
I think it would be better to take the current Master and IP-owner offline. Then wait for the Backup to become master, and then make the backup the IP-owner.

Is that possible?
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 37746759
I might be wrong, but don't you need to configure an IP address on the vlan interface, besides the VRRP config? Like 10.31.45.2 for the backup box?

Tamas
0
 
LVL 6

Expert Comment

by:RKinsp
ID: 37747761
Totally agree, I just thought he was using 10.31.45.7 on his backup and just didn't put the 'ip address 10.31.45.7 255.255.255.0' from his show run on here.

In any case, you do need the "ip address x.x.x.x y.y.y.y" line in both Core1 and Core2; since Core1 is the owner, the IP has to be the same as the virtual IP.
0
 
LVL 6

Expert Comment

by:RKinsp
ID: 37747782
pfpoulsen - No, you shouldn't switch around owners. This would require you to switch the physical IP of the box, which you really don't want to have to do on every failover.

You can add the command for virtual ip ping, it is a "risk free" command (meaning it will not affect anything you have done so far) and when you have time, you can test the fail over.

Also, like Tamas mentioned, make sure you have your physical IPs configured and not just a Virtual IP.
0
 

Author Comment

by:pfpoulsen
ID: 37750140
But I need to take the CORE1 switch out of production for some time (we are currently moving our datacenter).

So if CORE2 is the primary switch for some time, wouldn't it be better that CORE2 is the IP-owner?
0
 
LVL 6

Accepted Solution

by:
RKinsp earned 500 total points
ID: 37752775
Well, in truth it doesn't really matter. Being the owner just means that you have the same physical IP as Virtual IP on one box. This way you only use up 2 IP addresses instead of 3 and the owner has a higher priority by default, meaning you have less to configure.

In some situations you use 3 different IPs which might be interesting if you want to test pinging Virtual IP and 2 separate physical IPs, but you would have to set priorities manually.

If you want, you can set Core 2 as the owner, however I still recommend using that command because in a failover scenario, you want to be able to ping the virtual IP for testing. The reason HP has it as a separate command is because of the way the standard, VRRP, is written.

Best of luck,
RK
0
 

Author Closing Comment

by:pfpoulsen
ID: 37754934
OK - Thank you.
0
 
LVL 6

Expert Comment

by:RKinsp
ID: 37758449
Thanks for the points. Hope everything works out.

-RK
0
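The three points raised in this thread (an "ip address" line on each VLAN interface, owner IP equal to the virtual IP, and virtual-ip-ping so a backup acting as master answers pings) can be checked before a planned failover. The following is an added example, not code from any poster or from HP; the sample configs are constructed from the posted snippets, and it assumes one VLAN per snippet and the command spellings used in the thread.

```python
import re

# Constructed sample configs modelled on the thread: CORE1 with the physical
# address the answers say it must have; CORE2 exactly as posted in the question.
CORE1 = """\
router vrrp virtual-ip-ping
vlan 1
   ip address 10.31.45.1 255.255.255.0
   vrrp vrid 1
      owner
      virtual-ip-address 10.31.45.1 255.255.255.0
      priority 255
      enable
      exit
   exit
"""
CORE2 = """\
vlan 1
   ip ospf 10.31.45.7 area backbone
   vrrp vrid 1
      backup
      virtual-ip-address 10.31.45.1 255.255.255.0
      enable
      exit
   exit
"""

def check_vrrp(config):
    """Return a list of findings for one switch's VRRP-related config text.

    Assumption: the snippet covers a single VLAN, so addresses are not
    scoped per interface.
    """
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    phys = [m.group(1) for l in lines if (m := re.match(r"ip address (\S+) \S+$", l))]
    vips = [m.group(1) for l in lines if (m := re.match(r"virtual-ip-address (\S+)", l))]
    if not phys:
        findings.append("no 'ip address' line on the VLAN interface")
    if not any("virtual-ip-ping" in l for l in lines):
        findings.append("virtual-ip-ping not set: a backup acting as master "
                        "will not answer pings to the VIP")
    if "owner" in lines and phys and not set(vips) <= set(phys):
        findings.append("owner: physical IP must equal the virtual IP")
    if "backup" in lines and set(vips) & set(phys):
        findings.append("backup: physical IP must differ from the virtual IP")
    if "enable" not in lines:
        findings.append("virtual router is not enabled")
    return findings
```

Run against CORE2 as posted, it reports the missing "ip address" line and the missing virtual-ip-ping setting, the two gaps the answers identified.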
