Hello, today I'd like to share with you how to deal with the problem that the physical IP address of S7706 VRRP is unreachable.
Issue Description

Two S7706s are configured with two VRRP groups: VRRP 100 on Vlanif 100 is for the upstream firewall, and VRRP 200 on Vlanif 200 is for the downstream S57. The firewalls work in active/standby mode and the VRRP status is normal. The two S77s can ping each other through the physical addresses of the Vlanif200 interfaces, but the real IP addresses of the Vlanif100 interfaces cannot ping each other.
The configuration and VRRP status are as follows:
S7706-1:
#
interface GigabitEthernet1/0/0
description TO-JNTXD-S7706-02
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet2/0/0
description TO-JNTXZX-USG6650-01
port link-type access
port default vlan 200
#
interface Vlanif100
ip address 10.x.x.2 255.255.255.x
vrrp vrid 100 virtual-ip 10.x.x.1
vrrp vrid 100 priority 200
#
interface Vlanif200
description TO-JNTXZX-USG6650-01
ip address 10.x.x.133 x.255.255.x
vrrp vrid 200 virtual-ip 10.x.x.132
vrrp vrid 200 priority 200
#
===============display vrrp===============
================================================
Vlanif100 | Virtual Router 100
State : Master
Virtual IP : 10.x.x.1
Master IP : 10.x.x.2
PriorityRun : 200
PriorityConfig : 200
MasterPriority : 200
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-xxxx-0164
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2017-02-15 07:32
Last change time : 2017-02-15 07:32
Vlanif200 | Virtual Router 200
State : Master
Virtual IP : 10.x.x.132
Master IP : 10.x.x.133
PriorityRun : 200
PriorityConfig : 200
MasterPriority : 200
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-xxxx
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2017-02-15 07:32
Last change time : 2017-02-15 07:32
S7706-2:
#
interface Vlanif100
ip address 10.x.x.3 255.255.255.x
vrrp vrid 100 virtual-ip 10.x.x.1
vrrp vrid 100 priority 150
#
interface Vlanif200
description TO-JNTXD-USG6650-02
ip address 10.x.x.134 x.255.x.x
vrrp vrid 200 virtual-ip 10.x.x.x
#
===============display vrrp===============
================================================
Vlanif100 | Virtual Router 100
State : Backup
Virtual IP : 10.x.x.1
Master IP : 10.x.x.2
PriorityRun : 150
PriorityConfig : 150
MasterPriority : 200
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-xxxx
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2017-02-15 07:32
Last change time : 2017-02-15 07:32
Vlanif200 | Virtual Router 200
State : Backup
Virtual IP : 10.146.x.x
Master IP : 10.146.x.x
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 200
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-xxxx-01c8
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2017-02-15 07:32
Last change time : 2017-02-15 07:32
Key Process
1. The VRRP status is normal, which indicates that heartbeat packets are exchanged normally between the two S77s and that the links between the two devices are available for normal communication, yet the devices cannot ping each other. First, check whether the ARP entries are correct.
S77-1:
D 10.x.x.3 487b-xxxx-3f5b 100 GE1/0/0 02-16 08:43:12
S77-2:
D 10.x.x.2 487b-6b94-xxxx 100 GE1/0/1 02-16 08:44:10
You can see that each device has learned the other's ARP entry on its heartbeat interface. In theory the ping should succeed, so a further check is required.
2. The ping operation still fails, so one of the devices must be failing either to send packets or to return them. Collect traffic statistics to locate the fault point.
[JN-JNTXZX-S7706-01]dis tra po st in g 1/0/0 in
Interface: GigabitEthernet1/0/0
Traffic policy inbound: 3000
Rule number: 2
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 1
---------------------------------------------------------------------
Matched | Packets: 5
| Bytes: 530
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Passed | Packets: 5
| Bytes: 530
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
[JN-JNTXZX-S7706-01]dis tra po st in g 1/0/0 out
Interface: GigabitEthernet1/0/0
Traffic policy outbound: 3000
Rule number: 2
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 1
---------------------------------------------------------------------
Matched | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
The traffic statistics show that S7706-01 has received packets but returned none, so the problem lies on S7706-01. A further check of the alarms on the device finds the following:
#Feb 16 2017 10:33:48 JN-JNTXZX-S7706-01 L2IFPPI/4/MAC_FLAPPING_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The MAC address has flap value. (L2IfPort=0, entPhysicalIndex=0, BaseTrapSeverity=4, BaseTrapProbableCause=549, BaseTrapEventType=1, MacAddr=0000-5e00-010a, VLANID=200, FormerIfDescName=GigabitEthernet1/0/0, CurrentIfDescName=GigabitEthernet2/0/0, DeviceName=JN-JNTXZX-S7706-01)
A large number of MAC address flapping alarms are reported on S7706-01. The MAC address flaps between G1/0/0 and G2/0/0, that is, between the port connected to the firewall and the port connected to S7706-02. A loop on the link is suspected.
3. Check the firewall settings. The firewalls are confirmed to be in active/standby state and do not support transparent transmission of BPDU packets, so the S77 cannot detect the loop through BPDUs. As a result, services are looped, MAC addresses flap, and the devices cannot communicate with each other. Because the firewall does not support a stacking feature similar to that of switches, it is recommended that the S77 switch be connected to the two firewalls through two uplinks and that transparent transmission of BPDU packets be allowed. The problem is solved after the connection is changed to dual uplinks.
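The alarm check in step 2 can be automated. The following Python sketch is an added example, not part of the original post or of any Huawei tool: it parses MAC_FLAPPING_ALARM lines, groups them per MAC and VLAN, and flags MACs in the standard IPv4 VRRP virtual MAC range (0000-5e00-01 followed by the VRID in hex). The second log line and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed input: line 1 is the alarm quoted on this page; line 2 is a
# made-up alarm for an ordinary host MAC, added for contrast.
SAMPLE_LOG = """\
#Feb 16 2017 10:33:48 JN-JNTXZX-S7706-01 L2IFPPI/4/MAC_FLAPPING_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The MAC address has flap value. (L2IfPort=0, entPhysicalIndex=0, BaseTrapSeverity=4, BaseTrapProbableCause=549, BaseTrapEventType=1, MacAddr=0000-5e00-010a, VLANID=200, FormerIfDescName=GigabitEthernet1/0/0, CurrentIfDescName=GigabitEthernet2/0/0, DeviceName=JN-JNTXZX-S7706-01)
#Feb 16 2017 10:34:05 JN-JNTXZX-S7706-01 L2IFPPI/4/MAC_FLAPPING_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The MAC address has flap value. (L2IfPort=0, entPhysicalIndex=0, BaseTrapSeverity=4, BaseTrapProbableCause=549, BaseTrapEventType=1, MacAddr=00e0-fc12-3456, VLANID=300, FormerIfDescName=GigabitEthernet3/0/1, CurrentIfDescName=GigabitEthernet3/0/2, DeviceName=JN-JNTXZX-S7706-01)
"""

FIELD_RE = re.compile(r"(\w+)=([^,()]+)")
# IPv4 VRRP virtual MAC is 00-00-5E-00-01-{VRID}; the switch prints it as xxxx-xxxx-xxxx.
VRRP_MAC_RE = re.compile(r"0000-5e00-01([0-9a-f]{2})", re.IGNORECASE)
REQUIRED = {"MacAddr", "VLANID", "FormerIfDescName", "CurrentIfDescName"}


def vrrp_vrid(mac):
    """Return the VRID encoded in a VRRP virtual MAC, or None for any other MAC."""
    m = VRRP_MAC_RE.fullmatch(mac.strip())
    return int(m.group(1), 16) if m else None


def parse_flaps(log_text):
    """Extract (mac, vlan, former port, current port) from MAC_FLAPPING_ALARM lines."""
    events = []
    for line in log_text.splitlines():
        if "MAC_FLAPPING_ALARM" not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        if not REQUIRED <= fields.keys():
            continue  # truncated or differently formatted alarm
        events.append((fields["MacAddr"].lower(), int(fields["VLANID"]),
                       fields["FormerIfDescName"], fields["CurrentIfDescName"]))
    return events


def summarize(events):
    """Group flaps per (MAC, VLAN) and mark VRRP virtual MACs with their VRID."""
    groups = defaultdict(lambda: {"count": 0, "ports": set()})
    for mac, vlan, former, current in events:
        groups[(mac, vlan)]["count"] += 1
        groups[(mac, vlan)]["ports"].update((former, current))
    return {key: {"count": g["count"], "ports": sorted(g["ports"]),
                  "vrrp_vrid": vrrp_vrid(key[0])} for key, g in groups.items()}


if __name__ == "__main__":
    for (mac, vlan), info in summarize(parse_flaps(SAMPLE_LOG)).items():
        print(mac, "vlan", vlan, info)
```

For the alarm on this page the MAC decodes to VRID 10, which is not one of the groups 100 and 200 shown in the S7706 configuration. A VRRP virtual MAC moving between two ports of the same switch is the pattern to alert on, since it typically means a Layer 2 loop or two simultaneous masters.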
Root Cause
The firewall in active/standby mode does not support transparent transmission of BPDU packets. As a result, a network loop occurs and data cannot be forwarded normally.
Solutions
After the upstream links of the S77 are changed to connect to the two firewalls respectively, the problem is solved.
Suggestions and conclusions
On a VRRP network, apart from the master and backup VRRP devices themselves, it is recommended that a single device be used as the peer device. To protect services with link backup, upstream devices can be connected to different chassis of a stack device instead of to two different devices.
If you have any problems, please post them in our Community. We are happy to solve them for you!