The physical IP address of S7706 VRRP is unreachable


Hello, today I'd like to share with you how to deal with the problem that the physical IP address of S7706 VRRP is unreachable.


Issue Description



Two S7706s are configured with two VRRP groups: VRRP 100 on Vlanif100 faces the upstream firewall, and VRRP 200 on Vlanif200 faces the downstream S57. The firewalls work in active/standby mode and the VRRP status is normal. The two S77s can ping each other through the physical addresses of their Vlanif200 interfaces, but the real IP addresses of the Vlanif100 interfaces cannot ping each other.

The configuration and VRRP status are as follows:


S7706-1:
#
 interface GigabitEthernet1/0/0
 description TO-JNTXD-S7706-02
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
 interface GigabitEthernet2/0/0
 description TO-JNTXZX-USG6650-01
 port link-type access
 port default vlan 200
#
 interface Vlanif100
 ip address 10.x.x.2 255.255.255.x
 vrrp vrid 100 virtual-ip 10.x.x.1
 vrrp vrid 100 priority 200
#
 interface Vlanif200
 description TO-JNTXZX-USG6650-01
 ip address 10.x.x.133 x.255.255.x
 vrrp vrid 200 virtual-ip 10.x.x.132
 vrrp vrid 200 priority 200

===============display vrrp===============
================================================
  Vlanif100 | Virtual Router 100
    State : Master
    Virtual IP : 10.x.x.1
    Master IP : 10.x.x.2
    PriorityRun : 200
    PriorityConfig : 200
    MasterPriority : 200
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-xxxx-0164
    Check TTL : YES
    Config type : normal-vrrp
    Backup-forward : disabled
    Create time : 2017-02-15 07:32
    Last change time : 2017-02-15 07:32

  Vlanif200 | Virtual Router 200
    State : Master
    Virtual IP : 10.x.x.132
    Master IP : 10.x.x.133
    PriorityRun : 200
    PriorityConfig : 200
    MasterPriority : 200
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-xxxx
    Check TTL : YES
    Config type : normal-vrrp
    Backup-forward : disabled
    Create time : 2017-02-15 07:32
    Last change time : 2017-02-15 07:32


S7706-2:
#
 interface Vlanif100
 ip address 10.x.x.3 255.255.255.x
 vrrp vrid 100 virtual-ip 10.x.x.1
 vrrp vrid 100 priority 150
#
 interface Vlanif200
 description TO-JNTXD-USG6650-02
 ip address 10.x.x.134 x.255.x.x
 vrrp vrid 200 virtual-ip 10.x.x.x
#
 ===============display vrrp===============
================================================
  Vlanif100 | Virtual Router 100
    State : Backup
    Virtual IP : 10.x.x.1
    Master IP : 10.x.x.2
    PriorityRun : 150
    PriorityConfig : 150
    MasterPriority : 200
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-xxxx
    Check TTL : YES
    Config type : normal-vrrp
    Backup-forward : disabled
    Create time : 2017-02-15 07:32
    Last change time : 2017-02-15 07:32

  Vlanif200 | Virtual Router 200
    State : Backup
    Virtual IP : 10.146.x.x
    Master IP : 10.146.x.x
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 200
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-xxxx-01c8
    Check TTL : YES
    Config type : normal-vrrp
    Backup-forward : disabled
    Create time : 2017-02-15 07:32
    Last change time : 2017-02-15 07:32


 

Key Process


1.   The VRRP status is normal, which indicates that heartbeat packets are exchanged normally between the two S77s and that the links between the two devices can carry traffic, yet the devices cannot ping each other. First, check whether the ARP entries are correct.


 S77-1:

D  10.x.x.3    487b-xxxx-3f5b 100  GE1/0/0                   02-16 08:43:12
S77-2

D  10.x.x.2    487b-6b94-xxxx 100  GE1/0/1                   02-16 08:44:10


You can see that each device has learned the other's ARP entry on its heartbeat interface. In theory the addresses should be pingable, so a further check is required.

2.      Currently, the ping operation fails. This means that one of the devices has a problem either sending packets or returning them, so collect traffic statistics to locate the fault point.



[JN-JNTXZX-S7706-01]dis tra po st in g 1/0/0 in


 Interface: GigabitEthernet1/0/0
 Traffic policy inbound: 3000
 Rule number: 2
 Current status: success
 Statistics interval: 300
---------------------------------------------------------------------
 Board : 1
---------------------------------------------------------------------
 Matched          |      Packets:                             5
                  |      Bytes:                             530
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
   Passed         |      Packets:                             5
                  |      Bytes:                             530
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
   Dropped        |      Packets:                             0
                  |      Bytes:                               0
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
[JN-JNTXZX-S7706-01]dis tra po st in g 1/0/0 out

 Interface: GigabitEthernet1/0/0
 Traffic policy outbound: 3000
 Rule number: 2
 Current status: success
 Statistics interval: 300
---------------------------------------------------------------------
 Board : 1
---------------------------------------------------------------------
 Matched          |      Packets:                             0
                  |      Bytes:                               0
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
   Passed         |      Packets:                             0
                  |      Bytes:                               0
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
   Dropped        |      Packets:                             0
                  |      Bytes:                               0
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0


The traffic statistics show that S7706-01 has received packets but has not returned any; therefore the problem lies in S7706-01. Checking the alarms on the device further reveals the following:


#Feb 16 2017 10:33:48 JN-JNTXZX-S7706-01 L2IFPPI/4/MAC_FLAPPING_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The MAC address has flap value. (L2IfPort=0, entPhysicalIndex=0, BaseTrapSeverity=4, BaseTrapProbableCause=549, BaseTrapEventType=1, MacAddr=0000-5e00-010a, VLANID=200, FormerIfDescName=GigabitEthernet1/0/0, CurrentIfDescName=GigabitEthernet2/0/0, DeviceName=JN-JNTXZX-S7706-01)


A large number of MAC address flaps occur on S7706-01. The flapping ports are the port connected to G1/0/0 on the firewall and port G2/0/0 connected to S7706-02. A loop on the link is suspected.

3.      Check the firewall settings. Confirm that the firewall is in active/standby state and does not support transparent transmission of BPDU packets, so the S77 cannot detect loops through BPDUs. As a result, a service loop forms, MAC addresses flap, and the devices cannot communicate with each other. Because the firewall does not support a stacking feature similar to that of switches, it is recommended that the S77 switch be connected to two firewalls over two uplinks and that transparent transmission of BPDU packets be allowed. The problem is solved after the connection is changed to dual uplinks.
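The alarm check in step 2 can be automated. The following is an added example, not part of the original post: it parses MAC_FLAPPING_ALARM lines in the format shown above, decodes the VRID from IPv4 VRRP virtual MACs (0000-5e00-01XX, where XX is the VRID in hex), and reports virtual MACs that keep moving between ports. A virtual MAC is sourced only by the current master, so learning it on two ports points to a loop or a second master. The function names and the `min_flaps` threshold are assumptions; only the first sample line comes from the post.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the alarm quoted in the post; the rest are invented.
SAMPLE_LOG = """\
#Feb 16 2017 10:33:48 JN-JNTXZX-S7706-01 L2IFPPI/4/MAC_FLAPPING_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.12 The MAC address has flap value. (L2IfPort=0, entPhysicalIndex=0, BaseTrapSeverity=4, BaseTrapProbableCause=549, BaseTrapEventType=1, MacAddr=0000-5e00-010a, VLANID=200, FormerIfDescName=GigabitEthernet1/0/0, CurrentIfDescName=GigabitEthernet2/0/0, DeviceName=JN-JNTXZX-S7706-01)
#Feb 16 2017 10:33:49 JN-JNTXZX-S7706-01 L2IFPPI/4/MAC_FLAPPING_ALARM:constructed (MacAddr=0000-5e00-010a, VLANID=200, FormerIfDescName=GigabitEthernet2/0/0, CurrentIfDescName=GigabitEthernet1/0/0)
#Feb 16 2017 10:33:50 JN-JNTXZX-S7706-01 L2IFPPI/4/MAC_FLAPPING_ALARM:constructed (MacAddr=0011-2233-4455, VLANID=300, FormerIfDescName=GigabitEthernet3/0/1, CurrentIfDescName=GigabitEthernet3/0/2)
constructed line of another log type, ignored by the parser
"""

FIELD = re.compile(r"(\w+)=([^,)]+)")                      # key=value pairs inside (...)
VRRP_MAC = re.compile(r"^0000-5e00-01([0-9a-f]{2})$", re.I)  # IPv4 VRRP virtual MAC

def parse_flaps(log):
    """Yield one field dict per MAC_FLAPPING_ALARM line; other lines are skipped."""
    for line in log.splitlines():
        if "MAC_FLAPPING_ALARM" not in line:
            continue
        yield dict(FIELD.findall(line[line.index("("):]))

def vrrp_vrid(mac):
    """Return the VRID if mac is an IPv4 VRRP virtual MAC, else None."""
    m = VRRP_MAC.match(mac)
    return int(m.group(1), 16) if m else None

def summarize(log):
    """Group flaps by (MAC, VLAN): flap count, ports involved, decoded VRID."""
    out = defaultdict(lambda: {"count": 0, "ports": set(), "vrid": None})
    for f in parse_flaps(log):
        e = out[(f["MacAddr"].lower(), int(f["VLANID"]))]
        e["count"] += 1
        e["ports"] |= {f["FormerIfDescName"], f["CurrentIfDescName"]}
        e["vrid"] = vrrp_vrid(f["MacAddr"])
    return dict(out)

def loop_suspects(log, min_flaps=2):
    """(MAC, VLAN) pairs where a VRRP virtual MAC moved at least min_flaps times."""
    return sorted(k for k, v in summarize(log).items()
                  if v["vrid"] is not None and v["count"] >= min_flaps)

if __name__ == "__main__":
    for key, info in sorted(summarize(SAMPLE_LOG).items()):
        print(key, info)
    print("loop suspects:", loop_suspects(SAMPLE_LOG))
```

The MAC in the post's alarm decodes to VRID 10, which is neither of the S77s' own groups (100 and 200, whose virtual MACs end in 0164 and 01c8 in the display output), so the flapping address belongs to another VRRP group present in VLAN 200.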



Root Cause


The firewall in active/standby mode does not support transparent transmission of BPDU packets. As a result, a network loop occurs and data cannot be forwarded normally.


Solutions


After the upstream links of the S77 are changed so that they connect to the two firewalls respectively, the problem is solved.


Suggestions and conclusions


On a VRRP network, apart from the master and backup VRRP devices themselves, it is recommended that a single device be used as the peer device. To keep link backup for services, upstream devices can be connected to different chassis of a stack device instead of to two different devices.


