Scribd
Upload
70 views52 pages

VRRP Troubleshooting Guide: Part Number: 5998-4043

Uploaded by

Ivaylo Velikov
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
70 views52 pages

VRRP Troubleshooting Guide: Part Number: 5998-4043

Uploaded by

Ivaylo Velikov
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 52

VRRP Troubleshooting Guide

Abstract
The main purpose of this guide is to illustrate various issues encountered while configuring VRRP on HP routers.
This troubleshooting guide discusses ways of analyzing a problem and the corrective measures to resolve the issue
for both ProVision and Comware. This guide assumes that readers are familiar with the OSI layer and IP routing
protocols.

Part number: 5998-4043

1
© Copyright 2012 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or use
of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

2
Contents
1 VRRP Overview ····················································································································································· 5
Common Designs······························································································································································ 5
Layer 2 (Bridged) Distribution/Access···························································································································· 6
Partial configurations ··············································································································································· 8
Layer 3 (Routed) Distribution/Access ···························································································································14
MESHING········································································································································································23
VRRP in Conjunction with a Routing Protocol ··············································································································27
2 Troubleshooting ··················································································································································· 29
Overview – Basic Troubleshooting ·······························································································································29
3 Configuration Issues ············································································································································ 33
VRRP is not enabled globally. ·······································································································································33
Reason: ···································································································································································33
Troubleshoot: ··························································································································································33
Solution: ··································································································································································33
Verify: ······································································································································································33
VRRP is not enabled for a VRID. VRID is stuck in the Initialize state (ProVision) ·····················································34
Reason: ···································································································································································34
Troubleshoot: ··························································································································································35
Solution: ··································································································································································35
Verify: ······································································································································································35
VRRP is not enabled for a VRID. VRID is stuck in Initialize state (Comware) ··························································36
Reason: ···································································································································································36
Troubleshoot: ··························································································································································36
Solution: ··································································································································································37
When Disabling or Removing VRRP from the Owner, Duplicate IP Addresses are logged. ··································37
Troubleshoot: ··························································································································································37
Solution: ··································································································································································38
More than one router in a VRRP VRID is claiming to be Master. ··············································································39
Reason: ···································································································································································39
Troubleshoot: ··························································································································································39
Solution: ··································································································································································42
More than one router in a VRRP VRID is claiming to be Master. ··············································································42
Reason: ···································································································································································42
Troubleshoot: ··························································································································································42
Solution: ··································································································································································43
More than one router in a VRRP VRID is claiming to be Master. ··············································································43
Reason: ···································································································································································43
Troubleshoot: ··························································································································································44
Solution: ··································································································································································45
More than one router in a VRRP VRID is claiming to be Master. ··············································································45
Reason: ···································································································································································45
Troubleshoot: ··························································································································································45
Solution: ··································································································································································45
4 Environmental Issues ··········································································································································· 46
More than one router in a VRRP VRID is claiming to be Master. This is occurring intermittently. ························46
Reason: ···································································································································································46

3
Troubleshoot: ··························································································································································46
More than one router in a VRRP VRID is claiming to be Master. This is occurring intermittently. ························48
Reason: ···································································································································································48
Troubleshoot: ··························································································································································48
5 VRRP Behavior ····················································································································································· 51
VRRP Backup routers are not sending VRRP packets. ·································································································51
Reason: ···································································································································································51
When a VRRP Backup Router transitions to the Master state, the VIP cannot be pinged. (ProVision) ·················51
Reason: ···································································································································································51
Troubleshoot (Determine that new Master router is up): ···················································································51
Solution: ··································································································································································52

4
1 VRRP Overview

Virtual Router Redundancy Protocol (VRRP) is a first hop redundancy protocol. In many networks,
edge devices are often configured to send packets to a statically configured default gateway. If
this gateway becomes unavailable, the devices that use it as their first-hop router become isolated
from the network.
VRRP uses dynamic failover to ensure the availability of an end node’s default router. This is
done by assigning the IP address used as the default gateway to a “virtual router”, or VR. The VR
includes:
• An Owner router assigned to forward traffic designated for the virtual router. If the Owner is
forwarding traffic for the VR, it is the Master router for that VR. The Owner router’s physical
IP address is the same as the Virtual IP address of the VR.
• One or more prioritized Backup routers. If a Backup is forwarding traffic for the VR, it has
replaced the Owner as the Master router for that VR. In the non-failover state Backup routers
sit idle waiting to take control in the event of a failover.
For more information about VRRP, see the appropriate Comware or ProVision manual.

Common Designs
VRRP is generally deployed at the Distribution Layer, since these routers are normally the default
gateways for PCs and servers on the network. The Core layer generally does not have PCs and
servers directly connected to it, so VRRP is not necessary. The Access Layer is generally Layer 2
only and does not route.
HP recommends two common VRRP designs:
• Layer 2 (Bridged) Distribution/Access
• Layer 3 (Routed) Distribution/Access

5
Layer 2 (Bridged) Distribution/Access
This design is the more flexible of the two designs. VLANs are not restrained to one Access
switch. Any VLAN can be present on any number of Access switches. As can be seen in Figure
1 and Figure 2, there are several places where Layer 2 loops can occur.
Figure 1 Comware Bridged Access

This design requires that a Layer 2 Loop prevention protocol be utilized. On Comware devices,
MSTP is the recommended Layer 2 Loop Prevention protocol. On ProVision devices, MSTP is
recommended, but Meshing is also supported. MSTP is a standards based protocol. Meshing is
an HP proprietary protocol.

6
Figure 2 ProVision Bridged Access

When implementing a multi-vendor network, MSTP is recommended. Meshing can be utilized


when a network is completely ProVision devices, load balancing of Layer 2 links is necessary,
and links must have a more efficient utilization than with MSTP. (MESHING is discussed later in
this document.)
When designing this type of network, it is important to remember that a Layer 3 protocol like
VRRP is still dependent on the underlying Layer 2 topology.
Best Practice:
The Distribution Router that is normally the Master for a VLAN should also be the root for that
VLAN’s MSTP instance. For Example, Switch 1 is the Master for VLAN 10. Assume that VLAN
10 is in instance 1. Switch 1 should be assigned the root for instance 1. This will ensure that no
ports on Switch 1 (Instance 1) are blocking. If Switch 2 is not the root, it is possible that traffic on
VLAN 10 would be forced to traverse through Switch 2, then across the link between Switch 2
and Switch 1, just to get to Switch 1 which is the master. It is always important to optimize Layer
2 Paths so that they follow the shortest path to their Layer 3 destination.

7
Best Practice:
Load can be distributed across different VRRP routers, by assigning groups of VLANs to different
routers. When there are 10 different VLANs present, a single Distribution router should not be
assigned to be the Master for all 10 VLANs. Depending upon load, 5 VLANs should be assigned
to Switch1 and 5 VLANs to Switch 2. This will also help failover times, as only half of the end
devices will need to failover.

Partial configurations
The following are sample configurations for Comware and ProVision.

Comware Sample Configurations:


sysname Comware-Switch1
#
vlan 1
#
vlan 10
#
vlan 20
#
stp instance 1 priority 4096
stp instance 2 priority 8192
stp enable
stp region-configuration
region-name Region1
instance 1 vlan 10
instance 2 vlan 20
active region-configuration
#
interface NULL0
#
interface Vlan-interface10
ip address 10.1.1.1 255.255.255.0
vrrp vrid 10 virtual-ip 10.1.1.1
#
interface Vlan-interface20
ip address 20.1.1.2 255.255.255.0
vrrp vrid 20 virtual-ip 20.1.1.1
#
interface GigabitEthernet1/0/1
port link-mode bridge
description Link to Switch2
port link-type trunk
port trunk permit vlan 1 10 20
#
interface GigabitEthernet1/0/2

8
port link-mode bridge
description Link to Switch3
port link-type trunk
port trunk permit vlan 1 10 20
#
interface GigabitEthernet1/0/48
port link-mode bridge
description Link to Switch4
port link-type trunk
port trunk permit vlan 1 10 20

sysname Comware-Switch2

#
vlan 1
#
vlan 10
#
vlan 20
#

#
stp instance 1 priority 8192
stp instance 2 priority 4096
stp enable
stp region-configuration
region-name Region1
instance 1 vlan 10
instance 2 vlan 20
active region-configuration
#

#
interface Vlan-interface10
ip address 10.1.1.2 255.255.255.0
vrrp vrid 10 virtual-ip 10.1.1.1
#
interface Vlan-interface20
ip address 20.1.1.1 255.255.255.0
vrrp vrid 20 virtual-ip 20.1.1.1
#
interface GigabitEthernet2/0/1
port link-mode bridge
description Link to Switch1

9
port link-type trunk
port trunk permit vlan 1 10 20
#
interface GigabitEthernet2/0/2
port link-mode bridge
description Link to Switch4
port link-type trunk
port trunk permit vlan 1 10 20
#

#
interface GigabitEthernet2/0/47
port link-mode bridge
description Link to Switch3
port link-type trunk
port trunk permit vlan 1 10 20
#

sysname Comware-Switch3
vlan 1
vlan 10
vlan 20
stp enable
stp region-configuration
region-name Region1
instance 1 vlan 10
instance 2 vlan 20
active region-configuration
#
#

interface GigabitEthernet1/0/2
port link-type trunk
description Link to Switch1
port trunk permit vlan 1 10 20

#
interface GigabitEthernet1/0/23
port link-type trunk
description Link to Switch2
port trunk permit vlan 1 10 20

sysname Comware-switch4
vlan 1
#
vlan 10

10
#
vlan 20

stp enable
stp region-configuration
region-name Region1
instance 1 vlan 10
instance 2 vlan 20
active region-configuration

interface GigabitEthernet1/0/2
port link-mode bridge
description Link to Switch2
port link-type trunk
port trunk permit vlan 1 10 20

interface GigabitEthernet1/0/24
port link-mode bridge
description Link to Switch1
port link-type trunk
port trunk permit vlan 1 10 20

return

Provision Sample Configurations:


Switch1
hostname "ProVision-Switch1"
ip routing
vlan 1
name "DEFAULT_VLAN"
untagged 1-24
ip address dhcp-bootp
exit
vlan 10
name "VLAN10"
ip address 10.1.1.1 255.255.255.0
tagged 1-2,23
exit
vlan 20
name "VLAN20"
ip address 20.1.1.2 255.255.255.0
tagged 1-2,23
exit
router vrrp
enable

11
exit
snmp-server community "public" unrestricted
spanning-tree
spanning-tree config-name "Region1"
spanning-tree instance 1 vlan 10
spanning-tree instance 1 priority 1
spanning-tree instance 2 vlan 20
spanning-tree instance 2 priority 2
vlan 10
vrrp vrid 10
owner
virtual-ip-address 10.1.1.1 255.255.255.0
priority 255
enable
exit
exit
vlan 20
vrrp vrid 20
backup
virtual-ip-address 20.1.1.1 255.255.255.0
enable
exit
exit

Switch2
hostname "ProVision-Switch2"
ip routing
vlan 1
name "DEFAULT_VLAN"
untagged 1-24
ip address dhcp-bootp
exit
vlan 10
name "VLAN10"
ip address 10.1.1.2 255.255.255.0
tagged 1-2,23
exit
vlan 20
name "VLAN20"
ip address 20.1.1.1 255.255.255.0
tagged 1-2,23
exit
router vrrp
enable
exit
snmp-server community "public" unrestricted

12
spanning-tree
spanning-tree config-name "Region1"
spanning-tree instance 1 vlan 10
spanning-tree instance 1 priority 2
spanning-tree instance 2 vlan 20
spanning-tree instance 2 priority 1
vlan 10
vrrp vrid 10
backup
virtual-ip-address 10.1.1.1 255.255.255.0
enable
exit
exit
vlan 20
vrrp vrid 20
owner
virtual-ip-address 20.1.1.1 255.255.255.0
priority 255
enable
exit
exit

Switch3

hostname "ProVision-Switch3"
vlan 1
name "DEFAULT_VLAN"
untagged 1-24
ip address dhcp-bootp
exit
vlan 10
name "VLAN10"
tagged 2,23
no ip address
exit
vlan 20
name "VLAN20"
tagged 2,23
no ip address
exit
snmp-server community "public" unrestricted
spanning-tree
spanning-tree config-name "Region1"
spanning-tree instance 1 vlan 10
spanning-tree instance 2 vlan 20

13
Switch4
hostname "Provision-Switch4"
vlan 1
name "DEFAULT_VLAN"
untagged 1-48
ip address dhcp-bootp
exit
vlan 10
name "VLAN10"
tagged 2,23
no ip address
exit
vlan 20
name "VLAN20"
tagged 2,23
no ip address
exit
snmp-server community "public" unrestricted
spanning-tree
spanning-tree config-name "Region1"
spanning-tree instance 1 vlan 10
spanning-tree instance 2 vlan 20

Layer 3 (Routed) Distribution/Access


In this model, STP or meshing is not necessary, since there are no loops in the design. As in the
model above, the Access switches are purely layer2, but the distribution switches are routed, as
shown in Figure 3 and Figure 4.

14
Figure 3 Comware Routed Access

A routing protocol is run on the transit link between distribution routers, however the passive
interface (Comware: silent interface) command is enabled to prevent the routing protocol from
forming adjacencies on the Access Layer VLANs (VLAN 30,40,50,60). Since there is no
downstream routing of traffic below the Access Layer, a routing protocol does not need to be
announced out those VLAN interfaces.

15
Figure 4 ProVision Routed Access

In this model, traditional routers could also be used, since there is no switching in the distribution
layer. This model removes the complexity of spanning tree or meshing, however it is less flexible
in how VLANs are assigned. For example, VLANs that exist on Switch 3 (VLANs 30 and 40)
cannot exist on Switch 4. Each switch must have its own unique set of VLANs. This design also
allows for very quick failover, since STP or meshing do not have to converge before VRRP can
failover.
To protect against edge devices at the Access Layer causing loops, it is recommended to enable
loop protection (Comware: loopback detection). This will prevent rogue devices from disrupting
your network. Even though loop protection is enabled, it is a much simpler protocol than STP or
meshing, and it does not add any time delays to VRRP’s convergence time since it is run at the
edge.

NOTE:
Comware routers support subinterfaces with 802.1q encapsulation. Comware Switches and ProVision
switches do not support subinterfaces with 802.1q encapsulation. To create a “routed interface” on
these platforms, configure a VLAN interface but only assign a single port to the interface.

16
Partial Configurations:

sysname Comware-Switch1
#
vlan 1
vlan 30
vlan 40
vlan 50
vlan 60
interface Vlan-interface30
ip address 10.30.1.1 255.255.255.0
vrrp vrid 30 virtual-ip 10.30.1.1
#
interface Vlan-interface40
ip address 10.40.1.2 255.255.255.0
vrrp vrid 40 virtual-ip 10.40.1.1
#
interface Vlan-interface50
ip address 10.50.1.2 255.255.255.0
vrrp vrid 50 virtual-ip 10.50.1.1
#
interface Vlan-interface60
ip address 10.60.1.1 255.255.255.0
vrrp vrid 60 virtual-ip 10.60.1.1
#
interface GigabitEthernet1/0/1
port link-mode route
ip address 10.9.1.1 255.255.255.0
#
interface GigabitEthernet1/0/48
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 50 60
port trunk pvid vlan 50
#
ospf 1
silent-interface Vlan-interface30
silent-interface Vlan-interface40
silent-interface Vlan-interface50
silent-interface Vlan-interface60
area 0.0.0.0
network 10.0.0.0 0.255.255.255
#
sysname Comware-Switch2
#
vlan 30

17
vlan 40
vlan 50
vlan 60
#
interface Vlan-interface30
ip address 10.30.1.2 255.255.255.0
vrrp vrid 30 virtual-ip 10.30.1.1
#
interface Vlan-interface40
ip address 10.40.1.1 255.255.255.0
vrrp vrid 40 virtual-ip 10.40.1.1
#
interface Vlan-interface50
ip address 10.50.1.1 255.255.255.0
vrrp vrid 50 virtual-ip 10.50.1.1
#
interface Vlan-interface60
ip address 10.60.1.2 255.255.255.0
vrrp vrid 60 virtual-ip 10.60.1.1
#
interface GigabitEthernet2/0/1
port link-mode route
ip address 10.9.1.2 255.255.255.0
#
interface GigabitEthernet2/0/2
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 50 60
port trunk pvid vlan 50
#
interface GigabitEthernet2/0/47
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 30 40
port trunk pvid vlan 30
#
ospf 1
silent-interface Vlan-interface30
silent-interface Vlan-interface40
silent-interface Vlan-interface50
silent-interface Vlan-interface60
area 0.0.0.0
network 10.0.0.0 0.255.255.255

ProVision-Switch1(vlan-50-vrid-50)# show run

18
Running configuration:

; J8692A Configuration Editor; Created on release #K.15.09.0000x


; Ver #03:01.1f.ef:f2
hostname "ProVision-Switch1"
ip routing
router ospf
area backbone
enable
exit
router vrrp
enable
exit
vlan 1
name "DEFAULT_VLAN"
no untagged 1-2,23
untagged 3-22,24
ip address dhcp-bootp
exit
vlan 9
name "VLAN9"
untagged 1
ip address 10.9.1.1 255.255.255.0
ip ospf 10.9.1.1 area backbone
exit
vlan 10
name "VLAN10"
no ip address
exit
vlan 30
name "VLAN30"
untagged 2
ip address 10.30.1.1 255.255.255.0
ip ospf 10.30.1.1 passive
ip ospf 10.30.1.1 area backbone
vrrp vrid 30
owner
virtual-ip-address 10.30.1.1 255.255.255.0
priority 255
enable
exit
exit
vlan 40
name "VLAN40"
tagged 2
ip address 10.40.1.2 255.255.255.0

19
ip ospf 10.40.1.2 passive
ip ospf 10.40.1.2 area backbone
vrrp vrid 40
backup
virtual-ip-address 10.40.1.1 255.255.255.0
enable
exit
exit
vlan 50
name "VLAN50"
untagged 23
ip address 10.50.1.2 255.255.255.0
ip ospf 10.50.1.2 passive
ip ospf 10.50.1.2 area backbone
vrrp vrid 50
backup
virtual-ip-address 10.50.1.1 255.255.255.0
enable
exit
exit
vlan 60
name "VLAN60"
tagged 23
ip address 10.60.1.1 255.255.255.0
ip ospf 10.60.1.1 passive
ip ospf 10.60.1.1 area backbone
vrrp vrid 60
owner
virtual-ip-address 10.60.1.1 255.255.255.0
priority 255
enable
exit
exit

hostname "ProVision-Switch2"
ip routing
router ospf
area backbone
enable
exit
router vrrp
enable
exit
vlan 1
name "DEFAULT_VLAN"
no untagged 1-2,23

20
untagged 3-22,24
ip address dhcp-bootp
exit
vlan 9
name "VLAN9"
untagged 1
ip address 10.9.1.2 255.255.255.0
ip ospf 10.9.1.2 area backbone
exit
vlan 30
name "VLAN30"
untagged 23
ip address 10.30.1.2 255.255.255.0
ip ospf 10.30.1.2 passive
ip ospf 10.30.1.2 area backbone
vrrp vrid 30
backup
virtual-ip-address 10.30.1.1 255.255.255.0
enable
exit
exit
vlan 40
name "VLAN40"
tagged 23
ip address 10.40.1.1 255.255.255.0
ip ospf 10.40.1.1 passive
ip ospf 10.40.1.1 area backbone
vrrp vrid 40
owner
virtual-ip-address 10.40.1.1 255.255.255.0
priority 255
enable
exit
exit
vlan 50
name "VLAN50"
untagged 2
ip address 10.50.1.1 255.255.255.0
ip ospf 10.50.1.1 passive
ip ospf 10.50.1.1 area backbone
vrrp vrid 50
owner
virtual-ip-address 10.50.1.1 255.255.255.0
priority 255
enable
exit

21
exit
vlan 60
name "VLAN60"
tagged 2
ip address 10.60.1.2 255.255.255.0
ip ospf 10.60.1.2 passive
ip ospf 10.60.1.2 area backbone
vrrp vrid 60
backup
virtual-ip-address 10.60.1.1 255.255.255.0
enable
exit
exit

hostname "ProVision-Switch3"
vlan 1
name "DEFAULT_VLAN"
untagged 1,3-22,24
ip address dhcp-bootp
no untagged 2,23
exit
vlan 30
name "VLAN30"
untagged 2,23
ip address 10.30.1.30 255.255.255.0
exit
vlan 40
name "VLAN40"
ip address 10.40.1.30 255.255.255.0
tagged 2,23
exit
loop-protect 1,3-22,24

hostname "ProVision-Switch4"
vlan 1
name "DEFAULT_VLAN"
untagged 1,3-46,48
ip address dhcp-bootp
no untagged 2,47
exit
vlan 50
name "VLAN50"
untagged 2,47
ip address 10.50.1.40 255.255.255.0
exit
vlan 60

22
name "VLAN60"
ip address 10.60.1.40 255.255.255.0
tagged 2,47
exit
loop-protect 1,3-46,48

MESHING
Meshing is a proprietary alternative to spanning tree. The greatest advantage to using meshing
is more efficient utilization of links. When using meshing all links are “active”, unlike spanning
tree where some links are not used at all, as shown in Figure 5. Meshing is only offered on
certain ProVision platforms, and is not compatible with non-HP equipment. Meshing is similar to
a link-state routing protocol in that it can take into account link speed, hop count, and interface
utilization to direct traffic down the most efficient path.
Figure 5 ProVision Meshing Bridged Access

Beginning in software version K15.09.XXXX some ProVision switches now support Concurrent
Meshing and Routing. In previous versions of software, ProVision switches did not support
Meshing and Routing at the same time. Only switches that run K software and have Version 2
modules (such as HP 5400, HP 8200) can support Concurrent Meshing and Routing. Legacy
switches that support Meshing (for example 3400 and 5300) will still not be able to support
Concurrent Meshing and Routing.
For more information about Meshing, see Meshing User Manual.

23
Best Practice: The VRRP preempt delay timer should be set for at least 60 seconds. When a
failover occurs from the Master to the Standby, the mesh is updated immediately to the new
location of the Master router (the previous standby router). Upon failback the mesh will not
learn the location of the new Master (the original Master) for up to 60 seconds. When a switch
goes offline and then comes back online on the mesh, it can take up to 60 seconds for every
device in the mesh to learn about the newly relearned device. When the Master comes back
online, it is treated as new device by the mesh. Failovers can be accommodated by the mesh
in the VRRP 3 second failover window. It can take up to 60 seconds for the mesh to stabilize on
failback. By implementing the preempt delay timer, VRRP will give the mesh enough time to
stabilize before the original VRRP router takes back control.

hostname "ProVision-Switch1"
mesh A1-A2,A23
no allow-v1-modules
ip routing
snmp-server community "public" unrestricted
router vrrp
enable
exit
vlan 1
name "DEFAULT_VLAN"
untagged A3-A22,A24
tagged Mesh
ip address dhcp-bootp
exit
vlan 10
name "VLAN10"
tagged A24,Mesh
ip address 10.1.1.1 255.255.255.0
vrrp vrid 10
owner
virtual-ip-address 10.1.1.1 255.255.255.0
priority 255
preempt-delay-time 60
enable
exit
exit
vlan 20
name "VLAN20"
tagged Mesh
ip address 20.1.1.2 255.255.255.0
vrrp vrid 20
backup
virtual-ip-address 20.1.1.1 255.255.255.0
priority 110
preempt-delay-time 60

24
enable
exit
exit

hostname "ProVision-Switch2"
mesh A1-A2,A23-A24
no allow-v1-modules
ip routing
snmp-server community "public" unrestricted
router vrrp
enable
exit
vlan 1
name "DEFAULT_VLAN"
untagged A3-A22
tagged Mesh
ip address dhcp-bootp
exit
vlan 10
name "VLAN10"
tagged Mesh
ip address 10.1.1.2 255.255.255.0
vrrp vrid 10
backup
virtual-ip-address 10.1.1.1 255.255.255.0
preempt-delay-time 60
enable
exit
exit
vlan 20
name "VLAN20"
tagged Mesh
ip address 20.1.1.1 255.255.255.0
vrrp vrid 20
owner
virtual-ip-address 20.1.1.1 255.255.255.0
priority 255
preempt-delay-time 60
enable
exit
exit

hostname "ProVision-Switch3"
no stack
mesh 2,23

25
vlan 1
name "DEFAULT_VLAN"
untagged 1,3-22,24
ip address dhcp-bootp
tagged Mesh
exit
vlan 10
name "VLAN10"
ip address 10.1.1.13 255.255.255.0
tagged Mesh
exit
vlan 20
name "VLAN20"
tagged Mesh
no ip address
exit

hostname "Provision-Switch4"
no stack
mesh 2,47
vlan 1
name "DEFAULT_VLAN"
untagged 1,3-46,48
ip address dhcp-bootp
tagged Mesh
exit
vlan 10
name "VLAN10"
tagged Mesh
no ip address
exit
vlan 20
name "VLAN20"
tagged Mesh
no ip address
exit

NOTE:
It is not recommended to mix legacy meshing switches (such as, 3400, 5300, and so on) with current
switches running VRRP and meshing. When a VRRP failover occurs it could take up to 90 seconds for
the legacy switches in the mesh to recognize the location of the new VIP.

26
VRRP in Conjunction with a Routing Protocol
VRRP is a first hop router redundancy protocol. It is used at the edge of the network where end
user devices like servers, desktops, and printers reside. Router interfaces that have VRRP enabled
generally do not have routing protocols (like BGP, OSPF, RIP) also simultaneously enabled.
Running a routing protocol on an interface that also has VRRP running is generally discouraged.
If possible, a separate link or VLAN should be configured to avoid this type of design.
Best Practice: In the case where a routing protocol and VRRP must be run on the same interface,
all VRRP routers should be configured as Backup routers. When a router is configured as Owner,
the Owner IP address also becomes the same IP address that other routers form adjacencies with.
When a failover occurs, the new owner address is transferred to the standby and causes the
routing protocol to fail. When all VRRP routers are configured as Backup, routing protocol
adjacencies are only established between the actual physical addresses of the interface and not
the VRRP VIP (Virtual IP Address).
In the configuration below, no VRRP router has been configured as the Owner. In other words,
the VIP is not a physical address on any interface. Consequently, any routing protocol
adjacencies are formed with the actual physical address of the interface and never with the VIP.
The Master has been assigned as Switch 2 by explicitly setting the priorities of both switches.
Sample Config:
Switch 1

interface Vlan-interface20
ip address 20.1.1.2 255.255.255.0
vrrp vrid 20 virtual-ip 20.1.1.1
vrrp vrid 20 priority 110

Switch 2
interface Vlan-interface20
ip address 20.1.1.3 255.255.255.0
vrrp vrid 20 virtual-ip 20.1.1.1
vrrp vrid 20 priority 254

Switch 1
vlan 20
name "VLAN20"
ip address 20.1.1.2 255.255.255.0
tagged 1-2
exit
router vrrp
enable
exit
vlan 20
vrrp vrid 20
backup

27
virtual-ip-address 20.1.1.1 255.255.255.0
priority 110
enable
exit
exit

Switch 2
vlan 20
name "VLAN20"
ip address 20.1.1.3 255.255.255.0
tagged 1,23
exit
router vrrp
enable
exit
vlan 20
vrrp vrid 20
backup
virtual-ip-address 20.1.1.1 255.255.255.0
priority 254
enable
exit
exit

28
2 Troubleshooting

Overview – Basic Troubleshooting


The two most common commands used when troubleshooting VRRP are the “show/display vrrp”
command and the debug commands.

Comware:

[Comware-Switch2-Vlan-interface20]dis vrrp
IPv4 Standby Information:
Run Mode : Standard
Run Method : Virtual MAC
Total number of virtual routers : 2
Interface VRID State Run Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
Vlan10 10 Backup 100 1 None 10.1.1.1
Vlan20 20 Master 255 1 None 20.1.1.1

From the output above, this VRRP router is Backup for VRID 10 and is Master for VRID 20. We
also know that it is the Owner for VRID 20 since its priority is 255.

[Comware-Switch2-Vlan-interface20]dis vrrp statistics


Interface : Vlan-interface10
VRID : 10
CheckSum Errors : 0 Version Errors : 0
Invalid Type Pkts Rcvd : 0 Advertisement Interval Errors : 0
IP TTL Errors : 0 Auth Failures : 0
Invalid Auth Type : 0 Auth Type Mismatch : 0
Packet Length Errors : 0 Address List Errors : 0
Become Master : 1 Priority Zero Pkts Rcvd : 0
Adver Rcvd : 44676 Priority Zero Pkts Sent : 0
Adver Sent : 1948

Interface : Vlan-interface20
VRID : 20
CheckSum Errors : 0 Version Errors : 0
Invalid Type Pkts Rcvd : 0 Advertisement Interval Errors : 0
IP TTL Errors : 0 Auth Failures : 0

29
Invalid Auth Type : 0 Auth Type Mismatch : 0
Packet Length Errors : 0 Address List Errors : 0
Become Master : 1 Priority Zero Pkts Rcvd : 0
Adver Rcvd : 0 Priority Zero Pkts Sent : 0
Adver Sent : 565

To determine if a VRRP router is sending or receiving packets, run the “display vrrp statistics”
command repeatedly and watch for the “Adver Rcvd” or “Adver Sent” counter to increment.

Alternatively, consult debug logs:

<Comware-Switch2>debug vrrp packet


*Jul 26 17:42:15:453 2000 Comware-Switch2 VRRP/7/DebugPacket:
Received Advertisement message from 10.1.1.1 on Vlan-interface10.
VRID: 10 Pri: 255 Adver timer: 1 secs

*Jul 26 17:42:15:673 2000 Comware-Switch2 VRRP/7/DebugPacket:


Sent Advertisement message from Vlan-interface20
VRID: 20 Pri: 255 Adver timer: 1 secs

*Jul 26 17:42:16:543 2000 Comware-Switch2 VRRP/7/DebugPacket:


Received Advertisement message from 10.1.1.1 on Vlan-interface10.
VRID: 10 Pri: 255 Adver timer: 1 secs

*Jul 26 17:42:16:767 2000 Comware-Switch2 VRRP/7/DebugPacket:


Sent Advertisement message from Vlan-interface20
VRID: 20 Pri: 255 Adver timer: 1 secs

From the debug logs above, this VRRP router is receiving VRRP advertisements on VRID 10 and is
sending VRRP advertisements on VRID 20.

ProVision:

ProVision-Switch2(vlan-20-vrid-20)# show vrrp

VRRP Global Statistics Information

VRRP Enabled : Yes


Protocol Version : 2
Invalid VRID Pkts Rx : 0
Checksum Error Pkts Rx : 0
Bad Version Pkts Rx : 0
Virtual Routers Respond To Ping Requests : Yes

30
VRRP Virtual Router Statistics Information

Vlan ID : 10
Virtual Router ID : 10
State : Backup
Up Time : 72 mins
Virtual MAC Address : 00005e-00010a
Master's IP Address : 10.1.1.1
Associated IP Addr Count : 1 Near Failovers : 0
Advertise Pkts Rx : 9226439 Become Master : 11
Zero Priority Rx : 5 Zero Priority Tx : 2
Bad Length Pkts : 0 Bad Type Pkts : 0
Mismatched Interval Pkts : 134636 Mismatched Addr List Pkts : 0
Mismatched IP TTL Pkts : 0 Mismatched Auth Type Pkts : 0

VRRP Virtual Router Statistics Information

Vlan ID : 20
Virtual Router ID : 20
State : Master
Up Time : 6 mins
Virtual MAC Address : 00005e-000114
Master's IP Address : 20.1.1.1
Associated IP Addr Count : 1 Near Failovers : 0
Advertise Pkts Rx : 0 Become Master : 1
Zero Priority Rx : 0 Zero Priority Tx : 0
Bad Length Pkts : 0 Bad Type Pkts : 0
Mismatched Interval Pkts : 0 Mismatched Addr List Pkts : 23
Mismatched IP TTL Pkts : 0 Mismatched Auth Type Pkts : 0

From the output above, this VRRP router is in the Backup state for VRID 10 and in the Master State
for VRID 20. To determine if a VRRP is receiving packets watch for the “Advertise Pkts RX” counter
to increment.

ProVision-Switch2(vlan-20-vrid-20)# debug vrrp


ProVision-Switch2(vlan-20-vrid-20)#
0027:00:39:43.81 VRRP eVrrpPSEND:Sending VRRP Packet:
0027:00:39:43.87 VRRP eVrrpPSEND:Version and Pkt type 21, Vrid 20, Priority 255,
IP address count 1
0027:00:39:43.98 VRRP eVrrpPSEND:Auth type 0, Advt interval 1, Checksum cae6
0027:00:39:44.06 VRRP eVrrpPSEND:Pkt IP address 1 = 20.1.1.1

0027:00:39:44.81 VRRP eVrrpPSEND:Sending VRRP Packet:


0027:00:39:44.87 VRRP eVrrpPSEND:Version and Pkt type 21, Vrid 20, Priority 255,
IP address count 1

31
0027:00:39:44.98 VRRP eVrrpPSEND:Auth type 0, Advt interval 1, Checksum cae6
0027:00:39:45.06 VRRP eVrrpPSEND:Pkt IP address 1 = 20.1.1.1

Use debug logging (above) to determine if a VRRP router is sending VRRP advertisements.

32
3 Configuration Issues

VRRP is not enabled globally.

Reason:
On Provision platforms, VRRP is controlled at the global level. By default, VRRP is globally
disabled. This allows a network administrator to completely configure VRRP and then activate
after it is completely configured.

Troubleshoot:
Provision:
ProVision-Switch1(config)# show vrrp

VRRP Global Statistics Information

VRRP Enabled : No

Virtual Routers Respond To Ping Requests : No

Solution:
Activate VRRP globally.

ProVision:
ProVision-Switch1(config)# router vrrp enable

Verify:
ProVision-Switch1(config)# show vrrp

VRRP Global Statistics Information

VRRP Enabled : Yes


Protocol Version : 2
Invalid VRID Pkts Rx : 0
Checksum Error Pkts Rx : 0

33
Bad Version Pkts Rx : 0
Virtual Routers Respond To Ping Requests : No

VRRP Virtual Router Statistics Information

Vlan ID : 10
Virtual Router ID : 10
State : Master
Up Time : 23 hours
Virtual MAC Address : 00005e-00010a
Master's IP Address : 10.1.1.1
Associated IP Addr Count : 1 Near Failovers : 0
Advertise Pkts Rx : 0 Become Master : 1
Zero Priority Rx : 0 Zero Priority Tx : 0
Bad Length Pkts : 0 Bad Type Pkts : 0
Mismatched Interval Pkts : 0 Mismatched Addr List Pkts : 0
Mismatched IP TTL Pkts : 0 Mismatched Auth Type Pkts : 0

VRRP does not appear to be sending VRRP packets.


Comware:
<Comware-Switch1>dis vrrp statistics
Interface : Vlan-interface10
VRID : 10
CheckSum Errors : 0 Version Errors : 0
Invalid Type Pkts Rcvd : 0 Advertisement Interval Errors : 0
IP TTL Errors : 0 Auth Failures : 0
Invalid Auth Type : 0 Auth Type Mismatch : 0
Packet Length Errors : 0 Address List Errors : 0
Become Master : 4 Priority Zero Pkts Rcvd : 0
Adver Rcvd : 0 Priority Zero Pkts Sent : 3
Adver Sent : 1405822

VRRP is not enabled for a VRID. VRID is stuck in


the Initialize state (ProVision)

Reason:
On Provision platforms, VRRP is enabled/disabled at the VRID level. By default, the VRID is
disabled.

34
Troubleshoot:
ProVision-Switch1(vlan-10)# show vrrp

VRRP Global Statistics Information

VRRP Enabled : Yes


Protocol Version : 2
Invalid VRID Pkts Rx : 0
Checksum Error Pkts Rx : 0
Bad Version Pkts Rx : 0
Virtual Routers Respond To Ping Requests : No

VRRP Virtual Router Statistics Information

Vlan ID : 10
Virtual Router ID : 10
State : Initialize
Up Time : 0 secs
Virtual MAC Address : 00005e-00010a
Master's IP Address :
Associated IP Addr Count : 1 Near Failovers : 0
Advertise Pkts Rx : 0 Become Master : 1
Zero Priority Rx : 0 Zero Priority Tx : 1
Bad Length Pkts : 0 Bad Type Pkts : 0
Mismatched Interval Pkts : 0 Mismatched Addr List Pkts : 0
Mismatched IP TTL Pkts : 0 Mismatched Auth Type Pkts : 0

The VRID will be stuck in the Initialize state.

Solution:
Enable VRRP on the VRID.

ProVision-Switch1(vlan-10)# vrrp vrid 10 enable

Verify:
If VRRP has been configured correctly the VRID will transition from Initialize to Standby or Master.

ProVision-Switch1(vlan-10)# show vrrp

VRRP Global Statistics Information

35
VRRP Enabled : Yes
Protocol Version : 2
Invalid VRID Pkts Rx : 0
Checksum Error Pkts Rx : 0
Bad Version Pkts Rx : 0
Virtual Routers Respond To Ping Requests : No

VRRP Virtual Router Statistics Information

Vlan ID : 10
Virtual Router ID : 10
State : Master
Up Time : 24 secs
Virtual MAC Address : 00005e-00010a
Master's IP Address : 10.1.1.1
Associated IP Addr Count : 1 Near Failovers : 0
Advertise Pkts Rx : 0 Become Master : 2
Zero Priority Rx : 0 Zero Priority Tx : 1
Bad Length Pkts : 0 Bad Type Pkts : 0
Mismatched Interval Pkts : 0 Mismatched Addr List Pkts : 0
Mismatched IP TTL Pkts : 0 Mismatched Auth Type Pkts : 0

VRRP is not enabled for a VRID. VRID is stuck in


Initialize state (Comware)

Reason:
On Comware, VRRP has not been configured correctly. VRRP will not begin sending packets until
it is completely (and correctly) configured.

Troubleshoot:
[Comware-Switch1-Vlan-interface10]dis vrrp
IPv4 Standby Information:
Run Mode : Standard
Run Method : Virtual MAC
Total number of virtual routers : 2
Interface VRID State Run Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------

36
Vlan10 10 Initialize 100 1 None 10.1.10.1
Vlan20 20 Backup 110 1 None 20.1.1.1

Solution:
On Comware platforms, no consistency check is done to ensure that the Virtual IP that is
configured corresponds to a subnet that physically exists on the interface.

In this example, interface VLAN10 has been configured with an physical IP address of
10.1.1.1/24 and a virtual-ip address of 10.1.10.1.

[Comware-Switch1-Vlan-interface10]dis this
#
interface Vlan-interface10
ip address 10.1.1.1 255.255.255.0
vrrp vrid 10 virtual-ip 10.1.10.1
#
Return

When configuring VRRP, an error was made, however the CLI does not check to make sure that
the physical IP address and Virtual-IP address exist in the same network. Instead, VRRP will sit in
an Initializing state, since it has not been completely and correctly configured. On ProVision
platforms, the CLI will check for consistency of the Virtual-IP and will not let the user configure a
mismatched IP.

When Disabling or Removing VRRP from the


Owner, Duplicate IP Addresses are logged.
When disabling or reconfiguring VRRP on the Owner router, the switch log indicates that a
duplicate IP address is detected, this could cause workstations on the subnet to send traffic to the
wrong default gateway.

Troubleshoot:
Comware:

[Comware-Switch1-Vlan-interface10]vrrp vrid 10 virtual-ip 10.


%Jun 29 17:43:06:880 2000 Comware-Switch1 ARP/5/ARP_DUPIFIP: Duplicate address
10.1.1.1 on interface Vlan-interface10, sourced from 0000-5e00-010a.

37
%Jun 29 17:43:11:881 2000 Comware-Switch1 ARP/5/ARP_DUPIFIP: Duplicate address
10.1.1.1 on interface Vlan-interface10, sourced from 0000-5e00-010a.

Reason: This is correct and expected behavior. When VRRP is disabled or


unconfigured on the Master, the Standby takes ownership of the virtual IP but the
Wwner still has the same IP address configured on a physical interface.

Switch 1

interface Vlan-interface10
ip address 10.1.1.1 255.255.255.0
vrrp vrid 10 virtual-ip 10.1.10.1

Switch 2

interface Vlan-interface10
ip address 10.1.1.2 255.255.255.0
vrrp vrid 10 virtual-ip 10.1.1.1

In the scenario above, if VRRP was disabled or unconfigured on switch 1. Switch 2 would take
ownership of the Virtual IP – 10.1.1.1 and begin responding to arps to this IP address. Switch 1
also owns that IP, as the IP address of its physical interface, and it too will respond to arps on this
IP address. This causes the duplicate IP address messages. When workstations on the
10.1.1.0/24 network arp for 10.1.1.1 it is possible that some of the workstations could learn the
MAC address of the physical interface of VLAN 10 on Switch 1, rather than the MAC address of
the Virtual IP Address. This could cause interruptions in connectivity for those workstations if
further changes are made on Switch 1 (such as rebooting the switch or reconfiguring the switch).

Solution:
Two Methods:
1. Disable the 10.1.1.1 physical address on Switch 1 before disabling VRRP. This can be
done by disabling the interface(s) or the VLAN that the physical address is bound to.
2. Configure VRRP so that no router is the Owner, and that Master is chosen by the Priority.
This is described in the section above titled “VRRP in Conjunction with a Routing Protocol”.
When configured in this way, the Virtual IP never exists as a physical IP address.

NOTE:
This same issue can occur on ProVision platforms, however no logging will occur. ProVision does not
support duplicate IP address detection in this situation.

38
More than one router in a VRRP VRID is claiming
to be Master.
Reason:
The VRRP advertisement interval is not the same among all the routers in the VRID. All routers in
the same VRID must have identical VRRP advertisement intervals.

Troubleshoot:
Observe from show/display commands that both routers are in the Master state. Consult the vent
log and observe error messages regarding mismatched VRRP intervals. Using show/display
commands observe that advertisement intervals are different amongst routers in the VRID.

Comware:
<Comware-Switch1>dis vrrp
IPv4 Standby Information:
Run Mode : Standard
Run Method : Virtual MAC
Total number of virtual routers : 2
Interface VRID State Run Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
Vlan10 10 Master 255 60 None 10.1.1.1

<Comware-Switch2>dis vrrp
IPv4 Standby Information:
Run Mode : Standard
Run Method : Virtual MAC
Total number of virtual routers : 2
Interface VRID State Run Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
Vlan10 10 Master 100 10 None 10.1.1.1

[Comware-Switch1]dis logbuffer reverse


%Jun 30 22:52:32:098 2000 Comware-Switch1 VRRP/5/VRRP_CONFIG_ERROR: The IPv4
virtual router 10 (configured on Vlan-interface10) detected a VRRP configuration
error: ADVERTISEMENT INTERVAL ERROR.

Provision:

ProVision-Switch1(vlan-10-vrid-10)# show vrrp

39
VRRP Global Statistics Information

VRRP Enabled : Yes


Protocol Version : 2
Invalid VRID Pkts Rx : 0
Checksum Error Pkts Rx : 0
Bad Version Pkts Rx : 0
Virtual Routers Respond To Ping Requests : No

VRRP Virtual Router Statistics Information

Vlan ID : 10
Virtual Router ID : 10
State : Master
Up Time : 30 mins
Virtual MAC Address : 00005e-00010a
Master's IP Address : 10.1.1.1
Associated IP Addr Count : 1 Near Failovers : 0
Advertise Pkts Rx : 0 Become Master : 4
Zero Priority Rx : 0 Zero Priority Tx : 3
Bad Length Pkts : 0 Bad Type Pkts : 0
Mismatched Interval Pkts : 2036 Mismatched Addr List Pkts : 14
Mismatched IP TTL Pkts : 0 Mismatched Auth Type Pkts : 0

ProVision-Switch1(vlan-10-vrid-10)# show vrrp config

VRRP Global Configuration Information

VRRP Enabled : Yes


Traps Enabled : Yes
Virtual Routers Respond To Ping Requests : No
VRRP Nonstop Enabled : No

VRRP Virtual Router Configuration Information

VLAN ID : 10
Virtual Router ID : 10

Administrative Status [Disabled] : Enabled


Mode [Uninitialized] : Owner
Priority [100] : 255
Advertisement Interval [1] : 60

40
Preempt Mode [True] : True
Preempt Delay Time [0] : 0
Respond To Virtual IP Ping Requests [Yes] : Yes
Primary IP Address : Lowest

IP Address Subnet Mask


--------------- ---------------
10.1.1.1 255.255.255.0

ProVision-Switch2# show vrrp

VRRP Global Statistics Information

VRRP Enabled : Yes


Protocol Version : 2
Invalid VRID Pkts Rx : 0
Checksum Error Pkts Rx : 0
Bad Version Pkts Rx : 0
Virtual Routers Respond To Ping Requests : No

VRRP Virtual Router Statistics Information

Vlan ID : 10
Virtual Router ID : 10
State : Master
Up Time : 13 days
Virtual MAC Address : 00005e-00010a
Master's IP Address : 10.1.1.2
Associated IP Addr Count : 1 Near Failovers : 0
Advertise Pkts Rx : 97357 Become Master : 7
Zero Priority Rx : 5 Zero Priority Tx : 0
Bad Length Pkts : 0 Bad Type Pkts : 0
Mismatched Interval Pkts : 31 Mismatched Addr List Pkts : 0
Mismatched IP TTL Pkts : 0 Mismatched Auth Type Pkts : 0

ProVision-Switch2# show vrrp config

VRRP Global Configuration Information

VRRP Enabled : Yes


Traps Enabled : Yes
Virtual Routers Respond To Ping Requests : No
VRRP Nonstop Enabled : No

41
VRRP Virtual Router Configuration Information

VLAN ID : 10
Virtual Router ID : 10

Administrative Status [Disabled] : Enabled


Mode [Uninitialized] : Backup
Priority [100] : 100
Advertisement Interval [1] : 1
Preempt Mode [True] : True
Preempt Delay Time [0] : 0
Respond To Virtual IP Ping Requests [Yes] : Yes
Primary IP Address : Lowest

IP Address Subnet Mask


--------------- ---------------
10.1.1.1 255.255.255.0

ProVision-Switch1(vlan-10-vrid-10)# show log -r


Keys: W=Warning I=Information
M=Major D=Debug E=Error
---- Reverse event Log listing: Events Since Boot ----
W 05/16/12 00:03:04 00780 vrrp: Vrid 10, Vid 10 recd pkt with advt int
mismatch(2602)

Solution:
Correct the mismatched advertisement intervals. Verify using show/display commands that
correct routers are now in the Master and Backup state.

More than one router in a VRRP VRID is claiming


to be Master.
Reason:
VRRP authentication is configured on one of the routers, but not other routers in the VRID.
(Comware only).

Troubleshoot:
First verify that all routers are in the Master state:
42
Comware:

<Comware-Switch1>dis vrrp
IPv4 Standby Information:
Run Mode : Standard
Run Method : Virtual MAC
Total number of virtual routers : 2
Interface VRID State Run Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
Vlan10 10 Master 255 1 Simple 10.1.1.1

[Comware-Switch2-Vlan-interface10]dis vrrp
IPv4 Standby Information:
Run Mode : Standard
Run Method : Virtual MAC
Total number of virtual routers : 2
Interface VRID State Run Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
Vlan10 10 Master 100 1 None 10.1.1.1

Consult the event log.

%Jul 2 18:21:53:473 2000 Comware-Switch1 VRRP/5/VRRP_AUTH_FAILED: Authentication


failed in IPv4 virtual router 10 (configured on Vlan-interface10): authentication
type mismatch.

Solution:
Ensure that authentication is consistently applied across all routers in the VRID.

More than one router in a VRRP VRID is claiming


to be Master.
Reason:
Different VRRP passwords are configured between routers in the VRID. (Comware only).

43
Troubleshoot:
First verify that all routers are in the Master state:

Comware:

<Comware-Switch1>dis vrrp
IPv4 Standby Information:
Run Mode : Standard
Run Method : Virtual MAC
Total number of virtual routers : 2
Interface VRID State Run Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
Vlan10 10 Master 255 1 Simple 10.1.1.1

[Comware-Switch2-Vlan-interface10]dis vrrp
IPv4 Standby Information:
Run Mode : Standard
Run Method : Virtual MAC
Total number of virtual routers : 2
Interface VRID State Run Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
Vlan10 10 Master 100 1 Simple 10.1.1.1

Consult the event log .

%Jul 2 20:39:03:951 2000 Comware-Switch1 VRRP/5/VRRP_AUTH_FAILED: Authentication


failed in IPv4 virtual router 10 (configured on Vlan-interface10): failed to
authenticate.

Determine if the same password is configured for all routers in the vrid:
[Comware-Switch1-Vlan-interface10]dis this
#
interface Vlan-interface10
ip address 10.1.1.1 255.255.255.0
vrrp vrid 10 virtual-ip 10.1.1.1
vrrp vrid 10 authentication-mode simple test
#

[Comware-Switch2-Vlan-interface10]dis this
#
interface Vlan-interface10
ip address 10.1.1.2 255.255.255.0
vrrp vrid 10 virtual-ip 10.1.1.1

44
vrrp vrid 10 authentication-mode simple test1
#

Solution:
Ensure that authentication is consistently applied across all routers in the VRID.

More than one router in a VRRP VRID is claiming


to be Master.
Reason:
The layer 2 path between the two routers is down or misconfigured. Since the Backup routers do
not see VRRP packets from the Master, they both declare themselves Master. This can be due to:

• Tagging on ports is inconsistent or misconfigured. For example, Switch 1 has VIP 10.1.1.1
configured on VLAN 10, but Switch 2 has been misconfigured with VIP 10.1.1.1 on VLAN
11. Since the routers do not see VRRP packets on the correct VLAN, they both declare
themselves as Master.
• Bad cabling is preventing communication between the two routers.
• An interface has been disabled.
• A port, switch, module, or cable has failed, causing the two VRRP routers to lose
communication with each other.

Troubleshoot:
Using “show/display” commands and support tools like “ping” to verify that VLANs are
configured correctly and that no layer 1 outages exist.

Solution:
Ensure that VRRP routers are able to communicate with each other.

45
4 Environmental Issues

More than one router in a VRRP VRID is claiming


to be Master. This is occurring intermittently.

Reason:
The CPU of VRRP router is elevated, causing VRRP packets to not be processed or sent in a timely
manner.

Troubleshoot:
Comware:

On routers that should be in Standby look for a high number of transitions into the Master state.

<Comware-Switch2>dis vrrp statistics


Interface : Vlan-interface10
VRID : 10
CheckSum Errors : 0 Version Errors : 0
Invalid Type Pkts Rcvd : 0 Advertisement Interval Errors : 2760
IP TTL Errors : 0 Auth Failures : 3412
Invalid Auth Type : 0 Auth Type Mismatch : 5354
Packet Length Errors : 0 Address List Errors : 0
Become Master : 915 Priority Zero Pkts Rcvd : 4
Adver Rcvd : 2875620 Priority Zero Pkts Sent : 3
Adver Sent : 30379

In the example above this router has become the Master 915 times. If these transitions were
unplanned, this likely indicates that something is causing VRRP packets to not be sent correctly or
to processed incorrectly.

On all routers in the VRRP group, observe CPU utilization.

<Comware-Switch2>dis cpu-usage
Slot 2 CPU usage:
90% in last 5 seconds
80% in last 1 minute

46
75% in last 5 minutes

Slot 2 CPU 1 CPU usage:


0% in last 5 seconds
0% in last 1 minute
0% in last 5 minutes

When a device has high CPU utilization, more than 60%, this device could be causing instability
with VRRP. Potential sources of high CPU usage are Spanning Tree, Meshing, Routing Protocols,
Authentication, and Management. Check these features for abnormal behavior. Check your
Event Log for any reported issues.

ProVision:
On routers that should be in Standby look for a high number of transitions into the Master state.
ProVision-Switch2# show vrrp

VRRP Global Statistics Information

VRRP Enabled : Yes


Protocol Version : 2
Invalid VRID Pkts Rx : 0
Checksum Error Pkts Rx : 0
Bad Version Pkts Rx : 0
Virtual Routers Respond To Ping Requests : No

VRRP Virtual Router Statistics Information

Vlan ID : 10
Virtual Router ID : 10
State : Master
Up Time : 22 days
Virtual MAC Address : 00005e-00010a
Master's IP Address : 10.1.1.2
Associated IP Addr Count : 1 Near Failovers : 2034
Advertise Pkts Rx : 97357 Become Master : 915
Zero Priority Rx : 5 Zero Priority Tx : 0
Bad Length Pkts : 0 Bad Type Pkts : 0
Mismatched Interval Pkts : 13165 Mismatched Addr List Pkts : 0
Mismatched IP TTL Pkts : 0 Mismatched Auth Type Pkts : 0

In the example above, this router has become the Master 915 times. If these transitions were
unplanned, this likely indicates that something is causing VRRP packets to not be sent correctly or
to processed incorrectly.

47
Also helpful is the “Near Failovers” statistic. A “near failover” is one that is within one missed
VRRP advertisement packet of beginning the Master determination process. This statistic tells you
how many times you came to the brink of a failover, but did not failover. It is a very good
indicator of potential problems with VRRP.
On all routers in the VRRP group, observe CPU utilization.

ProVision-Switch2# show cpu

75 percent busy, from 300 sec ago


1 sec ave: 90 percent busy
5 sec ave: 90 percent busy
1 min ave: 80 percent busy

If a device has high CPU utilization, more than 60%, this device could be causing instability with
VRRP. Potential sources of high CPU usage are Spanning Tree, Meshing, Routing Protocols,
Authentication, and Management. Check these features for abnormal behavior. Check your Event
Log for any reported issues.

More than one router in a VRRP VRID is claiming


to be Master. This is occurring intermittently.

Reason:
A port is flapping.

Troubleshoot:
Comware:
On routers that should be in Standby look for a high number of transitions into the Master state.

<Comware-Switch2>dis vrrp statistics


Interface : Vlan-interface10
VRID : 10
CheckSum Errors : 0 Version Errors : 0
Invalid Type Pkts Rcvd : 0 Advertisement Interval Errors : 2760
IP TTL Errors : 0 Auth Failures : 3412
Invalid Auth Type : 0 Auth Type Mismatch : 5354
Packet Length Errors : 0 Address List Errors : 0
Become Master : 915 Priority Zero Pkts Rcvd : 4
Adver Rcvd : 2875620 Priority Zero Pkts Sent : 3
Adver Sent : 30379

48
In the example above, this router has become the Master 915 times. If these transitions were
unplanned, this likely indicates that something is causing VRRP packets to not be sent correctly or
to processed incorrectly.

ProVision:
On routers that should be in Standby look for a high number of transitions into the Master state.
ProVision-Switch2# show vrrp

VRRP Global Statistics Information

VRRP Enabled : Yes


Protocol Version : 2
Invalid VRID Pkts Rx : 0
Checksum Error Pkts Rx : 0
Bad Version Pkts Rx : 0
Virtual Routers Respond To Ping Requests : No

VRRP Virtual Router Statistics Information

Vlan ID : 10
Virtual Router ID : 10
State : Master
Up Time : 22 days
Virtual MAC Address : 00005e-00010a
Master's IP Address : 10.1.1.2
Associated IP Addr Count : 1 Near Failovers : 2034
Advertise Pkts Rx : 97357 Become Master : 915
Zero Priority Rx : 5 Zero Priority Tx : 0
Bad Length Pkts : 0 Bad Type Pkts : 0
Mismatched Interval Pkts : 13165 Mismatched Addr List Pkts : 0
Mismatched IP TTL Pkts : 0 Mismatched Auth Type Pkts : 0

In the example above, this router has become the Master 915 times. If these transitions were
unplanned, this likely indicates that something is causing VRRP packets to not be sent correctly or
to process incorrectly.
Also helpful is the “Near Failovers” statistic. A “near failover” is one that is within one missed
VRRP advertisement packet of beginning the Master determination process. This statistic tells you
how many times you came to the brink of a failover, but did not failover. It is a very good
indicator of potential problems that could impact VRRP.
A likely cause is a flapping port. A flapping port can be caused by bad cabling or failing
hardware. The intermittent connectivity caused by the flapping port can cause VRRP routers to
mistakenly believe that they should become master.

49
A flapping port anywhere in your Layer-2 network (not just your VRRP routers) can cause
connectivity issues. Flapping ports can cause topology notifications in Spanning tree which in turn
can block and unblock ports, causing VRRP packets to be discarded or delayed. On each
switch/router in your Layer-2 network look for evidence of a flapping interface in the event log.

[Comware-Switch1]dis logbuffer reverse


%Jul 10 21:28:15:837 2000 Comware-Switch1 IFNET/3/LINK_UPDOWN: GigabitEthernet1/0/1
link status is UP.
%Jul 10 21:28:05:159 2000 Comware-Switch1 IFNET/3/LINK_UPDOWN: GigabitEthernet1/0/1
link status is DOWN.
%Jul 10 21:27:59:539 2000 Comware-Switch1 IFNET/3/LINK_UPDOWN: GigabitEthernet1/0/1
link status is UP.
%Jul 10 21:27:50:353 2000 Comware-Switch1 IFNET/3/LINK_UPDOWN: GigabitEthernet1/0/1
link status is DOWN.
%Jul 10 21:27:43:426 2000 Comware-Switch1 IFNET/3/LINK_UPDOWN: GigabitEthernet1/0/1
link status is UP.
%Jul 10 21:27:34:128 2000 Comware-Switch1 IFNET/3/LINK_UPDOWN: GigabitEthernet1/0/1
link status is DOWN.
%Jul 10 21:26:59:889 2000 Comware-Switch1 IFNET/3/LINK_UPDOWN: GigabitEthernet1/0/1
link status is UP.
%Jul 10 21:25:21:355 2000 Comware-Switch1 IFNET/3/LINK_UPDOWN: GigabitEthernet1/0/1
link status is DOWN.
%Jul 10 21:25:05:710 2000 Comware-Switch1 IFNET/3/LINK_UPDOWN: GigabitEthernet1/0/1
link status is UP.
%Jul 10 21:24:53:504 2000 Comware-Switch1 IFNET/3/LINK_UPDOWN: GigabitEthernet1/0/1
link status is DOWN.
%Jul 10 21:24:52:725 2000 Comware-Switch1 IFNET/3/LINK_UPDOWN: GigabitEthernet1/0/1
link status is UP.
%Jul 10 21:24:41:785 2000 Comware-Switch1 IFNET/3/LINK_UPDOWN: GigabitEthernet1/0/1
link status is DOWN.

ProVision-Switch1(eth-1)# show log -r


Keys: W=Warning I=Information
M=Major D=Debug E=Error
---- Reverse event Log listing: Events Since Boot ----
I 05/29/12 18:43:35 00076 ports: port 1 is now on-line
I 05/29/12 18:43:26 00077 ports: port 1 is now off-line
I 05/29/12 18:43:25 00076 ports: port 1 is now on-line
I 05/29/12 18:43:17 00077 ports: port 1 is now off-line
I 05/29/12 18:43:14 00076 ports: port 1 is now on-line
I 05/29/12 18:41:52 00077 ports: port 1 is now off-line
I 05/29/12 18:41:41 00076 ports: port 1 is now on-line
I 05/29/12 18:41:34 00077 ports: port 1 is now off-line
I 05/29/12 18:41:33 00076 ports: port 1 is now on-line
I 05/29/12 18:41:15 00077 ports: port 1 is now off-line
I 05/29/12 18:41:14 00076 ports: port 1 is now on-line
I 05/29/12 18:40:56 00077 ports: port 1 is now off-line
I 05/29/12 18:40:55 00076 ports: port 1 is now on-line

50
5 VRRP Behavior

VRRP Backup routers are not sending VRRP


packets.
Even though VRRP appears to be configured correctly only the Master router is sending VRRP
packets, Backup routers are not sending VRRP packets. VRRP appears to be running correctly.

Reason:
This is expected and correct behavior. In VRRP, a Master router is the only router that sends VRRP
advertisement packets. Standby routers listen for the absence of advertisement packets, and then
take over the Master state when 3 advertisement packets are not received.

When a VRRP Backup Router transitions to the


Master state, the VIP cannot be pinged.
(ProVision)

Reason:
This is expected and correct behavior. According to the RFC 3768 (VRRP) when a non-Owner
router becomes the Master it should not respond to ICMP pings directed to the VIP. This allows
network monitoring software to detect a failure of the Owner router. Even though the VIP doesn’t
respond to ping requests it is still able to act as the default gateway and route traffic.

Troubleshoot (Determine that new Master router is up):


Often during a failure of the Owner router, you will want to ensure that the new Master router is
online and routing traffic. Since the new Master router does not respond to pings, you can use
the method below to determine if the new Master is online and responding.

Even though the new Master does not respond to pings, it will respond to arps.

51
On a switch that is directly connected to the new Master router do the following:

1. ProVision-Switch3(config)# clear arp


This will clear all entries from the arp table of the current switch.

2. ProVision-Switch3(config)# ping 10.1.1.1


Request timed out.
As expected, the ping should fail.
3. ProVision-Switch3(config)# show arp

IP ARP table

IP Address MAC Address Type Port


--------------- ----------------- ------- ----
10.1.1.1 00005e-00010a dynamic 23

Even though the new Master router does not respond to pings, it is up and running since it is
responding to arp requests. Verify that the port listed is also the port that connects to the new
Master router. The OUI (Object Unit Identifier – the first 3 octets of a MAC address) of all VRRP
mac addresses is 00005e. If the MAC address of the VIP show above does not start with
00005e, then it is likely that a rogue device has inserted itself and is claiming to be the default
gateway.

Solution:
By default ProVision switches conform to the RFC and non-Owner switches do not respond to
ICMP pings, it is possible to enable this behavior. ProVision switches offer a feature to allow non-
Owner switches to respond to pings when they become master. This command is “router vrrp
virtual-ip-ping”.

NOTE:
Comware allows pinging of a non-owner VIP without any special configuration.

52

You might also like