VRRP failover happens when one of the following events takes place:
-a monitored interface loses its link state
-VRRP hello packets from the master are not seen on the secondary device
-a critical Check Point service or daemon fails to report its status. This requires FW Monitoring to be turned on in Voyager. If it is turned on, a failover will also occur whenever the clock is set backwards.
To watch the VRRP advertisements on an interface:
tcpdump -nni eth1 proto VRRP
Each advertisement shows the vrid and the priority of the sender.
When a failure occurs, the failed device sends out a priority 0 message on all good interfaces. This tells the secondary to take over.
Example:
PrimaryHA-fw1[admin]# tcpdump -i eth-s1p1c0 proto vrrp
tcpdump: listening on eth-s4p2c0
00:46:11.379961 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]
00:46:12.399982 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]
00:46:13.479985 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]
00:46:14.560007 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 0 [tos 0xc0]
If both firewalls are sending VRRP advertisements but neither sees the other's packets, there could be a communication problem between the firewalls.
Also ensure that the vrid matches on both firewalls.
A proper VRRP failover usually causes only 1 or 2 lost packets.
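As an added example (not part of the original notes), the following Python script parses tcpdump VRRP advertisement lines like the ones above and flags the three indicators described here: a priority-0 advertisement from the master, a gap in hellos longer than the backup's master-down time, and a vrid that does not match the configured one. The capture it runs on is constructed from the page's sample, with the last packet delayed to show the gap check.

```python
import re
from datetime import datetime

# Matches the VRRPv2 advertisement lines tcpdump prints (format as seen on this page).
ADVER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \S+ (?P<src>[\d.]+) > 224\.0\.0\.18: "
    r"VRRPv2-adver \d+: vrid (?P<vrid>\d+) pri (?P<pri>\d+)"
)

# Constructed sample capture: three normal hellos, then (after a gap) the master
# resigns with a priority-0 advertisement.
SAMPLE_CAPTURE = """\
00:46:11.379961 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]
00:46:12.399982 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]
00:46:13.479985 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]
00:46:18.560007 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 0 [tos 0xc0]
"""

def parse_advertisements(text):
    """Return (seconds_since_midnight, src, vrid, pri) for each VRRP advertisement line."""
    out = []
    for line in text.splitlines():
        m = ADVER_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
        secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
        out.append((secs, m.group("src"), int(m.group("vrid")), int(m.group("pri"))))
    return out

def analyze(advers, expected_vrid, hello_interval=1.0):
    """Flag failover indicators in a list of parsed advertisements.

    - vrid-mismatch: the advertised vrid differs from the one configured locally
    - hello-gap: roughly 3 hello intervals with no advertisement (VRRPv2 master-down time)
    - master-resign: priority 0, the master is telling the backup to take over
    """
    findings = []
    prev_t = None
    for t, src, vrid, pri in advers:
        if vrid != expected_vrid:
            findings.append(("vrid-mismatch", t, src, vrid))
        if prev_t is not None and t - prev_t > 3 * hello_interval:
            findings.append(("hello-gap", t, src, round(t - prev_t, 3)))
        if pri == 0:
            findings.append(("master-resign", t, src, vrid))
        prev_t = t
    return findings
```

Run it on the output of `tcpdump -nni <if> proto VRRP` saved to a file, with `expected_vrid` set to the vrid configured in Voyager.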
The VRRP multicast address is 224.0.0.18.
To capture VRRP traffic (IP protocol 112) in fw monitor:
fw monitor -e "accept ip_p = 112;"
Clish
show vrrp
This shows how many virtual routers on the device are in Master and in Backup state.
Example:
PrimaryFW-A> sh vrrp
VRRP State
Flags: On
6 interface enabled
6 virtual routers configured
0 in Init state
0 in Backup state
6 in Master state
PrimaryFW-A>
PrimaryFW-A> exit
Bye.
PrimaryFW-A[admin]#
SecondaryFW-B[admin]# iclid
SecondaryFW-B> sh vrrp
VRRP State
Flags: On
6 interface enabled
6 virtual routers configured
0 in Init state
4 in Backup state
2 in Master state
SecondaryFW-B>
SecondaryFW-B> exit
show vrrp interfaces
Shows the detailed VRRP configuration per interface, including priority, hello interval, and VRID.
clish -c "show interfacemonitor"
Displays interface transitions
cphaprob -i list
Displays the Check Point critical processes (devices) that are monitored and their timeouts.
To log critical process failures:
ipsctl -w net:log:partner:status:debug 1
This logs to the console and to /var/log/messages. To turn off logging to the console:
ipsctl -w net:log:sink:console 0
To change the timeout value of a monitored process:
cphaprob -d [device] -t [timeout] -s [state] -p register