Everything you need to know about troubleshooting VRRP on Nokia Checkpoints

VRRP failover happens when one of the following events takes place:

-a monitored interface looses its link state

-VRRP hello packets from the master not seen on the secondary device

-a critical Checkpoint service or daemon fails to report its status. This requires FW Monitoring to be turned on in Voyager. If turned on, whenever the clock is set backwards, a failover will also occur.

tcpdump -nni eth1 proto VRRP

The packets will contain the vrid and priority.

When a failure occurs, the failed device sends out a priority 0 message on all good interfaces. This tells the secondary to take over.

Example:

PrimaryHA-fw1[admin]# tcpdump -i eth-s1p1c0 proto vrrp

tcpdump: listening on eth-s4p2c0

00:46:11.379961 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]

00:46:12.399982 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]

00:46:13.479985 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]

00:46:14.560007 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 0 [tos 0xc0]

If both firewalls are broadcasting vrrp, and the packets are not seen by the other firewall, there could be a communication problem between the firewalls.

Also ensure that the vrid matches on both firewalls.

Proper VRRP failovers usually only cause 1 or 2 packets lost .

VRRP multicast address is 224.0.0.18

To capture vrrp traffic in fw monitor:

fw monitor -e “accept ip_p = 112;”

Clish

show vrrp

This will show you which devices are in master and backup

Example:

PrimaryFW-A> sh vrrp

VRRP State

Flags: On

6 interface enabled

6 virtual routers configured

0 in Init state

0 in Backup state

6 in Master state

PrimaryFW-A>

PrimaryFW-A> exit

Bye.

PrimaryFW-A[admin]#

SecondaryFW-B[admin]# iclid

SecondaryFW-B> sh vrrp

VRRP State

Flags: On

6 interface enabled

6 virtual routers configured

0 in Init state

4 in Backup state

2 in Master state

SecondaryFW-B>

SecondaryFW-B> exit

show vrrp interfaces

Detailed configuration of VRRP, including priority, hello interval, and VRID

clish -c "show interfacemonitor"

Displays interface transitions

cphaprob -i list

Displays Checkpoint critical processes and their timeouts.

To log critical process failures:

ipsctl -w net:log:partner:status:debug 1

That will log to the console and to /var/log/messages. If you want to turn off:

ipsctl -w net:log:sink:console 0

To change the timeout value of a monitored process:

cphaprob -d [device] -t [timeout] -s [state] -p register