Assuming you're running VRRP in Monitor Circuit mode with Site1 as the Master and Site2 as Backup: you should have at least 3 IP addresses externally - the virtual IP address (currently active on Site1 - but not pingable by default), an external IP address on Site1 and an external IP address on Site2 - both pingable assuming your CP policy allows.

I would first monitor for the ICMP traffic - the easiest way is to do a tcpdump. This will pick up packets before CP. I don't know what Nokia box you have, but let's assume it's on the eth-s1p1 interface, let's also assume that there isn't much traffic. From the command line at the Site2 firewall issue:

    tcpdump -ieth-s1p1

This will report all the traffic coming in/out of this interface. You should see the VRRP polls - these will have the source IP of Site1 firewall's external IP address and the destination IP of 224.0.0.18 with an IP protoID of 118 by default every 1s. You should also see the ICMP Echo Req coming in.

If you don't see the ICMP Echo Req then I suggest you verify your routing.

Secondly, to verify the state of your VRRP, again from the command line issue the command:

    iclid

This takes you into a rudimentary CLI. For a quick summary of the VRRP status issue:

    Sneezy> show vrrp
    VRRP State
    Flags: On
    1 interface enabled
    1 virtual routers configured
    0 in Init state
    0 in Backup state
    1 in Master state

Your box should be in 'Backup state' - if it is not then you have problems. This is normally an indication that it is not observing the VRRP Hello (the polls every second) or it is misconfigured.

To get more information about the state issue the following:

    Sneezy> sh vrrp interface
    VRRP Interfaces
    Interface Internet
      Number of virtual routers: 1
      Flags: MonitoredCircuitMode
      Authentication: NoAuthentication
      VRID 2
        State: Master
        Time since transition: 12608
        BasePriority: 150
        Effective Priority: 150
        Master transitions: 1
        Flags:
        Advertisement interval: 1
        Router Dead Interval: 3
        VMAC Mode: VRRP
        VMAC: 00:00:5e:00:01:02
        Primary address: 200.0.0.254
        Next advertisement: 1
        Number addresses: 1
          200.0.0.2
        Monitored circuits:
          Private (priority 100)

From this you should be able to establish what is going on...

Type 'quit' to exit the iclid.

Finally, to monitor VRRP transition you can run a very simple script from the command prompt:

    sh
    while true
    do
        echo sh vrrp | iclid
        sleep 1
    done

Hence if you run this at Site2 firewall and you block the VRRP Hello protocol, after missing 3 VRRP Hellos Site2 should transition from Backup to Master.

Regards Derin
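
A variant of the polling loop above that prints a timestamped line only when the state changes, which makes a failover test easier to read than one summary per second. This is an added example, not part of the original post; the function names `vrrp_state` and `watch_vrrp` and the sample text are constructed here, and it assumes the `show vrrp` summary has the layout shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post).

# Sample summary, constructed to match the "show vrrp" output in the post.
SAMPLE_MASTER='VRRP State
Flags: On
1 interface enabled
1 virtual routers configured
0 in Init state
0 in Backup state
1 in Master state'

# vrrp_state: read "show vrrp" text on stdin and print the one state whose
# virtual-router count is non-zero (Init, Backup or Master). Prints "Mixed"
# if several states are non-zero and "Unknown" if no state line is non-zero.
vrrp_state() {
    awk '
        $1 ~ /^[0-9]+$/ && $2 == "in" && $4 == "state" && $1 > 0 {
            found = (found == "") ? $3 : "Mixed"
        }
        END {
            if (found == "") found = "Unknown"
            print found
        }
    '
}

# watch_vrrp: poll once a second, as the loop in the post does, but report
# only transitions. Assumes iclid accepts a command on stdin, as the post uses it.
watch_vrrp() {
    prev=""
    while true; do
        cur=$(echo "sh vrrp" | iclid | vrrp_state)
        if [ "$cur" != "$prev" ]; then
            echo "$(date '+%Y-%m-%d %H:%M:%S') VRRP state: ${prev:-start} -> $cur"
            prev=$cur
        fi
        sleep 1
    done
}

# Run the watcher only when asked, e.g.: sh vrrp_watch.sh watch
if [ "${1:-}" = "watch" ]; then
    watch_vrrp
fi
```

Run on the Site2 firewall during the Hello-blocking test, it should print a single Backup -> Master line once the transition happens.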