----- Original Message -----
Sent: Friday, September 06, 2002 4:32 AM
Subject: Re: [FW-1] Nokia ip400 VRRP problems
Assuming you're running VRRP in Monitored Circuit mode with Site1 as the Master and Site2 as Backup: you should have at least 3 IP addresses externally - the virtual IP address (currently active on Site1, but not pingable by default), an external IP address on Site1 and an external IP address on Site2 - both pingable assuming your CP policy allows.
I would first monitor for the ICMP traffic - the easiest way is to do a tcpdump. This will pick up packets before CP. I don't know what Nokia box you have, but let's assume it's on the eth-s1p1 interface; let's also assume that there isn't much traffic. From the command line at the Site2 firewall issue:

    tcpdump -i eth-s1p1
This will report all the traffic coming in/out of this interface. You should see the VRRP polls - these will have the source IP of the Site1 firewall's external IP address and the destination IP of 224.0.0.18 with an IP protoID of 118, by default every 1s. You should also see the ICMP Echo Requests coming in.

If you don't see the ICMP Echo Requests then I suggest you verify your routing.
Secondly, to verify the state of your VRRP, again from the command line, issue the command:

    iclid

This takes you into a rudimentary CLI. For a quick summary of the VRRP status issue:
    Sneezy> show vrrp
    VRRP State
    Flags: On
    1 interface enabled
    1 virtual routers configured
    0 in Init state
    0 in Backup state
    1 in Master state
Your box should be in 'Backup state' - if it is not then you have problems. This is normally an indication that it is not observing the VRRP Hello (the polls every second) or it is misconfigured.

To get more information about the state, issue the following:
    Sneezy> sh vrrp interface
    VRRP Interfaces
    Interface Internet
        Number of virtual routers: 1
        Flags: MonitoredCircuitMode
        Authentication: NoAuthentication
        VRID 2
            State: Master
            Time since transition: 12608
            BasePriority: 150
            Effective Priority: 150
            Master transitions: 1
            Flags:
            Advertisement interval: 1
            Router Dead Interval: 3
            VMAC Mode: VRRP
            VMAC: 00:00:5e:00:01:02
            Primary address: 200.0.0.254
            Next advertisement: 1
            Number addresses: 1
                200.0.0.2
            Monitored circuits:
                Private (priority 100)
From this you should be able to establish what is going on...

Type 'quit' to exit iclid.

Finally, to monitor VRRP transitions you can run a very simple script from the command prompt:
sh
while true
do
echo sh vrrp | iclid
sleep 1
done
Hence if you run this at the Site2 firewall and you block the VRRP Hello protocol, after missing 3 VRRP Hellos Site2 should transition from Backup to Master.

Regards,
Derin
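A polling script in the spirit of the loop above, added here as an example and not part of the original post: it wraps the `echo show vrrp | iclid` call in functions that parse the Init/Backup/Master counts and log a timestamped line only when they change, so the Backup-to-Master transition (and the moment the hellos return) ends up in a log instead of scrolling past. It assumes `iclid` is on PATH on the IPSO box; the sample `show vrrp` output is constructed from the reply above. For the tcpdump side, VRRP advertisements are IP protocol 112 per RFC 2338, so that is the number to use in a capture filter.

```shell
#!/bin/sh
# Added example (not from the original post): log VRRP state transitions on an
# IPSO firewall by polling `show vrrp` through iclid and printing a timestamped
# line only when the Init/Backup/Master counts change.
# Assumes `iclid` is on PATH. Run as:  sh vrrpwatch.sh --watch [interval]
# Without --watch the functions are only defined, so the parser can be checked
# against the constructed sample below.
#
# To watch the hellos themselves (VRRP is IP protocol 112) alongside the pings:
#   tcpdump -ni eth-s1p1 'ip proto 112 or icmp'

# Constructed sample of `show vrrp` output, modelled on the reply above.
SAMPLE_SHOW_VRRP='VRRP State
Flags: On
1 interface enabled
1 virtual routers configured
0 in Init state
0 in Backup state
1 in Master state'

# vrrp_summary: read `show vrrp` output on stdin and emit one line
# "init=N backup=N master=N" (a missing count line is reported as 0).
vrrp_summary() {
    awk '
        /in Init state/   { i = $1 }
        /in Backup state/ { b = $1 }
        /in Master state/ { m = $1 }
        END { printf "init=%d backup=%d master=%d\n", i, b, m }
    '
}

# vrrp_label: collapse a summary line into a single label. "Mixed" means more
# than one virtual router is configured and they are not all in the same state;
# "Unknown" means nothing was parsed (iclid not answering, output changed).
vrrp_label() {
    case "$1" in
        "init=0 backup=0 master=0")        echo Unknown ;;
        "init=0 backup=0 master="[1-9]*)   echo Master ;;
        "init=0 backup="[1-9]*" master=0") echo Backup ;;
        "init="[1-9]*" backup=0 master=0") echo Init ;;
        *)                                 echo Mixed ;;
    esac
}

# watch_vrrp: poll iclid every $1 seconds (default 1) and print only on change.
watch_vrrp() {
    interval=${1:-1}
    prev=""
    while true; do
        cur=$(echo show vrrp | iclid | vrrp_summary)
        if [ "$cur" != "$prev" ]; then
            echo "$(date '+%Y-%m-%d %H:%M:%S') VRRP $(vrrp_label "$cur") ($cur)"
            prev=$cur
        fi
        sleep "$interval"
    done
}

if [ "${1:-}" = "--watch" ]; then
    watch_vrrp "${2:-1}"
fi
```

Run it on the Site2 box before blocking the hellos: you should see one line at start-up reading Backup, then a Master line roughly three seconds after the last advertisement (the Router Dead Interval shown in the output above), and a Backup line again once the hellos come back and the higher-priority Site1 reclaims the address. One thing worth flagging from the `sh vrrp interface` output above is `Authentication: NoAuthentication`: with no authentication any host on the external segment can send advertisements, and one with a higher priority will take the virtual IP, so a transition logged by this script while Site1 is healthy is something to investigate rather than ignore.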
Hello

Got kind of a weird one:

* Dual Nokia ip440s, ver 4.1 sp6, set up and working fine with VRRP
* Two websites: Site 1 xx.x.. and Site 2 xx.x.xxx.xx
* Both using the same ISP

We host two websites and over the past week we have had to reboot the primary firewall to regain access to Site 2. Site 2 isn't fully production (simply a redirect to Site 1) but users won't change their *favorites* so the page stays put! We have always been able to ping Site 1 (Compaq servers) but never Site 2 (IBM servers).

The sysadmin on the box swears he isn't filtering ICMP or doing anything else to prevent pings. In theory, if VRRP was working, traffic to the site should come back as soon as the primary firewall is rebooted or failed over. This isn't happening: we have forced traffic to the secondary firewall but access to the site remains blocked until the primary is back online (finished rebooting).

The firewalls are a mirror image of each other, what are we missing?

Thanks