STP disconnect firewall LAN port

 
pepinpepe
Occasional Advisor

STP disconnect firewall LAN port

Hello,

We have a firewall connected to one HP ProCurve 2610 switch port and, on the other side, to an internal HP ProCurve 2910 switch. The router is connected to the first switch (2610); the servers and the other end-client PC switches (stacked 2610) are connected to the 2910. MRSTP is enabled on all the switches.
A very strange effect has happened a few times: the firewall LAN port (connected to the 2910) stops working and the port light on the internal switch turns off.
Removing and reconnecting the cable to the switch fixes the problem, which seems rather odd.
The firewall is a Dell PowerEdge running Linux Lince with an Ethernet dual-port Broadcom 5720 NetXtreme 100 Mbps card.
The logs of the HP 2910 show the following sequence of events repeated several times:
- Port X is now off-line
- Port X is Blocked by STP
- Port X is now on-line
- FFI: Port X-Excessive Broadcasts. See help.
- Port X is now off-line
- Port X is Blocked by STP
where X is the firewall LAN port, i.e. the port blocked by STP.
I checked the cables between the switches the firewall is connected to and there is no physical loop.
On the other hand, using the switch commands, the situation is characterized by:
- there is no change of STP topology
- the topology changes counter doesn't increase
- STP on the switch blocks the firewall LAN port

Software releases are W.14.03 for the 2910 and R.11.25 for the 2610. I checked the fixes but couldn't find any related to MRSTP or Broadcom NICs. Does anybody know what's happening?

Best Regards and thanks in advance.
13 REPLIES
DDGRUS
Occasional Advisor

Re: STP disconnect firewall LAN port

Hi there,

Have you set up the spanning tree priorities on all of the switches?

Dom

pepinpepe
Occasional Advisor

Re: STP disconnect firewall LAN port

No,

Priorities are all at the default, i.e. 32768 on all switches. The firewall port is on the 2910 tandem switch (I mean there are two switches, one of them connected to the firewall LAN port and the other to the servers, and they are connected together), and the WAN port is on the 2610 switch where the router is connected. The root is one of the switches of the tandem, the one where the firewall isn't connected. All the switches have the same priority, the default priority. The strange thing is that although STP blocks the LAN port, you don't see a topology change and the counter isn't increased. On the other hand, this problem has happened four times with the same effects.

DDGRUS
Occasional Advisor

Re: STP disconnect firewall LAN port

You should definitely think about setting up the priorities, unless your tandem switches are in a stack; do you manage them both from 1 IP address?

For spanning tree on our switches, we tag the switch which has the primary route with the lower number, for example:

There is a site with 3 switches, all connected to each other: switch 1 is connected to both 2 and 3, switch 2 is connected to both 1 and 3, and switch 3 is connected to 1 and 2.

Switch 1: has our Primary Router attached, we give that switch a priority of 0 (CLI code "spanning-tree priority 0")

Switch 2: has our Backup Router attached, this switch is given a priority of 2 (CLI code "spanning-tree priority 2")

Switch 3: no router, this switch is given a priority of 15 (CLI code "spanning-tree priority 15")

 

From what you have said I would suggest the switch with the firewall having a priority of 0.

 

A colleague also suggested that you look into setting a spanning tree edge port, if your switch will let you do this; that would be set up on the interface that connects to the firewall. This will stop it blocking the port in the event of finding a loop; we only set these up on interfaces we know will not get a loop.
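To make the root election behind this priority advice concrete, here is an added Python illustration (not code from any poster in this thread). It assumes the ProCurve convention that "spanning-tree priority N" takes N in 0..15 and stores N*4096 in the bridge ID's 16-bit priority field; the lowest bridge ID (priority field, then MAC) becomes root. Switch names and MAC addresses are constructed sample values.

```python
"""Bridge-ID comparison as used by 802.1D/802.1w root election.

ProCurve 'spanning-tree priority N' takes N in 0..15 and stores N*4096 in
the 16-bit priority field; the bridge ID is that field followed by the
switch MAC, and the numerically lowest bridge ID becomes root.
Switch names and MAC addresses below are constructed sample values.
"""

STEP = 4096  # ProCurve priority multiplier (802.1t 4-bit priority)


def bridge_id(priority_step: int, mac: str) -> int:
    """Return the 64-bit bridge ID: 16-bit priority field, then 48-bit MAC."""
    if not 0 <= priority_step <= 15:
        raise ValueError("ProCurve spanning-tree priority must be 0..15")
    mac_int = int(mac.replace(":", "").replace("-", ""), 16)
    return ((priority_step * STEP) << 48) | mac_int


def elect_root(switches: dict[str, tuple[int, str]]) -> str:
    """Pick the root bridge: the lowest bridge ID wins (priority, then MAC)."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))


# All switches left at the default (32768 == step 8): the MAC decides,
# which is the situation described in the thread.
DEFAULT = {
    "core-2910": (8, "00:1c:2e:aa:bb:cc"),
    "edge-2610": (8, "00:1c:2e:00:00:01"),   # lowest MAC wins by accident
    "stack-2610": (8, "00:1c:2e:ff:00:02"),
}

# DDGRUS's scheme: 0 on the switch you want as root, 2 on the backup,
# 15 everywhere else. Now the choice no longer depends on MAC addresses.
TUNED = {
    "core-2910": (0, "00:1c:2e:aa:bb:cc"),
    "edge-2610": (2, "00:1c:2e:00:00:01"),
    "stack-2610": (15, "00:1c:2e:ff:00:02"),
}

if __name__ == "__main__":
    print("default priorities ->", elect_root(DEFAULT))
    print("tuned priorities   ->", elect_root(TUNED))
```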

 

16again
Respected Contributor

Re: STP disconnect firewall LAN port

Maybe this isn't an STP problem: STP won't bring down the link when blocking a port.

pepinpepe
Occasional Advisor

Re: STP disconnect firewall LAN port

Hello DDgrus,

Thanks for answering. The tandem switches are in a stack and they are both managed from 1 IP address.

"A colleague also suggested that you look into setting a spanning tree edge port, if your switch will let you do this; that would be set up on the interface that connects to the firewall. This will stop it blocking the port in the event of finding a loop; we only set these up on interfaces we know will not get a loop."

It is a possibility, but why a loop? There aren't physical cables between them making loops.

 

 
 
pepinpepe
Occasional Advisor

Re: STP disconnect firewall LAN port

Hello 16again,

What do you suggest? Any idea that could produce this situation?

16again
Respected Contributor

Re: STP disconnect firewall LAN port

If you manually unplug a port, you'll also end up with a "blocked by STP" message, but STP isn't the cause, just the result.

Try forcing speed/duplex settings on both sides of the troubled link.
Look into the error counters on the port (on both sides).

pepinpepe
Occasional Advisor

Re: STP disconnect firewall LAN port

Hi 16again,

Is there any other situation that can show the same STP effects without physically unplugging cables?

With the counters, what can you see? For example, in this case for port X blocked by STP:

Totals (Since boot or last clear) :
  Bytes Rx : 2,948,646,096 Bytes Tx : 1,937,188,467
  Unicast Rx : 3,501,949,778 Unicast Tx : 2,725,757,392
  Bcast/Mcast Rx : 2,407,356 Bcast/Mcast Tx : 96,320,597
Errors (Since boot or last clear) :
  FCS Rx : 1 Drops Tx : 34,918
  Alignment Rx : 0 Collisions Tx : 0
  Runts Rx : 0 Late Colln Tx : 0
  Giants Rx : 0 Excessive Colln : 0
  Total Rx Errors : 1 Deferred Tx : 0
Others (Since boot or last clear) :
  Discard Rx : 0 Out Queue Len : 0
  Unknown Protos : 0
Rates (5 minute weighted average) :
  Total Rx (bps) : 0 Total Tx (bps) : 0
  Unicast Rx (Pkts/sec) : 0 Unicast Tx (Pkts/sec) : 0
  B/Mcast Rx (Pkts/sec) : 0 B/Mcast Tx (Pkts/sec) : 0
  Utilization Rx : 0 % Utilization Tx : 0 %

Thanks in advance.

 

16again
Respected Contributor

Re: STP disconnect firewall LAN port

FCS counters look suspicious:
"FCS Rx : 1 Drops Tx : 34,918"

Just try forcing link duplex/speed on both sides, and replace the UTP cable with a brand new CAT6.
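To turn the diagnosis in this exchange into a repeatable check, here is an added Python example (not code from any poster in this thread). It parses event-log lines shaped like the sequence in the original post and port counters shaped like the ones quoted above, and reports when every "Blocked by STP" follows a link-down event (link loss first, STP block second) together with any FCS errors or Tx drops. The port number, the log lines and the counter values are constructed samples.

```python
"""Triage a flapping ProCurve port: tell 'link dropped, then STP blocked it'
from a real topology change and read the FCS / Tx-drop counters. Log lines
and counters are constructed samples shaped like those quoted in the thread."""
import re
from collections import Counter

SAMPLE_LOG = """\
ports: Port 5 is now off-line
ports: Port 5 is Blocked by STP
ports: Port 5 is now on-line
FFI: Port 5-Excessive Broadcasts. See help.
ports: Port 5 is now off-line
ports: Port 5 is Blocked by STP
"""
SAMPLE_COUNTERS = """\
FCS Rx : 1 Drops Tx : 34,918
Alignment Rx : 0 Collisions Tx : 0
"""
EVENT = re.compile(r"port (\d+)[ -](is now off-line|is now on-line|"
                   r"is blocked by stp|excessive broadcasts)", re.I)
COUNTER = re.compile(r"([A-Za-z/ ]+?) (Rx|Tx) : ([\d,]+)")

def parse_events(log: str) -> dict[str, Counter]:
    """Count event kinds per port, keyed by the lower-cased event text."""
    per_port: dict[str, Counter] = {}
    for m in EVENT.finditer(log):
        per_port.setdefault(m.group(1), Counter())[m.group(2).lower()] += 1
    return per_port

def parse_counters(text: str) -> dict[str, int]:
    """Flatten 'Name Rx : n Name Tx : m' pairs into {'Name Rx': n, ...}."""
    return {f"{n.strip()} {d}": int(v.replace(",", ""))
            for n, d, v in COUNTER.findall(text)}

def triage(port: str, ev: Counter, ctr: dict[str, int]) -> list[str]:
    """Findings for one port; an empty list means nothing suspicious."""
    out = []
    down, blocked = ev["is now off-line"], ev["is blocked by stp"]
    if down and blocked <= down:  # every STP block follows a link-down event
        out.append(f"port {port}: {down} link-down events; the STP block is "
                   "the result of link loss, not its cause (16again's point)")
    if ctr.get("FCS Rx", 0) or ctr.get("Alignment Rx", 0):
        out.append(f"port {port}: FCS/alignment errors; check cable and speed/duplex")
    if ctr.get("Drops Tx", 0):
        out.append(f"port {port}: {ctr['Drops Tx']} Tx drops on the switch side")
    return out

if __name__ == "__main__":
    for port, ev in parse_events(SAMPLE_LOG).items():
        print("\n".join(triage(port, ev, parse_counters(SAMPLE_COUNTERS))))
```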

Richard Litchfield
Respected Contributor

Re: STP disconnect firewall LAN port

This command has to be used very carefully, but it can be very useful at connection points/borders where there are mismatched (or unknown) STP settings coming together. It can cause problems and it almost certainly won't work if you have multiple connections.

On the ProCurve port where the connection is coming in:

spanning-tree 24 bpdu-filter
Vale0
Advisor

Re: STP disconnect firewall LAN port

Perhaps there may be problems due to an incorrect setup of the Ethernet dual-port Broadcom 5720 NetXtreme.

pepinpepe
Occasional Advisor

Re: STP disconnect firewall LAN port

Hi Richard,

Thanks for answering. What do you mean by:

"there are mismatched (or unknown) STP settings coming together"

On the other hand

spanning-tree 24 bpdu-filter

Where do you propose to apply it, on the firewall LAN port (2910) or on the firewall WAN port switch (2610)? The firewall works in bridge mode and it doesn't use STP; I mean, it only forwards BPDUs from one switch port to the other. If I filter BPDUs I will have two different STP trees, one for the border switch (router port and firewall WAN port) and another for the rest of the switches (all connected to the firewall LAN by one port of the 2910 switch), no?

Best Regards and thanks.

pepinpepe
Occasional Advisor

Re: STP disconnect firewall LAN port

Hi 16again,

So you think it is a problem of speed and cable, no? The strange thing for me is that the problem has only happened three times (one in 2014, one in 2015 and another in 2016, with the same effects and logs), and if the cable or speed adjustment were bad, shouldn't it happen more often?

Thanks again for your early answer.