
Unable to communicate with vrrp address

 
MarcusSmit
Visitor

Unable to communicate with vrrp address

Hello,

I am facing a network issue that should be unable to exist to my knowledge. I'll try to explain, hoping someone here will help me understand the problem or even help me fix it.

We have a VLAN that connects our external firewall (Fortigate, Active/Standby setup) to the Cisco routers from our ISP. On the Cisco routers, VRRP and iBGP are configured. This setup seems to work just fine except for connections to the Internet that have the VRRP address as their gateway. The complete setup is somewhat more extensive, but we managed to rule out many components as the cause.

Our conclusion at this point is that the 5940 switch will not forward traffic to the VRRP address unless an SVI is configured WITH an IP address and a subnet that is just big enough to span the VRRP address. Use a different subnet on the switch and the connection fails.

Subnet x.x.x.0/26:
.1 firewall
.51 router (active node)
.52 router (standby node)
.62 VRRP

The ARP address is visible in both the switch's and the firewall's ARP table. This is not the issue.

When we gave the switch an IP address in this subnet, the connection was restored. When the subnet mask is changed, the connection is restored as long as it spans VRRP, with .61/30 being the smallest possible.

My question is simple: why would the switch need an IP address in this VLAN to enable two hosts to communicate? We currently use the .51 as the gateway to the Internet as a workaround. It seems clear that there is nothing wrong with the connection to the firewall or to the router. The switch breaks the communication.

This problem first occurred when we migrated from HSRP to VRRP. (Reconfiguration was required as there appears to be an HSRP IPv6 bug.)

Maybe relevant: when we fail over to the standby firewall node AND fail over to the standby Cisco router, there seems to be no problem. A display current-configuration all shows no (relevant) differences between the two IRFs.

I also checked the release notes for the latest firmware version. I can find no issues, fixed or known, that would explain any of this.

Hope someone can help me here :)

Best regards,
Marcus
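An added example (not part of the thread) that turns two of the observations above into checks: how small an SVI subnet on a given address can be and still span the VRRP address, and whether a host's ARP cache holds the VRRP virtual MAC (00-00-5E-00-01-{VRID}, RFC 5798) or a physical router MAC as in the workaround. The 192.0.2.0/26 addresses and the VRID are constructed; the post gives neither.

```python
import ipaddress


def vrrp_virtual_mac(vrid: int) -> str:
    """Virtual MAC an IPv4 VRRP router answers ARP with: 00-00-5E-00-01-{VRID}
    (RFC 5798). A different MAC in the ARP entry for the virtual address means
    the host resolved it to a physical router MAC instead."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00:00:5e:00:01:{vrid:02x}"


def svi_covers(svi_ip: str, prefix_len: int, target_ip: str) -> bool:
    """True if the subnet formed by the SVI address and mask contains target_ip."""
    network = ipaddress.ip_interface(f"{svi_ip}/{prefix_len}").network
    return ipaddress.ip_address(target_ip) in network


def smallest_covering_prefix(svi_ip: str, target_ip: str) -> int:
    """Longest prefix (smallest subnet) on svi_ip that still spans target_ip.
    The post reports .61/30 as the smallest that restores forwarding to .62."""
    for prefix_len in range(32, -1, -1):
        if svi_covers(svi_ip, prefix_len, target_ip):
            return prefix_len
    raise AssertionError("unreachable: /0 covers every address")


def check_arp_entry(arp_table: dict, vrrp_ip: str, vrid: int) -> str:
    """Classify what a host has cached for the VRRP address:
    'missing', 'virtual-mac' (expected) or 'other-mac' (e.g. static physical MAC)."""
    mac = arp_table.get(vrrp_ip)
    if mac is None:
        return "missing"
    if mac.lower() == vrrp_virtual_mac(vrid):
        return "virtual-mac"
    return "other-mac"


if __name__ == "__main__":
    # Constructed sample mirroring the thread: firewall .1, routers .51/.52, VRRP .62.
    # VRID 10 is an assumption; the post does not state it.
    VRRP_IP, VRID = "192.0.2.62", 10
    print(smallest_covering_prefix("192.0.2.61", VRRP_IP))  # 30
    print(svi_covers("192.0.2.61", 31, VRRP_IP))  # False
    firewall_arp = {VRRP_IP: "00:00:5e:00:01:0a"}  # constructed ARP cache
    print(check_arp_entry(firewall_arp, VRRP_IP, VRID))  # virtual-mac
```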


MarcusSmit

Re: Unable to communicate with vrrp address

I have some more information:

We now know for sure that the HPE switch drops the traffic to the VRRP address. The MAC address is in the MAC address table, but traffic is not forwarded. When we set a fixed ARP entry in the firewall that maps the VRRP address to the physical MAC address, traffic is forwarded as it should.

The release notes for the latest firmware version do not mention any known issues that could explain this, so we think this is a new bug.

Best regards,

Marcus Smit

3Naga

Re: Unable to communicate with vrrp address

  1. What is the current firmware running on the HPE switch?
  2. Please confirm whether the HPE switch is acting as an L2 or L3 switch.
  3. If we need L3 functionality, then an SVI connecting to the firewall should be configured, as we can only learn ARP on a routed interface.
  4. Please do a tracert from the switch to the firewall and check the route it takes. Does it go via the default route configured on the switch?
  5. If the above is all fine, we need to run debug and analyse the configuration/logs on the switch to check the case, for which logging a case with us is recommended as it would need break-fix methodology to handle.
