Re: STP disconnect firewall LAN port

pepinpepe
Occasional Advisor

STP disconnect firewall LAN port

Hello,

We have a firewall connected to one HP ProCurve 2610 switch port and another to an internal HP ProCurve 2910 switch. The router is connected to the first switch (2610), and the servers and the other end-client PC switches (stacked 2610s) are connected to the HP 2910.
MRSTP is enabled among all the switches.
A very strange effect has happened a few times: the firewall LAN port (connected to the 2910) stops working and the port light on the internal switch turns off.
Removing and reconnecting the cable to the switch fixes the problem, which seems rather odd.
The firewall is a Dell PowerEdge Linux Lince with a dual-port Broadcom 5720 NetXtreme 100 Mbps Ethernet card.
The logs of the HP 2910 show the following sequence of events repeated several times:
- Port X is now off-line
- Port X is Blocked by STP
- Port X is now on-line
- FFI: Port X-Excessive Broadcasts. See help.
- Port X is now off-line
- Port X is Blocked by STP
where X is the LAN port of the firewall, i.e. the port blocked by STP.
I checked the cables between the switches to which the firewall is connected
and there is no physical loop.
On the other hand, according to the switch commands, the situation is characterized by:
- there is no STP topology change
- the topology change counter doesn't increase
- STP on the switch blocks the firewall LAN port

Software releases are W.14.03 for the 2910 and R.11.25 for the 2610. I checked the fixes but I
couldn't find any related to MRSTP or Broadcom NICs. Does anybody know what's happening?

Best Regards and thanks in advance.
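As an added illustration (not code from the original post), a small Python parser for the event sequence quoted above. It reads a constructed log sample modelled on the messages listed in the post (timestamps and the five-digit event codes are made up for illustration), counts link cycles per port, and records whether each "Blocked by STP" message came right after "off-line", which is the pattern that points at the link itself dropping rather than STP acting on a healthy link. The port numbers, thresholds and window are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, modelled on the sequence quoted in the post.
# Timestamps and event codes are invented; the message texts follow the post.
SAMPLE_LOG = """\
I 03/11/13 09:12:04 00076 ports: port 12 is now off-line
I 03/11/13 09:12:04 00435 ports: port 12 is Blocked by STP
I 03/11/13 09:12:09 00077 ports: port 12 is now on-line
W 03/11/13 09:12:11 00329 FFI: port 12-Excessive Broadcasts. See help.
I 03/11/13 09:12:14 00076 ports: port 12 is now off-line
I 03/11/13 09:12:14 00435 ports: port 12 is Blocked by STP
I 03/11/13 09:12:20 00077 ports: port 12 is now on-line
I 03/11/13 09:15:30 00076 ports: port 3 is now off-line
I 03/11/13 09:15:31 00077 ports: port 3 is now on-line
"""

# severity, date/time, event code, free-text message
LINE_RE = re.compile(
    r"^(?P<sev>[IWMED])\s+(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+\d+\s+(?P<msg>.*)$"
)

# message fragments -> normalised event names
EVENT_PATTERNS = [
    (re.compile(r"port (\S+) is now off-line", re.I), "off-line"),
    (re.compile(r"port (\S+) is now on-line", re.I), "on-line"),
    (re.compile(r"port (\S+) is Blocked by STP", re.I), "blocked-by-stp"),
    (re.compile(r"port (\S+)-Excessive Broadcasts", re.I), "excessive-broadcasts"),
]


def parse_events(text):
    """Return (timestamp, port, event) tuples for recognised lines, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%m/%d/%y %H:%M:%S")
        for pat, name in EVENT_PATTERNS:
            pm = pat.search(m.group("msg"))
            if pm:
                events.append((ts, pm.group(1), name))
                break
    return events


def summarise_ports(events):
    """Per port: link cycles (off-line ... on-line), STP blocks, broadcast warnings,
    and whether every STP block was immediately preceded by a link-down event."""
    per_port = defaultdict(lambda: {
        "cycles": 0, "blocked_by_stp": 0, "excessive_broadcasts": 0,
        "block_follows_link_down": True, "first": None, "last": None,
    })
    last_event = {}
    for ts, port, ev in events:  # log is chronological; no re-sorting
        rec = per_port[port]
        rec["first"] = rec["first"] or ts
        rec["last"] = ts
        if ev == "on-line" and last_event.get(port) in ("off-line", "blocked-by-stp"):
            rec["cycles"] += 1
        elif ev == "blocked-by-stp":
            rec["blocked_by_stp"] += 1
            if last_event.get(port) != "off-line":
                rec["block_follows_link_down"] = False
        elif ev == "excessive-broadcasts":
            rec["excessive_broadcasts"] += 1
        last_event[port] = ev
    return dict(per_port)


def flapping_ports(summary, min_cycles=2, window_seconds=600):
    """Ports that completed at least min_cycles link cycles inside the window (assumed thresholds)."""
    flagged = {}
    for port, rec in summary.items():
        span = (rec["last"] - rec["first"]).total_seconds()
        if rec["cycles"] >= min_cycles and span <= window_seconds:
            flagged[port] = rec
    return flagged


if __name__ == "__main__":
    summary = summarise_ports(parse_events(SAMPLE_LOG))
    for port, rec in flapping_ports(summary).items():
        cause = ("link dropped before STP blocked it: check the physical layer"
                 if rec["block_follows_link_down"]
                 else "STP blocked an up link: check the topology")
        print(f"port {port}: {rec['cycles']} link cycles, {rec['blocked_by_stp']} STP blocks, "
              f"{rec['excessive_broadcasts']} broadcast warnings; {cause}")
```

With the sample above only port 12 is reported, and because each "Blocked by STP" follows an "off-line", the script points at the physical layer rather than at spanning tree, which is the distinction the later replies draw.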
DDGRUS
Occasional Advisor

Re: STP disconnect firewall LAN port

Hi there,

Have you set up the spanning tree priorities on all of the switches?

Dom

pepinpepe
Occasional Advisor

Re: STP disconnect firewall LAN port

No,

Priorities are all at the default, i.e. 32768 in all switches. The firewall port is in the 2910 tandem switch (I mean there are two switches, one of them is connected to the firewall LAN port and the other to the servers, and they are connected together), and the other WAN port is in the 2610 switch where the router is connected. The root is one of the switches of the tandem, the one where the firewall isn't connected. All the switches have the same priority, the default priority. The strange question is that despite STP blocking the LAN port, you don't see a topology change and the counter isn't increased. On the other hand, this problem has happened four times with the same effects.

DDGRUS
Occasional Advisor

Re: STP disconnect firewall LAN port

You should definitely think about setting up the priorities, unless your tandem switches are in a stack; do you manage them both from 1 IP address?

For spanning tree on our switches, we tag the switch which has the primary route with the lower number, for example

There is a site with 3 switches: all switches are connected, switch 1 is connected to both 2+3, switch 2 is connected to both 1+3 and switch 3 is connected to 1+2.

Switch 1: has our Primary Router attached, we give that switch a priority of 0 (CLI code "spanning-tree priority 0")

Switch 2: has our Backup Router attached, this switch is given a priority of 2 (CLI code "spanning-tree priority 2")

Switch 3: no router, this switch is given a priority of 15 (CLI code "spanning-tree priority 15")


From what you have said I would suggest the switch with the firewall having a priority of 0.


A colleague also suggested that you look into setting a spanning tree edge port, if your switch will let you do this; that would be set up on the interface that connects to the firewall. This will stop it blocking the port in the event of finding a loop; we only set these up on interfaces we know will not get a loop.

16again
Respected Contributor

Re: STP disconnect firewall LAN port

Maybe this isn't an STP problem: STP won't bring down the link when blocking a port.

pepinpepe
Occasional Advisor

Re: STP disconnect firewall LAN port

Hello DDgrus,

Thanks for answering. The tandem switches are in a stack and they are both managed from 1 IP address.

"A colleague also suggested that you look into setting a spanning tree edge port, if your switch will let you do this, that would be setup on the interface that connects to the firewall. This will stop it blocking the port in the event of finding a loop, we only set these up on interfaces we know will not get a loop."

It is a possibility, but why a loop? There aren't physical cables between them making loops.
pepinpepe
Occasional Advisor

Re: STP disconnect firewall LAN port

Hello 16again,

What do you suggest? Any idea that could produce this situation?

16again
Respected Contributor

Re: STP disconnect firewall LAN port

If you manually unplug a port, you'll also end up with a "blocked by STP" message, but STP isn't the cause, just the result.

Try forcing speed/duplex settings on both sides of the troubled link.
Look into the error counters on the port (on both sides).

pepinpepe
Occasional Advisor

Re: STP disconnect firewall LAN port

Hi 16again,

Any other situation that can show the same STP effects without physical unplugging cables?

With the counters, what can you see? For example, in this case for port X blocked by STP:

Totals (Since boot or last clear) :
  Bytes Rx       : 2,948,646,096    Bytes Tx       : 1,937,188,467
  Unicast Rx     : 3,501,949,778    Unicast Tx     : 2,725,757,392
  Bcast/Mcast Rx : 2,407,356        Bcast/Mcast Tx : 96,320,597
Errors (Since boot or last clear) :
  FCS Rx          : 1    Drops Tx        : 34,918
  Alignment Rx    : 0    Collisions Tx   : 0
  Runts Rx        : 0    Late Colln Tx   : 0
  Giants Rx       : 0    Excessive Colln : 0
  Total Rx Errors : 1    Deferred Tx     : 0
Others (Since boot or last clear) :
  Discard Rx     : 0    Out Queue Len : 0
  Unknown Protos : 0
Rates (5 minute weighted average) :
  Total Rx (bps)        : 0      Total Tx (bps)        : 0
  Unicast Rx (Pkts/sec) : 0      Unicast Tx (Pkts/sec) : 0
  B/Mcast Rx (Pkts/sec) : 0      B/Mcast Tx (Pkts/sec) : 0
  Utilization Rx        : 0 %    Utilization Tx        : 0 %

Thanks in advance.


16again
Respected Contributor

Re: STP disconnect firewall LAN port

FCS counters look suspicious:
"FCS Rx : 1 Drops Tx : 34,918"

Just try forcing link duplex/speed on both sides, and replace the UTP cable with a brand new CAT6.
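An added example (not from the thread) that parses the counter dump posted earlier and applies the kind of checks suggested in the replies: it turns the two-column "Label : value" output into a dict, normalises the two headline error counters per million frames so that a single FCS error over billions of frames is not read the same way as tens of thousands of transmit drops, and maps the non-zero error counters to the physical-layer causes worth ruling out (cable, duplex mismatch). The counter text is the one quoted in the thread; the check table and its wording are assumptions of the example, not a ProCurve rule.

```python
import re

# Counter dump as quoted earlier in the thread (ProCurve "show interfaces" style).
# Each line carries up to two "Label : value" pairs; section headers carry none.
COUNTERS = """\
Totals (Since boot or last clear) :
Bytes Rx : 2,948,646,096 Bytes Tx : 1,937,188,467
Unicast Rx : 3,501,949,778 Unicast Tx : 2,725,757,392
Bcast/Mcast Rx : 2,407,356 Bcast/Mcast Tx : 96,320,597
Errors (Since boot or last clear) :
FCS Rx : 1 Drops Tx : 34,918
Alignment Rx : 0 Collisions Tx : 0
Runts Rx : 0 Late Colln Tx : 0
Giants Rx : 0 Excessive Colln : 0
Total Rx Errors : 1 Deferred Tx : 0
Others (Since boot or last clear) :
Discard Rx : 0 Out Queue Len : 0
Unknown Protos : 0
Rates (5 minute weighted average) :
Total Rx (bps) : 0 Total Tx (bps) : 0
Unicast Rx (Pkts/sec) : 0 Unicast Tx (Pkts/sec) : 0
B/Mcast Rx (Pkts/sec) : 0 B/Mcast Tx (Pkts/sec) : 0
Utilization Rx : 0 % Utilization Tx : 0 %
"""

# label (letters, spaces, slashes, parentheses), colon, digits with thousands separators,
# optional trailing percent sign
PAIR_RE = re.compile(r"([A-Za-z/() ]+?)\s*:\s*([\d,]+)\s*%?")


def parse_counters(text):
    """Flatten the two-column dump into {label: int}; headers have no value and are skipped."""
    counters = {}
    for line in text.splitlines():
        for label, value in PAIR_RE.findall(line):
            counters[label.strip()] = int(value.replace(",", ""))
    return counters


def per_million(c):
    """Error counters relative to the frames actually carried on the port."""
    rx_frames = c["Unicast Rx"] + c["Bcast/Mcast Rx"]
    tx_frames = c["Unicast Tx"] + c["Bcast/Mcast Tx"]
    return {
        "fcs_per_million_rx": 1e6 * c["FCS Rx"] / rx_frames,
        "drops_per_million_tx": 1e6 * c["Drops Tx"] / tx_frames,
    }


# (flag, counters that raise it, what to check) -- assumed heuristics for this example
CHECKS = [
    ("fcs_or_alignment", ("FCS Rx", "Alignment Rx"),
     "corrupted frames: cable, connectors or NIC; compare with the far side's counters"),
    ("collisions", ("Late Colln Tx", "Excessive Colln", "Collisions Tx"),
     "collisions on a link meant to be full duplex: duplex mismatch, pin speed/duplex on both ends"),
    ("size_errors", ("Runts Rx", "Giants Rx"),
     "malformed frame sizes: bad cable/NIC or MTU mismatch"),
    ("tx_drops", ("Drops Tx",),
     "frames the switch gave up sending: link was down or the far side stopped receiving"),
]


def assess_link(c):
    """Return the checks that fire, each with the non-zero counters that triggered it."""
    findings = []
    for flag, keys, advice in CHECKS:
        hits = {k: c.get(k, 0) for k in keys if c.get(k, 0)}
        if hits:
            findings.append((flag, hits, advice))
    return findings


if __name__ == "__main__":
    c = parse_counters(COUNTERS)
    print(per_million(c))
    for flag, hits, advice in assess_link(c):
        print(f"{flag}: {hits} -> {advice}")
```

Run against the quoted dump, only the FCS and transmit-drop checks fire; the per-million figures make the drops the larger signal, and both point at the link rather than at spanning tree, which is where the reply above sends the poster (duplex settings and the cable).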