★V7 NGFW Redundancy Group Active/Standby Link Switchover Is Abnormal

2023-03-23 23:41:19 Published

Network Topology


The firewall is configured with IRF and connects to the uplink and downlink devices through Reth ports.

Problem Description

The customer ran a switchover test of the active and standby links and found that after the active link 1/0/4 was unplugged, traffic did not switch over to the standby link 2/0/4.

After the cable is unplugged, the forwarding status of the standby member of the Reth port is still Inactive:

<TLC_QT_FW01>display  reth interface  Reth  2

Reth2 :
  Redundancy group  : ha
  Member           Physical status         Forwarding status   Presence status
  GE1/0/4          DOWN                    Active              Normal
  GE2/0/4          UP                      Inactive            Normal

Process Analysis

First check the Reth port and redundancy group configuration:

#
interface Reth1
 description TO_CoreSW
 member interface Route-Aggregation1 priority 110
 member interface Route-Aggregation2 priority 100
#
interface Reth2
 member interface GigabitEthernet1/0/4 priority 100
 member interface GigabitEthernet2/0/4 priority 50
#
security-zone name Trust
 import interface Reth1
 import interface Route-Aggregation1
 import interface Route-Aggregation2
#
security-zone name Untrust
 import interface GigabitEthernet1/0/1
 import interface GigabitEthernet1/0/4
 import interface GigabitEthernet2/0/1
 import interface GigabitEthernet2/0/4
 import interface Reth2
#
redundancy group ha
 member interface Reth1
 member interface Reth2
 node 1
  bind slot 1
  priority 255
  track 10 reduced 150 interface Route-Aggregation1
  track 11 reduced 150 interface GigabitEthernet1/0/4
  track 12 reduced 150 interface GigabitEthernet1/0/2
  track 13 reduced 150 interface GigabitEthernet1/0/3
 node 2
  bind slot 2
  priority 50
  track 20 reduced 150 interface Route-Aggregation2
  track 21 reduced 150 interface GigabitEthernet2/0/4
  track 22 reduced 150 interface GigabitEthernet2/0/2
  track 23 reduced 150 interface GigabitEthernet2/0/3
#

Each track entry is configured with reduced 150, which does not appear in the typical configuration examples, so check the relevant description in the configuration guide:

A redundancy group cooperates with the Track module to monitor link and interface status for automatic switchovers.

A redundancy group node has a weight of 255 (not configurable). Each redundancy group node is associated with one or multiple track entries that have a user-configurable weight decrement rate. When the state of a track entry changes, the weight of the associated node is reduced or increased, as follows:

· When the track entry changes to the NotReady or Negative state, the node weight is reduced by the weight decrement rate of the track entry.

· When the track entry changes to the Positive state, the node weight is increased by the weight decrement rate of the track entry.

When the node weight decreases to 0 or a lower value, a switchover request is triggered.

· Switchover to the low-priority node occurs when the hold-down timer expires.

· Switchover to the high-priority node occurs when the preemption delay timer expires.

Therefore, the cause of the failure is that the weight of node 1 is 255 by default. When a track entry fails, the weight is reduced by only 150, which does not reach the value that triggers automatic switchover (0 or lower), so the active and standby links are not switched.

Solution

Modify the track entry configuration to resolve the problem:

#
redundancy group ha
 member interface Reth1
 member interface Reth2
 node 1
  bind slot 1
  priority 255
  track 10 interface Route-Aggregation1 // reduced weight-reduced: Specifies the weight decrement rate in the range of 1 to 255. The default is 255.
  track 11 interface GigabitEthernet1/0/4
  track 12 interface GigabitEthernet1/0/2
  track 13 interface GigabitEthernet1/0/3
 node 2
  bind slot 2
  priority 50
  track 20 reduced 150 interface Route-Aggregation2
  track 21 reduced 150 interface GigabitEthernet2/0/4
  track 22 reduced 150 interface GigabitEthernet2/0/2
  track 23 reduced 150 interface GigabitEthernet2/0/3
#
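
The weight arithmetic from the configuration guide, as an added example (not H3C code and not part of the original case): it parses track lines in the syntax shown on this page and reports entries whose failure alone cannot bring the node weight of 255 to 0. The function names are choices made for this example, and BEFORE is a two-entry excerpt of the node 1 configuration above.

```python
import re

NODE_WEIGHT = 255      # fixed node weight, per the configuration guide quoted above
DEFAULT_REDUCED = 255  # decrement when "reduced" is omitted, per the note in the fix
TRACK_RE = re.compile(r"track (\d+)(?: reduced (\d+))? interface (\S+)")

def parse_tracks(config):
    """Return {node_id: [(track_id, decrement, interface), ...]}."""
    nodes, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        node = re.fullmatch(r"node (\d+)", line)
        if node:
            current = int(node.group(1))
            nodes[current] = []
            continue
        track = TRACK_RE.fullmatch(line)
        if track and current is not None:
            dec = int(track.group(2)) if track.group(2) else DEFAULT_REDUCED
            nodes[current].append((int(track.group(1)), dec, track.group(3)))
    return nodes

def silent_tracks(config):
    """Track entries whose failure alone leaves the node weight above 0."""
    return [(node, tid, ifname, NODE_WEIGHT - dec)
            for node, tracks in parse_tracks(config).items()
            for tid, dec, ifname in tracks
            if NODE_WEIGHT - dec > 0]

def failures_needed(config, node):
    """Fewest simultaneous track failures that bring the node weight to 0 or lower."""
    weight = NODE_WEIGHT
    decrements = sorted((d for _, d, _ in parse_tracks(config)[node]), reverse=True)
    for count, dec in enumerate(decrements, 1):
        weight -= dec
        if weight <= 0:
            return count
    return None  # even with every tracked link down, no switchover request

# Excerpt of node 1 from this page, before and after removing "reduced 150".
BEFORE = """node 1
 bind slot 1
 priority 255
 track 10 reduced 150 interface Route-Aggregation1
 track 11 reduced 150 interface GigabitEthernet1/0/4
"""
AFTER = BEFORE.replace(" reduced 150", "")

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, silent_tracks(cfg), failures_needed(cfg, 1))
```

For the original node 1 settings it shows that two tracked links must fail at the same time before a switchover request is raised, while the corrected settings need only one.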
