| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Hi,

I've recently upgraded a standalone Nokia IP560 to a HA pair running VRRP. Both firewalls are running IPSO 4.2 and Checkpoint R62.

These firewalls are running OSPF on the inside interface and it is through this interface that the management station connects. The problem is that the network the management station resides on needs to be learned via OSPF, but on a HA pair it appears only the VRRP master has neighbor relationships and consequently only it learns the OSPF routes. Therefore I cannot connect to the secondary VRRP unit from the management station as the route doesn't exist in its routing table.

Although the documentation seems to indicate this is the way OSPF operates on a VRRP cluster, this is obviously a serious limitation in its operation and I feel there must be a workaround besides adding a static route. Have I simply made an error in configuring it?

To configure this I've set up VRRP separately on both VRRP units and then under the OSPF setup selected the virtual address option to ensure that OSPF updates use the virtual VRRP IP address. The accept connections to VRRP IPs option is also set.

Below is the current output of show ospf neighbors and show routes on both units showing the issue.

VRRP master

```
NokiaIP560:104> show ospf neighbors
Neighbor ID     Pri  State     Dead  Address       Interface    Errors
10.54.0.164     1    FULL/DR   17    10.54.0.164   10.54.0.11   0
10.55.0.254     1    FULL/DR   20    10.55.0.254   10.55.0.5    0   <----------------neighbor through which internal networks are learned

NokiaIP560:105> show route
Codes: C - Connected, S - Static, I - IGRP, R - RIP, B - BGP,
       O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
       A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed

S     0.0.0.0/0 via 87.x.x.x, eth-s1p1c0, cost 0, age 384719
O E   10.1.1/24 via 10.55.0.254, eth-s4p1c0, cost 1:100, age 384661
O E   10.1.2/24 via 10.55.0.254, eth-s4p1c0, cost 1:100, age 384661
O E   10.1.9/24 via 10.55.0.254, eth-s4p1c0, cost 1:100, age 384661
O E   10.1.11/24 via 10.55.0.254, eth-s4p1c0, cost 1:100, age 384661
.....
O E   10.41.4/24 via 10.55.0.254, eth-s4p1c0, cost 1:100, age 384661 <-------------management network
```

VRRP Slave

```
NokiaIP560:66> show ospf neighbors
<-------------------------------------------------------no neighbor relationships

NokiaIP560:67> show route
Codes: C - Connected, S - Static, I - IGRP, R - RIP, B - BGP,
       O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
       A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed

S     0.0.0.0/0 via 87.x.x.x, eth-s1p1c0, cost 0, age 394221,<-----------no routes learned via OSPF
C     10.33/16 is directly connected, eth-s4p2c0
C     10.54.1/24 is directly connected, eth-s4p4c0
C     10.54.2/24 is directly connected, eth-s1p3c0
C     10.54/24 is directly connected, eth-s1p2c0
C     10.55/24 is directly connected, eth-s4p1c0
C     10.113/16 is directly connected, eth-s4p3c0
C     87.x.x/24 is directly connected, eth-s1p1c0
C     127.0.0.1/32 is directly connected, loop0c0
C     192.168.100/24 is directly connected, eth-s2p1c0
NokiaIP560:68>
```
| |||
| From my understanding the OSPF is only sent into the active unit in a VRRP pair. You would need to add a static route for the management server onto both boxes to ensure that management is available to both boxes no matter which is active. |