| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| I just inherited a pair of Nokia IP 380s running 3.8-BUILD045, set up for high availability with Nokia VRRP. The legacy VRRP configuration is set up on both firewalls. One has a priority of 95 on all interfaces (except the sync interface) and the other has a priority of 100. All monitored interfaces have a priority delta of 10. Currently the device with the priority of 95 is the master for all 5 virtual router interfaces. The device with the priority of 100 is the backup for all 5 virtual router interfaces. If I reboot, turn off or unplug the device with priority 95, the device with priority 100 does not become the master. Is there anything I should be looking at to find out why it won’t fail over? Is there a command I can run to try to force the failover? Let me know if there is any more information I can provide to help with the description of the situation. d |
| |||
| Dnolan, why didn't you activate VRRP in simplified mode (it is better and easier than legacy)? Did you activate the Check Point software? If you have, check the logs to see if the multicast packets (remember that the source is 224.0.0.x and not the other appliance) are dropped. If you haven't, try a tcpdump to see the multicast packets received and generated on all interfaces. Regards, Maurox |
| |||
| The pair is using legacy VRRP because the previous admin configured it that way. I just took over the administration of this pair. I plan on moving away from the legacy VRRP configuration but I'd like to get the failover figured out first. I did a tcpdump on all interfaces of both the master and backup firewalls. I can see VRRP advertisements coming from the master on both firewalls. Is there anything else I should check? Any commands to try to force the backup to become the master? Thanks, d |
| |||
| Normally the appliance with the higher priority is the master (and to force the backup to become the master you can increase the priority in all VRIDs), but right now you have the Nokia with the priority of 95 as master. I think this is the first problem you have to solve, and that you're having some problems in the backup module. If you want, you can see other information in the clish menu, like "show vrrp interface" or "show vrrp stat". M |
| |||
I was looking at the cpha commands and I ran the cphaprob list command on both firewalls. On the master firewall, the output looks like this:

```
Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: OK
Time since last report: 8829.9 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 8819.4 sec

Device Name: cphad
Registration number: 2
Timeout: 5 sec
Current state: OK
Time since last report: 0.4 sec

Device Name: fwd
Registration number: 3
Timeout: 5 sec
Current state: OK
Time since last report: 1.2 sec
```

On the backup firewall the output looks like this:

```
Registered Devices:

Device Name: Synchronization
Registration number: 0
Timeout: none
Current state: initializing
Time since last report: 354860 sec

Device Name: Filter
Registration number: 1
Timeout: none
Current state: OK
Time since last report: 3065.7 sec

Device Name: cphad
Registration number: 2
Timeout: 5 sec
Current state: OK
Time since last report: 0.5 sec

Device Name: fwd
Registration number: 3
Timeout: 60 sec
Current state: problem
Time since last report: 351743 sec
```

The output on the backup stays the same if I do a cphastop and cphastart. Could this have something to do with it? Also, what can I do to resolve the issue?
| |||
| You're having some problems on the backup module: Device Name: fwd Registration number: 3 Timeout: 60 sec Current state: problem Time since last report: 351743 sec. The fwd daemon is in "problem" state and the last report to the mgmt was 351743 sec ago. That module is in backup state. Why don't you try to reconfigure everything on that module? |
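
Added example, not part of any post in this thread: a small Python parser for the `cphaprob list` output quoted above that flags every registered device whose state is not `OK` or whose last report is older than its timeout. The function names are hypothetical, and treating "time since last report greater than timeout" as a fault is an assumption about how the timeout field is meant to be read.

```python
import re

# `cphaprob list` output from the backup firewall, as posted in the thread
# (one device per line here; the regex accepts any whitespace layout).
BACKUP = """Registered Devices:
Device Name: Synchronization Registration number: 0 Timeout: none Current state: initializing Time since last report: 354860 sec
Device Name: Filter Registration number: 1 Timeout: none Current state: OK Time since last report: 3065.7 sec
Device Name: cphad Registration number: 2 Timeout: 5 sec Current state: OK Time since last report: 0.5 sec
Device Name: fwd Registration number: 3 Timeout: 60 sec Current state: problem Time since last report: 351743 sec
"""

DEVICE_RE = re.compile(
    r"Device Name:\s*(?P<name>\S+)\s+"
    r"Registration number:\s*(?P<reg>\d+)\s+"
    r"Timeout:\s*(?P<timeout>none|[\d.]+)(?:\s*sec)?\s+"
    r"Current state:\s*(?P<state>\S+)\s+"
    r"Time since last report:\s*(?P<age>[\d.]+)\s*sec"
)

def parse_devices(text):
    """Return one dict per registered device found in the output."""
    devices = []
    for m in DEVICE_RE.finditer(text):
        timeout = None if m["timeout"] == "none" else float(m["timeout"])
        devices.append({"name": m["name"], "reg": int(m["reg"]), "timeout": timeout,
                        "state": m["state"], "age": float(m["age"])})
    return devices

def unhealthy(devices):
    """Return (name, reasons) for every device that is not reporting healthy."""
    findings = []
    for d in devices:
        reasons = []
        if d["state"] != "OK":
            reasons.append(f"state is {d['state']!r}")
        # Assumption: a device with a timeout must report within that window.
        if d["timeout"] is not None and d["age"] > d["timeout"]:
            reasons.append(f"last report {d['age']:.0f}s ago, timeout {d['timeout']:.0f}s")
        if reasons:
            findings.append((d["name"], reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in unhealthy(parse_devices(BACKUP)):
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the backup's output it reports `Synchronization` and `fwd`; the master's output from the same post yields no findings.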