 | ||
 VRRP -Secondary Firewall flapping | ||
| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
|
| |||||||
 |
| | LinkBack | Thread Tools | Display Modes |
 2008-09-16 | |||
| |||
 VRRP -Secondary Firewall flapping Hi guys, When I check the logs , i see that my secondary firewall in a nokia cluster keeps flapping. There is no error or change of state on the primary firewall. The firewall physical interface contains 4 vlans but only one vlan flaps suggesting it is not the interface that is the problem. Does anyone have a take on this? ----------------------------------------------------------------------------------------------------------------- Aug 29 09:12:18 FW02 [LOG_NOTICE] ipsrd[272]: vrrp_vr_master: interface eth-s1p4c1, VRID 41: state=MASTER Aug 29 09:12:18 FW02 [LOG_NOTICE] snmpd: Trap sent to 10.39.24.22: Version - 2c, Type - Enterprise Specific, VRRP New Master Aug 29 09:12:18 FW02 [LOG_NOTICE] ipsrd[272]: vrrp_recv_advertise: priority override Aug 29 09:12:18 FW02 [LOG_NOTICE] ipsrd[272]: vrrp_vr_backup: interface eth-s1p4c1, VRID 41: state=BACKUP ------------------------------------------------------------------------------------------------------------------  |
| 2008-09-16 | |||
| |||
| Re: VRRP -Secondary Firewall flapping Are you sure the 2 firewalls see each other properly on all vlan's? It sounds like the interface is missing updates from its peer, could be due to Multicasts being dropped. __________________ Regards, Maarten. P1 R62 IPSO SPLAT IOS |
| 2008-09-17 | |||
| |||
| Re: VRRP -Secondary Firewall flapping There are 4 vlans configured on the interface vlans 41, 42, 43, 44 but the logs show just vlan 41...you would expect this from all the vlans if it is an interface problem. It happens like every 30mins. Both firewall interfaces are connected to the same cisco switch. |
| 2008-09-17 | |||
| |||
| Re: VRRP -Secondary Firewall flapping Do you see any errors on the Cisco switch? Duplex mismatches? Spanningtree disabled? __________________ Regards, Maarten. P1 R62 IPSO SPLAT IOS |
| 2008-09-19 | |||
| |||
| Re: VRRP -Secondary Firewall flapping I have seen a couple of incidents of late. If you perform TCPDUMP on the interface (active and standby), you will see the primary firewall isn't sending out multicast VRRP hello for 'n' seconds/intervals. The command is: tcpdump -i <interface> proto vrrp > tcpdump1.out The question to ask is why isn't the multicast being sent out the interface? I don't know and I am looking for the answers myself. Do you have similar symptoms? Last edited by th0i3; 2008-09-19 at 07:10. |
|
| Thread Tools | |
| Display Modes | |
| |
Linear Mode
