CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Simplified VRRP error: delta would be too large when backup address is added to VRID

  1. #1
    Join Date
    2016-04-06
    Location
    Germany
    Posts
    57
    Rep Power
    4

    Default Simplified VRRP error: delta would be too large when backup address is added to VRID

    Hi everyone, I have a question about a Check Point SK article. The article sk39123 describes a behaviour of the simplified VRRP configuration and the priority delta.

    Sk39123:
    "Symptoms
    When configuring VRRP using Simplified Mode, IPSO uses the following formula to check if the configured Priority delta is a valid number based on the configured Priority and number of Virtual interfaces participating for each VRID.

    V x D <= P

    V = Number of Virtual IP addresses
    D = Configured Delta
    P = Configured Priority.

    For example, let's say the base priority is 100, our delta is 10 and the number of Virtual IP addresses we have configured for a VRID is 11. Since 11*10 > 100, the error message will appear.

    Solution
    IPSO will automatically suggest an appropriate value to configure for a VRID. In addition, please refer to the above formula when choosing a value for the Priority Delta."


    The article is written for the IPSO OS. But I have the same issue on my 77.20 gateway when using the simple VRRP config with many interfaces participating with the same VRID.

    I didn't find any other article or description of this issue; maybe someone else has an explanation for that. I want to understand the mechanism Check Point uses. (Maybe the same logic as in IPSO...)

  2. #2
    Join Date
    2016-04-06
    Location
    Germany
    Posts
    57
    Rep Power
    4

    Default Re: Simplified VRRP error: delta would be too large when backup address is added to V

    Hey I found a useful hint to the case.

    I made a few tests and a few calculations and figured out something:

    Priority delta x Number of virtual IPs <= 254

    20 x 11 = 220 :-)
    20 x 12 = 240 :-)
    20 x 13 = 260 :-(

    So in the last example the Gaia web interface shows an error and forces you to count down the priority delta to 19 (so that 19 x 13 = 247).

    I think that the calculation is used for something more... can someone explain that? Maybe VIP MAC calculation or something?

    Greetings dom

  3. #3
    Join Date
    2012-07-19
    Posts
    105
    Rep Power
    8

    Default Re: Simplified VRRP error: delta would be too large when backup address is added to V

    VRRP transmits priorities in its protocol. Priority is an unsigned 8-bit value, so it can only be a value between 0 and 255.
    The node with the highest priority is active and will broadcast its value to the other members. Once a priority lower than another member's prio is broadcast, re-election will take place.

    Check Point's VRRP implementation seems to dislike a setup where your priorities can reach less than 0. Thus, when your priority is 20 (cluster member priority drops by 20 for each interface failing) and you have more than 13 interfaces (= 260 in priority) you can move outside the 0-255 boundary, which isn't possible according to the VRRP RFC. That may be the case because of RFC 5798:

    5.2.4. Priority

    The priority field specifies the sending VRRP router's priority for
    the virtual router. Higher values equal higher priority. This field
    is an 8-bit unsigned integer field.

    The priority value for the VRRP router that owns the IPvX address
    associated with the virtual router MUST be 255 (decimal).

    VRRP routers backing up a virtual router MUST use priority values
    between 1-254 (decimal). The default priority value for VRRP routers
    backing up a virtual router is 100 (decimal).

    The priority value zero (0) has special meaning, indicating that the
    current Master has stopped participating in VRRP. This is used to
    trigger Backup routers to quickly transition to Master without having
    to wait for the current Master to time out.

    As priority 0 has a special meaning, setups making it possible to drop below 0 may be rejected.

  4. #4
    Join Date
    2016-04-06
    Location
    Germany
    Posts
    57
    Rep Power
    4

    Default Re: Simplified VRRP error: delta would be too large when backup address is added to V

    Hi Jejerod,

    thank you for the answer, I read the rfc too, but it was not so easy for me to understand. But with your description I get the point!

    Best regards

    Dom

  5. #5
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,146
    Rep Power
    13

    Default Re: Simplified VRRP error: delta would be too large when backup address is added to V

    OK, it is actually pretty simple: the priority delta is the important value here. The priority itself is the value that tells the cluster which member is master; when an interface fails, the prio delta is subtracted from its priority.

    Sample:
    10 interfaces, we set a default value of 200 for the master and 195 for the backup and a delta of 10.
    When we have more than 15 interfaces we change the delta to 7, as that will still make sure a failover will happen when an interface fails.

    Why the margin, you might ask? Well, I'd rather be safe than sorry. To force a failover I don't always know which member has which value, and then I am too lazy to switch to the other member to raise the priority there, so I lower the value on the master from 200 to 190. Sometimes it just happens the next time I change the master I change the 195 to 185...

    My advice: make sure you have ample margin and stay well away from the calculated number from interfaces * prio delta and just below 255, as that is the max priority.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.
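
Added example, not part of the thread and not Check Point or IPSO code: the arithmetic from the posts above in Python, covering the sk39123 rule (V x D <= P), the 254 limit measured in post #2, and the failover margin from post #5. Function names are hypothetical, and the base priority of 200 used for the post #2 cases is a constructed value.

```python
# Added illustration; function names are hypothetical, not Gaia/IPSO APIs.
MAX_BACKUP_PRIORITY = 254  # RFC 5798 5.2.4: backups use 1-254; 0 and 255 are special


def effective_priority(base, delta, failed):
    """Priority after `failed` monitored interfaces are down (may go negative)."""
    return base - delta * failed


def max_delta(vips, limit):
    """Largest delta with vips * delta <= limit (limit = P or 254)."""
    return limit // vips


def check_delta(base, delta, vips):
    """Apply both rules quoted in the thread to one VRID configuration."""
    worst = effective_priority(base, delta, vips)  # every interface failed
    return {
        "sk39123_ok": vips * delta <= base,                      # V x D <= P
        "observed_254_ok": vips * delta <= MAX_BACKUP_PRIORITY,  # post #2
        "worst_case": worst,
        # What an unsigned 8-bit field would carry if a negative result were
        # allowed to wrap (pure arithmetic, not observed device behaviour).
        "wrapped_u8": worst & 0xFF,
    }


def fails_over(master_base, backup_base, delta, failed=1):
    """True if the master's reduced priority drops below a healthy backup's."""
    return effective_priority(master_base, delta, failed) < backup_base


if __name__ == "__main__":
    print(check_delta(100, 10, 11))   # sk39123 example: 11 * 10 > 100
    for vips in (11, 12, 13):         # post #2 measurements with delta 20
        print(vips, check_delta(200, 20, vips)["observed_254_ok"])
    print(max_delta(13, 254))         # delta the web interface forced for 13 VIPs
    print(fails_over(200, 195, 7), fails_over(200, 195, 5))  # post #5 margins
```

The `wrapped_u8` field shows why a negative result matters for an 8-bit field: -10 would be carried as 246, so a member with every interface down would look like a high-priority one.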
