Wednesday, May 19, 2010

Everything you need to know about troubleshooting VRRP on Nokia Checkpoints

VRRP failover happens when one of the following events takes place:
- a monitored interface loses its link state
- the backup stops seeing VRRP hello (advertisement) packets from the master
- a critical Checkpoint service or daemon fails to report its status. This requires FW Monitoring to be turned on in Voyager. Note that with FW Monitoring on, setting the system clock backwards will also trigger a failover.


To watch the VRRP advertisements on an interface (here eth1), run tcpdump on the firewall itself:

tcpdump -nni eth1 proto VRRP

Each advertisement carries the VRID and the advertising router's priority. Normally only the master advertises; the backup just listens.
When a failure occurs, the failed master sends a priority 0 advertisement out of all interfaces that are still up. Priority 0 means "I am giving up the master role" and tells the backup to take over immediately instead of waiting for its master-down timer to expire.


Example:
PrimaryHA-fw1[admin]# tcpdump -i eth-s1p1c0 proto vrrp
tcpdump: listening on eth-s4p2c0
00:46:11.379961 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]
00:46:12.399982 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]
00:46:13.479985 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 100 [tos 0xc0]
00:46:14.560007 O 192.168.1.1 > 224.0.0.18: VRRPv2-adver 20: vrid 100 pri 0 [tos 0xc0]


If both firewalls are advertising as master for the same VRID (each sees its own advertisements but never the peer's), the advertisements are not reaching the other firewall. Check the cable, switch port and VLAN between them, and make sure nothing in the path filters the 224.0.0.18 multicast, which must be forwarded at layer 2.

Also ensure that the VRID and the hello (advertisement) interval match on both firewalls; a backup silently discards advertisements whose interval differs from its own configuration.

A clean VRRP failover usually costs only one or two lost packets.

VRRP multicast address is 224.0.0.18

To capture VRRP traffic in fw monitor (VRRP is IP protocol 112):

fw monitor -e "accept ip_p = 112;"

iclid / clish
show vrrp
This gives a per-box summary of how many virtual routers are in Master, Backup and Init state, so you can see at a glance which device holds which role.

Example:
PrimaryFW-A> sh vrrp
VRRP State
Flags: On
6 interface enabled
6 virtual routers configured
0 in Init state
0 in Backup state
6 in Master state
PrimaryFW-A>
PrimaryFW-A> exit
Bye.
PrimaryFW-A[admin]#
SecondaryFW-B[admin]# iclid
SecondaryFW-B> sh vrrp
VRRP State
Flags: On
6 interface enabled
6 virtual routers configured
0 in Init state
4 in Backup state
2 in Master state
SecondaryFW-B>
SecondaryFW-B> exit

Read the two summaries together: there are 6 virtual routers, yet FW-A reports 6 in Master state and FW-B reports 2 in Master state, so for two VRIDs both firewalls believe they are master. That is the split described above, and it points at the interfaces where the advertisements are not getting through; show vrrp interfaces will tell you which VRIDs they are.



show vrrp interfaces
Detailed VRRP configuration and state per interface, including priority, hello interval and VRID

clish -c "show interfacemonitor"
Displays interface link transitions (useful when the failover was triggered by a monitored interface)

cphaprob -i list
Displays the Checkpoint critical processes (devices) registered with the cluster, their state and their timeouts.

To log critical process failures:
ipsctl -w net:log:partner:status:debug 1

That logs to the console and to /var/log/messages. To turn off the console logging:
ipsctl -w net:log:sink:console 0

To change the timeout value of a monitored process, re-register the device with the new timeout:
cphaprob -d [device] -t [timeout] -s [state] -p register
