SRX Services Gateway

VRRP problem on SRX240H2 - process restart required to clear master/master state

‎07-08-2019 04:58 AM

2 x SRX240H2 running 12.3X48-D75.4, recently upgraded from 12.1X44-D20.3
Problem existed on previous JunOS versions as well as current.

The SRXs are interconnected via a locally managed inter-site link which presents an untagged interface in a single vlan to both SRXs.
VRRP preempt is enabled, each SRX has a local IP address and shares a VRRP address, with different priorities set to determine VRRP master/backup state.

When enabling VRRP on the secondary router it sees the vrrp advertisements from the primary and correctly sets itself to backup state.
VRRP advertisements are being sent from primary and are received on the secondary.
This is the normal working state.

When the priority is reduced on the primary router, the secondary router sees that the primary router priority is now lower than its own and changes its state to master.
However, the primary SRX remains in master state so both SRXs are master.
VRRP interface counters on both SRXs show that VRRP advertisements are being sent but the received counter is not incrementing on either SRX.

Running the "restart vrrp gracefully" command on the SRX that now has the highest priority fixes the problem, as the lower priority SRX is now receiving advertisements and changes its state to backup.

What does the process restart do that the regular vrrp advertisements don't?

 


Re: VRRP problem on SRX240H2 - process restart required to clear master/master state

‎07-08-2019 07:08 AM

Hi allens7,

 

The VRRP advertisements not being received on the interfaces could be the problem here. 

 

Could you please check the configuration on the SRXs to confirm host-inbound traffic for vrrp protocol is permitted? If not, please add them.

 

e.g: set security zones security-zone <zone-name> host-inbound-traffic protocols vrrp

 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

 

Regards,

HS


Re: VRRP problem on SRX240H2 - process restart required to clear master/master state

‎07-08-2019 02:21 PM

Hi allens7,

 

If the above recommendation doesn't resolve this issue for you, please share your VRRP-related configuration so that I can review and share my thoughts/recommendations.

 

I did a quick test in my lab with an SRX240H2 running the same code version (12.3X48-D75); however, I don't see the same issue as yours with vrrp enabled in the security zone. So this could be an inter-site link issue too, if the issue persisted prior to the upgrade too:

 

vrrp-A device:

 

root@vrrp-A> show version
Hostname: vrrp-A
Model: srx240h2
JUNOS Software Release [12.3X48-D75.4]

 

root@vrrp-A> show configuration interfaces ge-0/0/2
unit 0 {
    family inet {
        address 1.1.1.2/24 {
            vrrp-group 1 {
                virtual-address 1.1.1.1;
                priority 200;
                accept-data;
                authentication-type md5;
                authentication-key "$9$OxaXIhyM87s2alK2aZU.mO1R"; ## SECRET-DATA
            }
        }
    }
}

 

root@vrrp-A# show security zones
security-zone trust {
    interfaces {
        ge-0/0/2.0 {
            host-inbound-traffic {
                protocols {
                    vrrp;
                }
            }
        }
    }
}

 

vrrp-B device:

 

root@vrrp-B> show version
Hostname: vrrp-B
Model: srx240h2
JUNOS Software Release [12.3X48-D75.4]

 

root@vrrp-B> show configuration interfaces ge-0/0/2
unit 0 {
    family inet {
        address 1.1.1.3/24 {
            vrrp-group 1 {
                virtual-address 1.1.1.1;
                priority 100;
                accept-data;
                authentication-type md5;
                authentication-key "$9$S4plv8-VYZUHX7UHqmF3Sre"; ## SECRET-DATA
            }
        }
    }
}


root@vrrp-B# show security zones
security-zone trust {
    interfaces {
        ge-0/0/2.0 {
            host-inbound-traffic {
                protocols {
                    vrrp;
                }
            }
        }
    }
}

 

VRRP outputs from my lab:

root@vrrp-A> show vrrp brief
Interface     State       Group   VR state   VR Mode   Timer     Type   Address
ge-0/0/2.0    up              1   master     Active    A  0.153  lcl    1.1.1.2
                                                                 vip    1.1.1.1

 

root@vrrp-A> show vrrp extensive
Interface: ge-0/0/2.0, Interface index :69, Groups: 1, Active :1
  Interface VRRP PDU statistics
    Advertisement sent :49 <<<<<
    Advertisement received :0
    Packets received :0
    No group match received :0


root@vrrp-B> show vrrp brief
Interface     State       Group   VR state   VR Mode   Timer     Type   Address
ge-0/0/2.0    up              1   backup     Active    D  2.889  lcl    1.1.1.3
                                                                 vip    1.1.1.1
                                                                 mas    1.1.1.2


root@vrrp-B> show vrrp extensive
Interface: ge-0/0/2.0, Interface index :72, Groups: 1, Active :1
  Interface VRRP PDU statistics
    Advertisement sent :0
    Advertisement received :49 <<<<
    Packets received :49 <<<<
    No group match received :0

 

Lowered the priority on vrrp-A from 200 to 1:

 

root@vrrp-A> edit
Entering configuration mode

[edit]

root@vrrp-A# ...family inet address 1.1.1.2/24 vrrp-group 1 priority 1

 

[edit]
root@vrrp-A# show | compare
[edit interfaces ge-0/0/2 unit 0 family inet address 1.1.1.2/24 vrrp-group 1]
- priority 200;
+ priority 1;

 

root@vrrp-A# commit

 

Mastership updated correctly as expected:

 

root@vrrp-A> show vrrp brief
Interface     State       Group   VR state   VR Mode   Timer     Type   Address
ge-0/0/2.0    up              1   backup     Active    D  3.335  lcl    1.1.1.2
                                                                 vip    1.1.1.1
                                                                 mas    1.1.1.3

 

root@vrrp-B> show vrrp brief
Interface     State       Group   VR state   VR Mode   Timer     Type   Address
ge-0/0/2.0    up              1   master     Active    A  0.058  lcl    1.1.1.3
                                                                 vip    1.1.1.1

 

Here is an explanation of how the VRRP counters are expected to work by design:

 

1) When SRX is master for vrrp, you would see only 'Advertisement sent' counter increment constantly.

2) When SRX is backup for vrrp, you would see only 'Advertisement received' counter increment constantly.

3) If both SRXs are showing only 'Advertisement sent' counter increment constantly, then they are probably in master/master state, which could also mean that advertisements are either not getting delivered to the other SRX (link issue) or being ignored (when vrrp protocol is not enabled for that interface under security zones).

 


 

Regards,

HS
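
The three counter rules in the reply above can be checked mechanically by polling `show vrrp extensive` twice on each SRX and comparing the deltas. This is an added example, not part of the original thread; the function names are hypothetical, the sample captures are constructed in the layout quoted above, and each capture is assumed to cover a single interface.

```python
import re

# Matches the interface-level counters as printed by `show vrrp extensive` above.
COUNTER = re.compile(r"^\s*Advertisement (sent|received)\s*:\s*(\d+)", re.M)

def sample(sent, received):
    """Constructed capture in the layout quoted in the thread (not real device output)."""
    return (
        "Interface: ge-0/0/2.0, Interface index :69, Groups: 1, Active :1\n"
        "  Interface VRRP PDU statistics\n"
        f"    Advertisement sent :{sent} <<<<<\n"
        f"    Advertisement received :{received}\n"
    )

def parse_counters(text):
    """Return {'sent': n, 'received': n}, taking the first occurrence of each counter."""
    counters = {}
    for kind, value in COUNTER.findall(text):
        counters.setdefault(kind, int(value))
    missing = {"sent", "received"} - counters.keys()
    if missing:
        raise ValueError(f"counters not found: {sorted(missing)}")
    return counters

def role(before, after):
    """Infer one router's role from counter deltas between two polls."""
    b, a = parse_counters(before), parse_counters(after)
    d_sent, d_recv = a["sent"] - b["sent"], a["received"] - b["received"]
    if d_sent < 0 or d_recv < 0:
        return "reset"  # counters cleared or vrrp process restarted between polls
    if d_sent > 0 and d_recv == 0:
        return "master"  # rule 1: only 'sent' increments
    if d_recv > 0 and d_sent == 0:
        return "backup"  # rule 2: only 'received' increments
    return "indeterminate"

def classify_pair(polls_a, polls_b):
    """Each argument is a (before, after) pair of captures from one router."""
    roles = (role(*polls_a), role(*polls_b))
    if roles == ("master", "master"):
        # rule 3: both send, neither receives
        return "dual-master: check link delivery and host-inbound-traffic protocols vrrp"
    if sorted(roles) == ["backup", "master"]:
        return "healthy: one master, one backup"
    return f"inconclusive: {roles[0]}/{roles[1]}"

if __name__ == "__main__":
    a = (sample(49, 0), sample(60, 0))
    b = (sample(10, 49), sample(21, 49))  # B also sending, received counter frozen
    print(classify_pair(a, b))
```
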


Re: VRRP problem on SRX240H2 - process restart required to clear master/master state

‎07-09-2019 01:53 AM

Hi

The SRXs on both sites are allowing all system services & protocols in the relevant security zone so vrrp isn't blocked, and restarting the vrrp process restores the correct master/backup state.

It just seems that the vrrp advertisements from the new master following a priority change are not actually being sent despite the vrrp sent counters incrementing, or never arrive on the other SRX until the process is restarted.

I will ask for the switch configurations on the inter-site link.

 

 


Re: VRRP problem on SRX240H2 - process restart required to clear master/master state

‎07-11-2019 02:12 PM

Hi allens7,

 

Thanks for this update. From my lab testing as shown above, the VRRP state transitions work as expected when I make a priority change and commit. The only difference between your setup and mine is that I have the SRXs connected back to back.

 

So it is possible that the switch in between might be causing this issue for you, as the same behavior was seen on another JUNOS version as well.

 

Also, collecting VRRP traceoptions on both SRXs might give some idea of whether the advertisements are being sent/received on the SRXs when the change is made. You could also collect them when restarting VRRP to then see the difference in behavior.

 

set protocols vrrp traceoptions file vrrp-trace
set protocols vrrp traceoptions file size 10m
set protocols vrrp traceoptions file files 10
set protocols vrrp traceoptions flag all

 


 

Regards,

HS