Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: nsp: foundry

Cannot ping VRRP IP when backup active

  

 
nsp foundry RSS feed   Index | Next | Previous | View Threaded


sraymond at acedatacenter

May 14, 2012, 12:26 PM

Post #1 of 11 (1258 views)
Permalink
Cannot ping VRRP IP when backup active
Two routers, MLXe, simple VRRP configuration. The master has my .1 address, and all works fine, If I shutdown the VE interface on the master for testing, in a few seconds routing resumes on the VE interface of my backup router. However, I never can ping the same .1 address while the backup router is active. Re-enable the master VE interface and I can ping .1 again, and of course the hosts are still happy.

Is that expected behavior?

Thanks

! master
interface ve 205
port-name admin-swts
ip address 10.99.99.1/22
disable
ip vrrp vrid 1
version v3
owner
ip-address 10.99.99.1
activate
!

! backup
interface ve 205
port-name admin-swts
ip address 10.99.99.5/22
ip vrrp vrid 1
version v3
backup
ip-address 10.99.99.1
advertise backup
activate
!
_______________________________________________
foundry-nsp mailing list
foundry-nsp [at] puck
http://puck.nether.net/mailman/listinfo/foundry-nsp


niels=foundry-nsp at bakker

May 14, 2012, 1:31 PM

Post #2 of 11 (1192 views)
Permalink
Re: Cannot ping VRRP IP when backup active [In reply to]
* sraymond [at] acedatacenter (Steven Raymond) [Mon 14 May 2012, 22:22 CEST]:
>Two routers, MLXe, simple VRRP configuration. The master has my .1
>address, and all works fine, If I shutdown the VE interface on the
>master for testing, in a few seconds routing resumes on the VE
>interface of my backup router. However, I never can ping the same
>.1 address while the backup router is active. Re-enable the master
>VE interface and I can ping .1 again, and of course the hosts are
>still happy.

Add 'ip address 10.99.99.1/22 secondary' to the backup router's ve205
for that.


-- Niels.

--
_______________________________________________
foundry-nsp mailing list
foundry-nsp [at] puck
http://puck.nether.net/mailman/listinfo/foundry-nsp


tcsillag at interware

May 14, 2012, 1:39 PM

Post #3 of 11 (1189 views)
Permalink
Re: Cannot ping VRRP IP when backup active [In reply to]
As I know, VRRP does not support icmp echo replies on the virtual IP.
The owner replies because it has a physical interface with the same IP,
however if a backup becomes active, it'll only have the virtual IP, so
it won't answer.
One of the things Brocade always announces about it's VRRP-E is that it
always replies to ping.
Most vendors provide a config statement to enable pinging the virtual
IP, but that's not strictly following the RFC.

Tamas


On 05/14/2012 09:26 PM, Steven Raymond wrote:
> Two routers, MLXe, simple VRRP configuration. The master has my .1 address, and all works fine, If I shutdown the VE interface on the master for testing, in a few seconds routing resumes on the VE interface of my backup router. However, I never can ping the same .1 address while the backup router is active. Re-enable the master VE interface and I can ping .1 again, and of course the hosts are still happy.
>
> Is that expected behavior?
>
> Thanks
>
> ! master
> interface ve 205
> port-name admin-swts
> ip address 10.99.99.1/22
> disable
> ip vrrp vrid 1
> version v3
> owner
> ip-address 10.99.99.1
> activate
> !
>
> ! backup
> interface ve 205
> port-name admin-swts
> ip address 10.99.99.5/22
> ip vrrp vrid 1
> version v3
> backup
> ip-address 10.99.99.1
> advertise backup
> activate
> !
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp [at] puck
> http://puck.nether.net/mailman/listinfo/foundry-nsp

_______________________________________________
foundry-nsp mailing list
foundry-nsp [at] puck
http://puck.nether.net/mailman/listinfo/foundry-nsp


timoid at timoid

May 14, 2012, 1:51 PM

Post #4 of 11 (1187 views)
Permalink
Re: Cannot ping VRRP IP when backup active [In reply to]
Is this a brocadeism to have to use the same IP as the master and floating?

What happens if you set master ip to 10.99.99.2, secondary to 10.99.99.3 and
floating ip to 10.99.99.1? Or is this not valid?

When you fail over to backup, have you tried clearing your ARP cache to see
if that's why you can't ping?

> -----Original Message-----
> From: foundry-nsp-bounces [at] puck [mailto:foundry-nsp-
> bounces [at] puck] On Behalf Of Tamas Csillag
> Sent: Tuesday, 15 May 2012 6:39 AM
> To: Steven Raymond
> Cc: foundry-nsp [at] puck
> Subject: Re: [f-nsp] Cannot ping VRRP IP when backup active
>
> As I know, VRRP does not support icmp echo replies on the virtual IP.
> The owner replies because it has a physical interface with the same IP,
> however if a backup becomes active, it'll only have the virtual IP, so
> it won't answer.
> One of the things Brocade always announces about it's VRRP-E is that it
> always replies to ping.
> Most vendors provide a config statement to enable pinging the virtual
> IP, but that's not strictly following the RFC.
>
> Tamas
>
>
> On 05/14/2012 09:26 PM, Steven Raymond wrote:
> > Two routers, MLXe, simple VRRP configuration. The master has my .1
> address, and all works fine, If I shutdown the VE interface on the master
for
> testing, in a few seconds routing resumes on the VE interface of my backup
> router. However, I never can ping the same .1 address while the backup
> router is active. Re-enable the master VE interface and I can ping .1
again,
> and of course the hosts are still happy.
> >
> > Is that expected behavior?
> >
> > Thanks
> >
> > ! master
> > interface ve 205
> > port-name admin-swts
> > ip address 10.99.99.1/22
> > disable
> > ip vrrp vrid 1
> > version v3
> > owner
> > ip-address 10.99.99.1
> > activate
> > !
> >
> > ! backup
> > interface ve 205
> > port-name admin-swts
> > ip address 10.99.99.5/22
> > ip vrrp vrid 1
> > version v3
> > backup
> > ip-address 10.99.99.1
> > advertise backup
> > activate
> > !
> > _______________________________________________
> > foundry-nsp mailing list
> > foundry-nsp [at] puck
> > http://puck.nether.net/mailman/listinfo/foundry-nsp
>
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp [at] puck
> http://puck.nether.net/mailman/listinfo/foundry-nsp

_______________________________________________
foundry-nsp mailing list
foundry-nsp [at] puck
http://puck.nether.net/mailman/listinfo/foundry-nsp


sraymond at acedatacenter

May 14, 2012, 2:50 PM

Post #5 of 11 (1190 views)
Permalink
Re: Cannot ping VRRP IP when backup active [In reply to]
On May 14, 2012, at 2:51 PM, Tim Warnock wrote:

> Is this a brocadeism to have to use the same IP as the master and floating?

Dunno if it's Brocade's hangup, but yes you must configure the master address and interface IP the same.


> What happens if you set master ip to 10.99.99.2, secondary to 10.99.99.3 and
> floating ip to 10.99.99.1? Or is this not valid?

Not valid, AFAICT.


> When you fail over to backup, have you tried clearing your ARP cache to see
> if that's why you can't ping?

Have not yet checked that, but will look.

Thanks!


sraymond at acedatacenter

May 14, 2012, 2:52 PM

Post #6 of 11 (1192 views)
Permalink
Re: Cannot ping VRRP IP when backup active [In reply to]
On May 14, 2012, at 2:31 PM, Niels Bakker wrote:

> Add 'ip address 10.99.99.1/22 secondary' to the backup router's ve205 for that.
>
>
> -- Niels.

Good suggestion, but they outfoxed me:

telnet [at] route(config-vif-205)#ip address 10.99.99.1 255.255.252.0 secondary
IP/Port: Errno(13) Backup VRRP router already uses this IP address

I am "okay" with the other suggestions that the ping problem is according to RFC standards. Just wonder why that would be considered useful, if indeed required by spec.


Thank you!!


tcsillag at interware

May 14, 2012, 2:55 PM

Post #7 of 11 (1200 views)
Permalink
Re: Cannot ping VRRP IP when backup active [In reply to]
No, it's stated by the RFC, that one router is the 'owner':

IP Address Owner The VRRP router that has the virtual router's
IP address(es) as real interface address(es).
This is the router that, when up, will respond
to packets addressed to one of these IP
addresses for ICMP pings, TCP connections,
etc.

Virtual Router Master The VRRP router that is assuming the
responsibility of forwarding packets sent to
the IP address(es) associated with the virtual
router, and answering ARP requests for these
IP addresses. Note that if the IP address
owner is available, then it will always become
the Master.

Virtual Router Backup The set of VRRP routers available to assume
forwarding responsibility for a virtual router
should the current Master fail.


On 05/14/2012 10:51 PM, Tim Warnock wrote:
> Is this a brocadeism to have to use the same IP as the master and floating?
>
> What happens if you set master ip to 10.99.99.2, secondary to 10.99.99.3 and
> floating ip to 10.99.99.1? Or is this not valid?
>
> When you fail over to backup, have you tried clearing your ARP cache to see
> if that's why you can't ping?
>
>> -----Original Message-----
>> From: foundry-nsp-bounces [at] puck [mailto:foundry-nsp-
>> bounces [at] puck] On Behalf Of Tamas Csillag
>> Sent: Tuesday, 15 May 2012 6:39 AM
>> To: Steven Raymond
>> Cc: foundry-nsp [at] puck
>> Subject: Re: [f-nsp] Cannot ping VRRP IP when backup active
>>
>> As I know, VRRP does not support icmp echo replies on the virtual IP.
>> The owner replies because it has a physical interface with the same IP,
>> however if a backup becomes active, it'll only have the virtual IP, so
>> it won't answer.
>> One of the things Brocade always announces about it's VRRP-E is that it
>> always replies to ping.
>> Most vendors provide a config statement to enable pinging the virtual
>> IP, but that's not strictly following the RFC.
>>
>> Tamas
>>
>>
>> On 05/14/2012 09:26 PM, Steven Raymond wrote:
>>> Two routers, MLXe, simple VRRP configuration. The master has my .1
>> address, and all works fine, If I shutdown the VE interface on the master
> for
>> testing, in a few seconds routing resumes on the VE interface of my backup
>> router. However, I never can ping the same .1 address while the backup
>> router is active. Re-enable the master VE interface and I can ping .1
> again,
>> and of course the hosts are still happy.
>>>
>>> Is that expected behavior?
>>>
>>> Thanks
>>>
>>> ! master
>>> interface ve 205
>>> port-name admin-swts
>>> ip address 10.99.99.1/22
>>> disable
>>> ip vrrp vrid 1
>>> version v3
>>> owner
>>> ip-address 10.99.99.1
>>> activate
>>> !
>>>
>>> ! backup
>>> interface ve 205
>>> port-name admin-swts
>>> ip address 10.99.99.5/22
>>> ip vrrp vrid 1
>>> version v3
>>> backup
>>> ip-address 10.99.99.1
>>> advertise backup
>>> activate
>>> !
>>> _______________________________________________
>>> foundry-nsp mailing list
>>> foundry-nsp [at] puck
>>> http://puck.nether.net/mailman/listinfo/foundry-nsp
>>
>> _______________________________________________
>> foundry-nsp mailing list
>> foundry-nsp [at] puck
>> http://puck.nether.net/mailman/listinfo/foundry-nsp
>

_______________________________________________
foundry-nsp mailing list
foundry-nsp [at] puck
http://puck.nether.net/mailman/listinfo/foundry-nsp


hidden at xmission

May 14, 2012, 3:00 PM

Post #8 of 11 (1195 views)
Permalink
Re: Cannot ping VRRP IP when backup active [In reply to]
"What happens if you set master ip to 10.99.99.2, secondary to 10.99.99.3
and floating ip to 10.99.99.1?"

This is called VRRP-E and works great. If that's what you're trying to do,
then use VRRP-E instead of VRRP.

Jared Valentine
hidden [at] xmission



-----Original Message-----
From: foundry-nsp-bounces [at] puck
[mailto:foundry-nsp-bounces [at] puck] On Behalf Of Tim Warnock
Sent: Monday, May 14, 2012 2:51 PM
To: 'Tamas Csillag'; 'Steven Raymond'
Cc: foundry-nsp [at] puck
Subject: Re: [f-nsp] Cannot ping VRRP IP when backup active

Is this a brocadeism to have to use the same IP as the master and floating?

What happens if you set master ip to 10.99.99.2, secondary to 10.99.99.3 and
floating ip to 10.99.99.1? Or is this not valid?

When you fail over to backup, have you tried clearing your ARP cache to see
if that's why you can't ping?

> -----Original Message-----
> From: foundry-nsp-bounces [at] puck [mailto:foundry-nsp-
> bounces [at] puck] On Behalf Of Tamas Csillag
> Sent: Tuesday, 15 May 2012 6:39 AM
> To: Steven Raymond
> Cc: foundry-nsp [at] puck
> Subject: Re: [f-nsp] Cannot ping VRRP IP when backup active
>
> As I know, VRRP does not support icmp echo replies on the virtual IP.
> The owner replies because it has a physical interface with the same
> IP, however if a backup becomes active, it'll only have the virtual
> IP, so it won't answer.
> One of the things Brocade always announces about it's VRRP-E is that
> it always replies to ping.
> Most vendors provide a config statement to enable pinging the virtual
> IP, but that's not strictly following the RFC.
>
> Tamas
>
>
> On 05/14/2012 09:26 PM, Steven Raymond wrote:
> > Two routers, MLXe, simple VRRP configuration. The master has my .1
> address, and all works fine, If I shutdown the VE interface on the
> master
for
> testing, in a few seconds routing resumes on the VE interface of my
> backup router. However, I never can ping the same .1 address while
> the backup router is active. Re-enable the master VE interface and I
> can ping .1
again,
> and of course the hosts are still happy.
> >
> > Is that expected behavior?
> >
> > Thanks
> >
> > ! master
> > interface ve 205
> > port-name admin-swts
> > ip address 10.99.99.1/22
> > disable
> > ip vrrp vrid 1
> > version v3
> > owner
> > ip-address 10.99.99.1
> > activate
> > !
> >
> > ! backup
> > interface ve 205
> > port-name admin-swts
> > ip address 10.99.99.5/22
> > ip vrrp vrid 1
> > version v3
> > backup
> > ip-address 10.99.99.1
> > advertise backup
> > activate
> > !
> > _______________________________________________
> > foundry-nsp mailing list
> > foundry-nsp [at] puck
> > http://puck.nether.net/mailman/listinfo/foundry-nsp
>
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp [at] puck
> http://puck.nether.net/mailman/listinfo/foundry-nsp

_______________________________________________
foundry-nsp mailing list
foundry-nsp [at] puck
http://puck.nether.net/mailman/listinfo/foundry-nsp

_______________________________________________
foundry-nsp mailing list
foundry-nsp [at] puck
http://puck.nether.net/mailman/listinfo/foundry-nsp


tcsillag at interware

May 14, 2012, 3:11 PM

Post #9 of 11 (1201 views)
Permalink
Re: Cannot ping VRRP IP when backup active [In reply to]
Personally, I don't think it's actually useful, but here's an
explanation from the RFC: (I'm not sure I understand it... :)

8.4. Potential Forwarding Loop

A VRRP router SHOULD not forward packets addressed to the IP
Address(es) it becomes Master for if it is not the owner. Forwarding
these packets would result in unnecessary traffic. Also in the case
of LANs that receive packets they transmit (e.g., token ring) this
can result in a forwarding loop that is only terminated when the IP
TTL expires.

One such mechanism for VRRP routers is to add/delete a reject host
route for each adopted IP address when transitioning to/from MASTER
state.


My guess would be that while the basic concept of VRRP is great,
actually it's a pretty simple protocol. So the IETF had to add/change
something, anything, to make it more different from HSRP, and avoid
copyright issues. But that's just me.

Tamas



On 05/14/2012 11:52 PM, Steven Raymond wrote:
>
> On May 14, 2012, at 2:31 PM, Niels Bakker wrote:
>
>> Add 'ip address 10.99.99.1/22 secondary' to the backup router's ve205
>> for that.
>>
>>
>> -- Niels.
>
> Good suggestion, but they outfoxed me:
>
> telnet [at] route(config-vif-205)#ip address 10.99.99.1 255.255.252.0 secondary
> IP/Port: Errno(13) Backup VRRP router already uses this IP address
>
> I am "okay" with the other suggestions that the ping problem is
> according to RFC standards. Just wonder why that would be considered
> useful, if indeed required by spec.
>
>
> Thank you!!
>
>
>
>
>
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp [at] puck
> http://puck.nether.net/mailman/listinfo/foundry-nsp

_______________________________________________
foundry-nsp mailing list
foundry-nsp [at] puck
http://puck.nether.net/mailman/listinfo/foundry-nsp


niels=foundry-nsp at bakker

May 14, 2012, 3:50 PM

Post #10 of 11 (1194 views)
Permalink
Re: Cannot ping VRRP IP when backup active [In reply to]
* sraymond [at] acedatacenter (Steven Raymond) [Mon 14 May 2012, 23:53 CEST]:
>On May 14, 2012, at 2:31 PM, Niels Bakker wrote:
>>Add 'ip address 10.99.99.1/22 secondary' to the backup router's
>>ve205 for that.
>
>Good suggestion, but they outfoxed me:
>
>telnet [at] route(config-vif-205)#ip address 10.99.99.1 255.255.252.0 secondary
>IP/Port: Errno(13) Backup VRRP router already uses this IP address

That's the config I have on my XMRs...

Have you tried shutting the ve on the backup, disabling VRRP, adding
the address, enabling VRRP and re-enabling the interface?


>I am "okay" with the other suggestions that the ping problem is
>according to RFC standards. Just wonder why that would be
>considered useful, if indeed required by spec.

Yeah it is, the original RFC specifies that no traffic to the VRRP
address should be accepted at all. Generates lots of support calls of
the "I can't ping my default gateway!" variety, though, so this was
changed for VRRP-E and plenty vendors already ignored it for VRRP
(HSRP also replied to pings).


-- Niels.

--
_______________________________________________
foundry-nsp mailing list
foundry-nsp [at] puck
http://puck.nether.net/mailman/listinfo/foundry-nsp


jith787 at gmail

May 15, 2012, 6:45 AM

Post #11 of 11 (1192 views)
Permalink
Re: Cannot ping VRRP IP when backup active [In reply to]
Hello,

To state in simple words, the router which owns the "Master" state will not
reply for ICMP PING request as it is the nature of the protocol.

We have many number of implementation and it is well proven that the ICMP
PING will not work for VIP owned by standby router.

As many suggested, the VRRP-e will reply for ICMP PING request as it is
Foundry proprietary protocol.

Thanks
-Sujith

On Tue, May 15, 2012 at 4:20 AM, Niels Bakker
<niels=foundry-nsp [at] bakker>wrote:

>
> Have you tried shutting the ve on the backup, disabling VRRP, adding the
> address, enabling VRRP and re-enabling the interface?

nsp foundry RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.