This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

MLAG ISC VRRP asymmetric routing possible

MLAG ISC VRRP asymmetric routing possible

Justin_Metts
New Contributor

‎01-11-2016 06:31 PM

We are having a problem with the ISC between two x460s. VRRP is configured as ACTIVE/STANDBY. Everything looked fine initially during our tests as we only used ICMP. I configured separate "external" switches with IPs I could ping to test MLAG fail over on access switches connected to the two x460 core switches. The test dropped pings as expected and VRRP transitioned properly on failover. MLAG worked as well going to the access switches. Now the problem. TCP and UDP traffic does not establish any kind of connection. We connected the 460s to the internet and were able to ping 8.8.8.8, but cannot telnet to 53 nor http ports. Needless to say, no internet. When I disconnect the ISC between the two 460's, internet works flawlessly. I have no idea why this is and have not opened a ticket yet. I was plugged into the active VRRP switch when I tested, so the traffic shouldn't have been affected by the ISC in the first place. VRRP is balanced on the switches, half ACTIVE and half STANDBY. I figure if I change the configuration to ACTIVE/ACTIVE, then the traffic would flow correctly. I have followed the Extreme guides to configure the ISC and MLAG as well. That is how the switches are configured. Link that is similar to ours. Instead of the server, we have access switches. https://d2r1vs3d9006ap.cloudfront.net/s3_images/1108985/RackMultipart20141015-13973-hmz4ni-L3MLAG.png?1413378047 This image showed the traffic flowing over the ISC and I would not think this would be an issue.
0 Kudos
20 REPLIES 20

Stephane_Grosj1
Extreme Employee
In response to Frank

‎01-12-2016 09:15 AM

100% sure the "standby" FW doesn't act as an "active" one? So traffic doesn't directly go to it when the VRRP failover happens on the x460 (that would explain your sessions issues)?
0 Kudos

Justin_Metts
New Contributor
In response to Frank

‎01-12-2016 09:15 AM

Correct. I did initially forget that part in the beginning of configuring the switches. In order for VRRP to be MASTER/BACKUP, the VLANs have to be tagged across the ISC. That is what I learned since I am new to extreme. I would have thought all traffic would have been synchronized across the ISC link.
0 Kudos

Stephane_Grosj1
Extreme Employee
In response to Frank

‎01-12-2016 09:15 AM

VLAN 3 is also on the ISC, right?
0 Kudos

Justin_Metts
New Contributor
In response to Frank

‎01-12-2016 09:15 AM

The workstation was directly connected to the ACTIVE VRRP x460. ICMP would work to the firewalls and to the internet. Session traffic would not flow with the ISC in place. Once removed, session traffic would flow. Going to find time to mimic the configuration and setup a "server" on the switch and test. I might end up configuring VRRP as ACTIVE/ACTIVE.
0 Kudos

Zdeněk_Pala
Extreme Employee

‎01-11-2016 08:33 PM

Hi,

as far as I remember you must use Active-Active VRRP approach. If the LAG connected switch will send the traffic to backup VRRP router there is noone who will route it...

as far as I remember there is a section in manual regarding this.

regards

Zdenek
Regards Zdeněk Pala
0 Kudos
GTM-P2G8KFN