This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Technical Discussions
- Network Architecture & Design
- MLAG ISC VRRP asymmetric routing possible
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
MLAG ISC VRRP asymmetric routing possible
MLAG ISC VRRP asymmetric routing possible
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-11-2016 06:31 PM
We are having a problem with the ISC between two x460s. VRRP is configured as ACTIVE/STANDBY. Everything looked fine initially during our tests as we only used ICMP. I configured separate "external" switches with IPs I could ping to test MLAG fail over on access switches connected to the two x460 core switches. The test dropped pings as expected and VRRP transitioned properly on failover. MLAG worked as well going to the access switches. Now the problem. TCP and UDP traffic does not establish any kind of connection. We connected the 460s to the internet and were able to ping 8.8.8.8, but cannot telnet to 53 nor http ports. Needless to say, no internet. When I disconnect the ISC between the two 460's, internet works flawlessly. I have no idea why this is and have not opened a ticket yet. I was plugged into the active VRRP switch when I tested, so the traffic shouldn't have been affected by the ISC in the first place. VRRP is balanced on the switches, half ACTIVE and half STANDBY. I figure if I change the configuration to ACTIVE/ACTIVE, then the traffic would flow correctly. I have followed the Extreme guides to configure the ISC and MLAG as well. That is how the switches are configured. Link that is similar to ours. Instead of the server, we have access switches. https://d2r1vs3d9006ap.cloudfront.net/s3_images/1108985/RackMultipart20141015-13973-hmz4ni-L3MLAG.png?1413378047 This image showed the traffic flowing over the ISC and I would not think this would be an issue.
20 REPLIES 20
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-11-2016 08:33 PM
I have seen the manuals on how to configure ACTIVE/ACTIVE, but have not seen anything mandating the configuration. I was directly connected to the primary x460 with the workstation. Nothing to send traffic to the backup.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-11-2016 07:22 PM
Hi,
Assuming your config is correct, do you have a FW somewhere that could block the traffic, when it has to switch because of VRRP?
Assuming your config is correct, do you have a FW somewhere that could block the traffic, when it has to switch because of VRRP?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-11-2016 07:22 PM
Yes, DNS is affected. nslookup 8.8.8.8 server timed out on queries. Telnet is TCP, I just don't think about it sometimes.
We did not failover the firewalls. The same firewall was active the whole time. We did not have access to look at the logs. The ingress ports should have remained the same from the primary x460, since we didn't fail over. I even disconnected the second link of the backup 460 to the internet. and still had the problem.
I am going to setup a test tomorrow and get close to the production environment. I will also grab the configs. VLAN20 is tagged, forgot to mention.
We did not failover the firewalls. The same firewall was active the whole time. We did not have access to look at the logs. The ingress ports should have remained the same from the primary x460, since we didn't fail over. I even disconnected the second link of the backup 460 to the internet. and still had the problem.
I am going to setup a test tomorrow and get close to the production environment. I will also grab the configs. VLAN20 is tagged, forgot to mention.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-11-2016 07:22 PM
To be sure: The ISC link also transport the access VLANs (20)? And UDP is really also affected? Because "Telnet to 53" command would also be TCP even when you use an well known DNS Port.. The Firewalls also failover, correct? Are they using MAC masquerading (Virtual MAC) or does they send an GARP (Gratuitous ARP) via Broadcast? And, did you check the Firewall log for maybe state related drops (Due to changing ingress Interfaces after fw-failover? I had a similar sitation a few years ago in another context with Cisco ASA Firewalls. ICMP worked well because it is stateless, but TCP was tracked in the connection table and the connection was mapped to the initial ingress Interface. Cheers, Jan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-11-2016 07:22 PM
Hi Justin,
Is the default gateway (DG) of the Workstation the VIP of the X460s? If so, get the IP of the DG of the X460's and check which port the ARP entries are being programmed on. Use command: "show iproute" to find the DG of the switch and "show iparp " to determine the port where the switch is learning the DG.
Is the default gateway (DG) of the Workstation the VIP of the X460s? If so, get the IP of the DG of the X460's and check which port the ARP entries are being programmed on. Use command: "show iproute" to find the DG of the switch and "show iparp " to determine the port where the switch is learning the DG.
