Application Delivery (ADX)

Contributor
Posts: 39
Registered: ‎05-04-2009

Problem with asymmetric traffic flow due to VRRP failover

Hi all,

I do have a very simple setup with an upstream VLAN and a downstream VLAN. I do have two ServerIrons and I have tried to configure what is called SSLB (symmetric SLB) in the documentation. This is working fine as long as there is not any problem in the setup like a lost link or so. The setup is looking similar to:

            UPSTREAM SUBNET
              |           |
              | A         | B
              |           |
       ServerIron 1 --- ServerIron 2
              |           |
              | C         | D
              |           |
           DOWNSTREAM SUBNET

ServerIron #1 is master by default and ServerIron #2 backup. There is a dedicated sync-link in between both SIs to synchronize the session table etc.

Problem:

Removing link C is going to result in a failover from ServerIron 1 to ServerIron 2 in the DOWNSTREAM SUBNET but not in the UPSTREAM SUBNET.

Incoming traffic is therefore still going to SI#1 but outgoing traffic (real server replies) is using SI#2 because it is VRRP master in the downstream subnet.

Super Contributor
Posts: 316
Registered: ‎05-01-2009

Re: Problem with asymmetric traffic flow due to VRRP failover

This is a pretty common problem and I guess I should write some kind of wiki related to HA problems. You need a feature called "tracking" to ensure that ALL VRRP instances do the failover at the same time. Let me assume you do have two VRRP instances only. Links A and B are port 1 of ServerIron 1 and ServerIron 2. Links C and D are port 4 of ServerIron 1 and ServerIron 2.

Your config of the master switch should look like:

vlan 1
  router-interface ve 1
vlan 4
  untagged eth 4
  router-interface ve 4
router vrrp-extended
interface ve 1
  ip address 192.168.1.2 255.255.255.0
  ip vrrp-e vrid 1
    backup priority 109 track-priority 10
    ip-address 192.168.1.1
    track-port eth 1
    track-port eth 4
interface ve 4
  ip address 192.168.4.2 255.255.255.0
  ip vrrp-e vrid 4
    backup priority 109 track-priority 10
    ip-address 192.168.4.1
    track-port eth 1
    track-port eth 4

The one of the backup switch:

vlan 1
  router-interface ve 1
vlan 4
  untagged eth 4
  router-interface ve 4
router vrrp-extended
interface ve 1
  ip address 192.168.1.3 255.255.255.0
  ip vrrp-e vrid 1
    backup priority 100 track-priority 10
    ip-address 192.168.1.1
    track-port eth 1
    track-port eth 4
interface ve 4
  ip address 192.168.4.3 255.255.255.0
  ip vrrp-e vrid 4
    backup priority 100 track-priority 10
    ip-address 192.168.4.1
    track-port eth 1
    track-port eth 4

The trick is the following: the base priority of the master is 109 and the base priority of the backup is 100. There is a tracking priority (track-priority) of 10 configured. The base priority of a VRRP instance is decreased by the track-priority as soon as one of the tracked ports goes down. The example above is doing tracking for ports 1 and 4. BOTH VRRP instances are configured to track the frontend and the backend port. Any link problem is going to result in a priority decrease for both VRRP instances and therefore in a failover of both of them.

Is this what you would like to achieve?
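
The priority arithmetic described in the reply above, as an added example that is not part of the original thread: a small Python model that elects a master per VRID with and without the posted `track-port` lines. The priorities 109/100 and track-priority 10 come from the posted config; the function names and the rule that a device with its own VLAN link down cannot be master there (one port per VLAN) are assumptions of this model.

```python
# Added illustration (not from the thread): VRRP-E track-port arithmetic.
# Priorities 109/100 and track-priority 10 come from the posted config;
# the one-port-per-VLAN eligibility rule is an assumption of this model.
TRACK_PRIORITY = 10
BASE = {"SI1": 109, "SI2": 100}
OWN_PORT = {1: "eth 1", 4: "eth 4"}  # vrid -> port carrying that VLAN

NO_TRACKING = {1: [], 4: []}
TRACK_BOTH = {1: ["eth 1", "eth 4"], 4: ["eth 1", "eth 4"]}  # as posted


def effective_priority(device, tracked, down):
    """Base priority minus track-priority per tracked port that is down."""
    failed = sum(1 for port in tracked if (device, port) in down)
    return BASE[device] - TRACK_PRIORITY * failed


def elect(tracking, down):
    """Return {vrid: master or None} for a set of (device, port) failures."""
    masters = {}
    for vrid, own in OWN_PORT.items():
        # A device whose own link into the VLAN is down cannot be master there.
        prios = {d: effective_priority(d, tracking[vrid], down)
                 for d in BASE if (d, own) not in down}
        masters[vrid] = max(prios, key=prios.get) if prios else None
    return masters


def is_symmetric(masters):
    """True when one device is master for every VRID."""
    return len(set(masters.values())) == 1


if __name__ == "__main__":
    link_c_down = {("SI1", "eth 4")}  # constructed failure: link C in the diagram
    for name, tracking in (("no tracking", NO_TRACKING), ("track both", TRACK_BOTH)):
        result = elect(tracking, link_c_down)
        print(name, result, "symmetric" if is_symmetric(result) else "ASYMMETRIC")
```

In this model a simultaneous failure of link C on ServerIron 1 and link B on ServerIron 2 still splits mastership, because each device is then unreachable in one of the two VLANs regardless of priority.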
