Contributor
Posts: 39
Registered: ‎05-04-2009

Problem with asymmetric traffic flow due to VRRP failover

Hi all,

I do have a very simple setup with an upstream VLAN and a downstream VLAN. I do have two ServerIrons and I have tried to configure what is called SSLB (symmetric SLB) in the documentation. This is working fine as long as there is not any problem in the setup like a lost link or so. The setup is looking similar to:

             UPSTREAM SUBNET
               |              |
               | A            | B
               |              |
         ServerIron 1 --- ServerIron 2
               |              |
               | C            | D
               |              |
            DOWNSTREAM SUBNET

ServerIron #1 is master by default and ServerIron #2 backup. There is a dedicated sync-link in between both SIs to synchronize the session table etc.

Problem:

Removing link C is going to result in a failover from ServerIron 1 to ServerIron 2 in the DOWNSTREAM SUBNET but not in the UPSTREAM SUBNET.

Incoming traffic is therefore still going to SI#1 but outgoing traffic (real server replies) is using SI#2 because it is VRRP master in the downstream subnet.

Super Contributor
Posts: 316
Registered: ‎05-01-2009

Re: Problem with asymmetric traffic flow due to VRRP failover

This is a pretty common problem and I guess I should write some kind of wiki related to HA problems. You need a feature called "tracking" to ensure that ALL VRRP instances do the failover at the same time. Let me assume you do have two VRRP instances only. Links A and B are port 1 of ServerIron 1 and ServerIron 2. Links C and D are port 4 of ServerIron 1 and ServerIron 2.

Your config of the master switch should look like:

vlan 1
  router-interface ve 1

vlan 4
  untagged eth 4
  router-interface ve 4

router vrrp-extended

interface ve 1
  ip address 192.168.1.2 255.255.255.0
  ip vrrp-e vrid 1
    backup priority 109 track-priority 10
    ip-address 192.168.1.1
    track-port eth 1
    track-port eth 4

interface ve 4
  ip address 192.168.4.2 255.255.255.0
  ip vrrp-e vrid 4
    backup priority 109 track-priority 10
    ip-address 192.168.4.1
    track-port eth 1
    track-port eth 4

The one of the backup switch:

vlan 1
  router-interface ve 1

vlan 4
  untagged eth 4
  router-interface ve 4

router vrrp-extended

interface ve 1
  ip address 192.168.1.3 255.255.255.0
  ip vrrp-e vrid 1
    backup priority 100 track-priority 10
    ip-address 192.168.1.1
    track-port eth 1
    track-port eth 4

interface ve 4
  ip address 192.168.4.3 255.255.255.0
  ip vrrp-e vrid 4
    backup priority 100 track-priority 10
    ip-address 192.168.4.1
    track-port eth 1
    track-port eth 4

The trick is the following: the base priority of the master is 109 and the base priority of the backup is 100. There is a tracking priority (track-priority) of 10 configured. The base priority of a VRRP instance is getting decreased by the track-priority as soon as one of the ports which are getting tracked is going down. The example above is doing tracking for the ports 1 and 4. BOTH VRRP instances are configured to track the frontend and the backend port. Any link problem is going to result in a priority decrease for both VRRP instances and therefore in a failover of both of them.

Is this what you would like to achieve?
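The election described in this thread, as an added Python model that is not part of the original posts and not vendor code. It assumes, following the reply above, that a VRID's priority drops once by track-priority when any tracked port is down, and that a ServerIron whose own port for a VRID is down cannot be master there; the names `masters`, `is_symmetric`, `LINKS` and `VRID_PORT` are hypothetical.

```python
# Added illustration: simplified VRRP-E master election for the two-ServerIron setup.
# Assumption: one priority decrement when any tracked port is down (as the reply says).

BASE = {"SI1": 109, "SI2": 100}   # base priorities from the two configs
VRID_PORT = {1: 1, 4: 4}          # VRID -> local port carrying that VLAN (eth 1 / eth 4)
# Links from the diagram, mapped to (ServerIron, port) as stated in the reply
LINKS = {"A": ("SI1", 1), "B": ("SI2", 1), "C": ("SI1", 4), "D": ("SI2", 4)}


def masters(failed_links, tracked_ports, track_priority=10):
    """Return {vrid: master} after the named links (A-D) have gone down."""
    down = {LINKS[name] for name in failed_links}
    result = {}
    for vrid, port in VRID_PORT.items():
        candidates = {}
        for si, base in BASE.items():
            if (si, port) in down:
                continue  # no link on this VLAN, so it cannot be master here
            hit = any((si, p) in down for p in tracked_ports)
            candidates[si] = base - (track_priority if hit else 0)
        result[vrid] = max(candidates, key=candidates.get) if candidates else None
    return result


def is_symmetric(failed_links, tracked_ports, track_priority=10):
    """True when the same ServerIron is master for the upstream and downstream VRID."""
    m = masters(failed_links, tracked_ports, track_priority)
    return m[1] == m[4]


if __name__ == "__main__":
    for label, tracked in (("no tracking", ()), ("track eth 1 + eth 4", (1, 4))):
        for link in ("A", "B", "C", "D"):
            m = masters([link], tracked)
            state = "symmetric" if m[1] == m[4] else "ASYMMETRIC"
            print(f"{label:20} link {link} down -> {m} {state}")
```

The model also shows why the track-priority has to be larger than the gap between the two base priorities (here 109 - 100 = 9): with a smaller value the decremented master still outranks the backup and the flow stays asymmetric.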
