Hello,
on our firewall, the LACP MAC of the VRRP standby occasionally shows up in the ARP cache instead of the VRRP MAC (it feels like this happens after config changes or a reboot of the VRRP master). Unfortunately, this kills the Internet connection completely.
With VLAN100 this works correctly, with VLAN203 it does not.
May I ask:
1.) Could there be time windows in which the VRRP setting is not yet fully initialized, so that ARPs are answered with the LACP MAC?
2.) Does LCOS send GARPs (which should not actually be necessary, but would fix the problem)?
Thanks
Henri
10.0.203.2 - VRRP master ISG-5000 for VLAN203
10.0.203.5 - VRRP standby ISG-4000 for VLAN203
10.0.203.1 - VRRP address for VLAN203
10.0.100.2 - VRRP master ISG-5000 for VLAN100
10.0.100.5 - VRRP standby ISG-4000 for VLAN100
10.0.100.1 - VRRP address for VLAN100
XGS116_XN01_SFOS 21.5.0 GA-Build171 HA-Primary# arp -an
? (10.0.203.2) at 00:a0:57:72:bc:51 [ether] on Port6.203
? (10.0.100.2) at 00:a0:57:72:bc:51 [ether] on LAG100
? (10.0.203.5) at 40:a0:57:2e:84:e8 [ether] on Port6.203
? (10.0.203.1) at 40:a0:57:2e:84:e8 [ether] on Port6.203
? (10.0.100.1) at 00:00:5e:00:01:64 [ether] on LAG100
? (169.254.192.1) at 7c:5a:1c:97:ad:c8 [ether] on Port3
? (10.0.100.5) at 40:a0:57:2e:84:e8 [ether] on LAG100
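
A check for the symptom shown in this ARP table, as an added example that is not part of the original thread: it parses `arp -an` output and flags any VRRP virtual IP whose cache entry is not the IPv4 VRRP virtual MAC `00:00:5e:00:01:<VRID>`. The VRID-per-address mapping is an assumption inferred from the MACs quoted in the thread; the function names are illustrative.

```python
import re

# Constructed sample: the `arp -an` lines quoted in the post above.
ARP_OUTPUT = """\
? (10.0.203.2) at 00:a0:57:72:bc:51 [ether] on Port6.203
? (10.0.100.2) at 00:a0:57:72:bc:51 [ether] on LAG100
? (10.0.203.5) at 40:a0:57:2e:84:e8 [ether] on Port6.203
? (10.0.203.1) at 40:a0:57:2e:84:e8 [ether] on Port6.203
? (10.0.100.1) at 00:00:5e:00:01:64 [ether] on LAG100
? (10.0.100.5) at 40:a0:57:2e:84:e8 [ether] on LAG100
"""

# Assumption: VRID per virtual IP, inferred from the MACs in the thread
# (0x64 = 100 for VLAN100, 0xcb = 203 for VLAN203).
VIRTUAL_ROUTERS = {"10.0.100.1": 100, "10.0.203.1": 203}

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9A-Fa-f:]{17}) ")


def vrrp_mac(vrid):
    """IPv4 VRRP virtual MAC: 00:00:5e:00:01:<VRID>."""
    if not 1 <= vrid <= 255:
        raise ValueError(f"VRID out of range: {vrid}")
    return f"00:00:5e:00:01:{vrid:02x}"


def parse_arp(text):
    """Map IP -> MAC for resolved entries; incomplete entries are skipped."""
    return {m["ip"]: m["mac"].lower() for m in ARP_LINE.finditer(text)}


def check_vips(text, routers):
    """Return (vip, expected, seen, other IPs sharing the seen MAC) per mismatch."""
    cache = parse_arp(text)
    findings = []
    for vip, vrid in sorted(routers.items()):
        expected, seen = vrrp_mac(vrid), cache.get(vip)
        if seen == expected:
            continue
        # IPs that resolve to the same MAC identify which physical box answered.
        owners = sorted(ip for ip, mac in cache.items() if seen and mac == seen and ip != vip)
        findings.append((vip, expected, seen, owners))
    return findings


if __name__ == "__main__":
    for vip, expected, seen, owners in check_vips(ARP_OUTPUT, VIRTUAL_ROUTERS):
        print(f"{vip}: expected {expected}, cache has {seen} (same MAC as {owners})")
```

Run against the table above, only 10.0.203.1 is flagged, and the MAC it carries is the one that also answers for the standby addresses 10.0.203.5 and 10.0.100.5.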
ISG-5000/4000 VRRP and ARP - 10.92RU1
Re: ISG-5000/4000 VRRP and ARP - 10.92RU1
Henri wrote: 04 Sep 2025, 10:25
1.) Could there be time windows in which the VRRP setting is not yet fully initialized, so that ARPs are answered with the LACP MAC?

I once had a case where the primary Lancom router announced itself as master when it was restarted. At that point the configured remote site was not yet established. The master state lasted roughly 1-2 seconds. Naturally, everything gets kicked out as a result. According to Lancom support at the time: works as designed.
To me this sounds like a similar case, where after a re-initialization caused by a config change the VRRP process briefly "restarts".
Re: ISG-5000/4000 VRRP and ARP - 10.92RU1
Hello Dr. Einstein,
thanks, I should add that I have only noticed this since 10.90. I believe that is when VRRP V3 came in.
Best regards
Henri
Re: ISG-5000/4000 VRRP and ARP - 10.92RU1
This happens when the VRRP master is rebooted, and it then also ends up in the ARP cache. The packet comes from the VRRP standby while the VRRP master is booting.
Frame 5097: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: GW2 (40:a0:57:2e:84:e8), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 203
Address Resolution Protocol (ARP Announcement)
Hardware type: Ethernet (1)
Protocol type: IPv4 (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (1)
[Is gratuitous: True]
[Is announcement: True]
Sender MAC address: GW2 (40:a0:57:2e:84:e8)
Sender IP address: GW2 (10.0.203.1)
Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
Target IP address: GW2 (10.0.203.1)
[Duplicate IP address detected for 10.0.203.1 (40:a0:57:2e:84:e8) - also in use by 00:00:5e:00:01:cb (frame 4965)]
[Frame showing earlier use of IP address: 4965]
[Expert Info (Warning/Sequence): Duplicate IP address configured (10.0.203.1)]
[Duplicate IP address configured (10.0.203.1)]
[Severity level: Warning]
[Group: Sequence]
[Seconds since earlier frame seen: 8]
XGS116_XN01_SFOS 21.5.0 GA-Build171 HA-Primary# arp -an
? (10.0.203.2) at 00:a0:57:72:bc:51 [ether] on Port6.203
? (10.0.203.5) at 40:a0:57:2e:84:e8 [ether] on Port6.203
? (10.0.203.1) at 40:a0:57:2e:84:e8 [ether] on Port6.203
Re: ISG-5000/4000 VRRP and ARP - 10.92RU1
[VRRP-Packet] 2025/09/07 11:37:58,553 Devicetime: 2025/09/07 11:37:58,966 VR [IPv4,VLAN203_FWEXT,203]: Processing VRRPv2-advertisement from 10.0.203.2 (master), prio=200, interval=1000ms.
[ARP] 2025/09/07 11:38:02,241 Devicetime: 2025/09/07 11:38:02,640
Send ARP broadcast request via interface VLAN203_FWEXT
Address Resolution Protocol request (1)
Hardware type: 1, Protocol type: 800
Hardware size: 6, Protocol size: 4
Sender hardware address: USC_00:01:cb (00:00:5e:00:01:cb)
Sender IP address: 10.0.203.1
Target hardware address: 00:00:00_00:00:00 (00:00:00:00:00:00)
Target IP address: 10.0.203.1
[ARP] 2025/09/07 11:38:02,241 Devicetime: 2025/09/07 11:38:02,640
Send ARP broadcast request via interface VLAN203_FWEXT
Address Resolution Protocol request (1)
Hardware type: 1, Protocol type: 800
Hardware size: 6, Protocol size: 4
Sender hardware address: USC_00:01:cb (00:00:5e:00:01:cb)
Sender IP address: 10.0.203.1
Target hardware address: 00:00:00_00:00:00 (00:00:00:00:00:00)
Target IP address: 10.0.203.1
[ARP] 2025/09/07 11:38:06,288 Devicetime: 2025/09/07 11:38:06,647
ARP : LAN-TX (BRG-1, VLAN203_FWEXT): ARP REQ for 10.0.203.8
[ARP] 2025/09/07 11:38:06,288 Devicetime: 2025/09/07 11:38:06,650
ARP RX (BUNDLE-1, VLAN203_FWEXT): ARP-RESP
SrcIp=10.0.203.8 @ c8:4f:86:fc:00:06 (c8:4f:86:fc:00:06)
DstIp=10.0.203.5 @ 40:a0:57:2e:84:e8 (40:a0:57:2e:84:e8)
[ARP] 2025/09/07 11:38:06,288 Devicetime: 2025/09/07 11:38:06,650
ARP RX (BUNDLE-1, VLAN203_FWEXT): ARP-RESP
SrcIp=10.0.203.8 @ c8:4f:86:fc:00:06 (c8:4f:86:fc:00:06)
DstIp=10.0.203.5 @ 40:a0:57:2e:84:e8 (40:a0:57:2e:84:e8)