Use of backup-stay-up parameter in VRRP configuration
Article ID: 167862
Updated On:
Products
XOS
Issue/Introduction
Use backup-stay-up only when there are no IP addresses defined at circuit level.
- Various network connectivity issues, increased packet loss or performance degradation
- Neighbor devices receive ARP responses for VRRP address from backup chassis
- VRRP configuration includes the option backup-stay-up
- IP addresses are configured both at circuit and VRRP level
Cause
With backup-stay-up, the VRRP addresses are active on both master and backup chassis. This option is typically used with Check Point VSX application. The purpose of this option is to keep entries related to the associated circuit in the routing table regardless of VRRP status. This allows for a fast re-convergence time upon VRRP failover.
This option is supposed to be used only when all IP addresses for the associated circuit are defined at VRRP level. Then VND driver blocks all outgoing communication on the circuit in backup mode (with the exception of LACP frames if the circuit is part of a group-interface).
If the circuit is configured with an IP address at circuit level, the VND driver cannot block the traffic and such configuration leads to undesirable behavior:
circuit inside
device-name inside
vap-group fw
ip 192.168.10.2/24 192.168.10.255
backup-stay-up
vap-group fw
virtual-ip 192.168.10.1/24 192.168.10.255
In this invalid configuration, there is an IP address defined at circuit level together with a virtual-ip at VRRP level. Since backup-stay-up is configured too, the virtual-ip address will be always UP and the chassis will be actively responding to ARP requests, causing an unexpected Active-Active scenario.
device-name inside
vap-group fw
ip 192.168.10.2/24 192.168.10.255
vrrp failover-group fw failover-group-id 1
virtual-router vrrp-id 20 circuit inside
priority-delta 2
mac-usage vrrp-mac backup-stay-up
vap-group fw
virtual-ip 192.168.10.1/24 192.168.10.255
In this invalid configuration, there is an IP address defined at circuit level together with a virtual-ip at VRRP level. Since backup-stay-up is configured too, the virtual-ip address will be always UP and the chassis will be actively responding to ARP requests, causing an unexpected Active-Active scenario.
Resolution
The backup-stay-up command should only be used in conjunction with VRRP addresses. This type of configuration is typical for Check Point VSX deployments.
circuit inside
device-name inside
vap-group vsx
virtual-router vrrp-id 20 circuit inside
priority-delta 2
mac-usage vrrp-mac
backup-stay-up
vap-group vsx
ip 192.168.10.1/24 192.168.10.255
When using IP addresses configured at both circuit and VRRP level, the backup-stay-up has to be removed:
circuit inside
device-name inside
vap-group fw
ip 192.168.10.2/24 192.168.10.255
vap-group fw
virtual-ip 192.168.10.1/24 192.168.10.255
circuit inside
device-name inside
vap-group vsx
virtual-router vrrp-id 20 circuit inside
priority-delta 2
mac-usage vrrp-mac
backup-stay-up
vap-group vsx
ip 192.168.10.1/24 192.168.10.255
When using IP addresses configured at both circuit and VRRP level, the backup-stay-up has to be removed:
circuit inside
device-name inside
vap-group fw
ip 192.168.10.2/24 192.168.10.255
vrrp failover-group fw failover-group-id 1
virtual-router vrrp-id 20 circuit inside
priority-delta 2
mac-usage vrrp-mac vap-group fw
virtual-ip 192.168.10.1/24 192.168.10.255
Workaround
N/AFeedback
Yes
No
Powered by
