Use of backup-stay-up parameter in VRRP configuration

Article ID: 167862

Products

XOS

Issue/Introduction

Use backup-stay-up only when there are no IP addresses defined at circuit level.
  • Various network connectivity issues, increased packet loss or performance degradation
  • Neighbor devices receive ARP responses for the VRRP address from the backup chassis
  • VRRP configuration includes the option backup-stay-up
  • IP addresses are configured both at circuit and VRRP level

Cause

With backup-stay-up, the VRRP addresses are active on both the master and the backup chassis. This option is typically used with the Check Point VSX application. Its purpose is to keep the entries related to the associated circuit in the routing table regardless of VRRP status, which allows a fast re-convergence time upon VRRP failover.

This option is supposed to be used only when all IP addresses for the associated circuit are defined at VRRP level. The VND driver then blocks all outgoing communication on the circuit in backup mode (with the exception of LACP frames if the circuit is part of a group-interface).

If the circuit is configured with an IP address at circuit level, the VND driver cannot block the traffic, and such a configuration leads to undesirable behavior:

circuit inside
  device-name inside
  vap-group fw
    ip 192.168.10.2/24 192.168.10.255


vrrp failover-group fw failover-group-id 1

  virtual-router vrrp-id 20 circuit inside
    priority-delta 2
    mac-usage vrrp-mac
    backup-stay-up
    vap-group fw
      virtual-ip 192.168.10.1/24 192.168.10.255


In this invalid configuration, an IP address is defined at circuit level together with a virtual-ip at VRRP level. Since backup-stay-up is configured as well, the virtual-ip address will always be UP on the backup chassis, which will actively respond to ARP requests for it, causing an unexpected Active-Active scenario.

Resolution

The backup-stay-up command should only be used in conjunction with VRRP addresses, i.e. when all IP addresses of the circuit are defined at VRRP level. This type of configuration is typical for Check Point VSX deployments.

circuit inside
  device-name inside
  vap-group vsx

virtual-router vrrp-id 20 circuit inside
  priority-delta 2
  mac-usage vrrp-mac
  backup-stay-up
  vap-group vsx
    ip 192.168.10.1/24 192.168.10.255



When IP addresses are configured at both circuit and VRRP level, backup-stay-up has to be removed:

circuit inside
  device-name inside
  vap-group fw
    ip 192.168.10.2/24 192.168.10.255


vrrp failover-group fw failover-group-id 1

  virtual-router vrrp-id 20 circuit inside
    priority-delta 2
    mac-usage vrrp-mac
    vap-group fw
      virtual-ip 192.168.10.1/24 192.168.10.255
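
The configuration check implied by the Cause and Resolution sections, as an added example that is not part of this article or of XOS itself: a small Python audit that parses XOS-style circuit and virtual-router blocks and flags any virtual-router that combines backup-stay-up with a circuit-level ip on the same circuit. The parser, the INVALID_CONFIG sample and the wording of the finding are assumptions of this example.

```python
import re

# Constructed sample: the invalid configuration described in the article, a
# circuit-level ip combined with backup-stay-up and a virtual-ip on one circuit.
INVALID_CONFIG = """\
circuit inside
  vap-group fw
    ip 192.168.10.2/24 192.168.10.255
vrrp failover-group fw failover-group-id 1
  virtual-router vrrp-id 20 circuit inside
    backup-stay-up
    vap-group fw
      virtual-ip 192.168.10.1/24 192.168.10.255
"""

def parse(config):
    """Return (circuit name -> circuit-level IPs, list of virtual-router dicts)."""
    circuit_ips, routers, current = {}, [], None
    for raw in filter(str.strip, config.splitlines()):
        line = raw.strip()
        if line.startswith("circuit "):                 # circuit block starts
            current = ("circuit", line.split()[1])
            circuit_ips.setdefault(current[1], [])
        elif line.startswith("virtual-router "):        # VRRP block starts
            m = re.search(r"vrrp-id (\S+) circuit (\S+)", line)
            vr = {"id": m.group(1), "circuit": m.group(2), "bsu": False, "ips": []}
            routers.append(vr)
            current = ("vr", vr)
        elif not raw[0].isspace():                      # other top-level statement
            current = None
        elif current and current[0] == "circuit" and line.startswith("ip "):
            circuit_ips[current[1]].append(line.split()[1])   # circuit-level address
        elif current and current[0] == "vr":
            if line == "backup-stay-up":
                current[1]["bsu"] = True
            elif line.startswith(("virtual-ip ", "ip ")):    # VRRP-level address
                current[1]["ips"].append(line.split()[1])
    return circuit_ips, routers

def audit(config):
    """List each virtual-router mixing backup-stay-up with a circuit-level IP."""
    circuit_ips, routers = parse(config)
    return [
        f"vrrp-id {vr['id']} circuit {vr['circuit']}: backup-stay-up with circuit ip "
        f"{', '.join(circuit_ips[vr['circuit']])}; backup stays active for "
        f"{', '.join(vr['ips'])} (active-active). Remove backup-stay-up or the circuit ip."
        for vr in routers if vr["bsu"] and circuit_ips.get(vr["circuit"])
    ]
```

Running `audit` over a configuration with backup-stay-up removed, or over the VSX-style configuration above where the circuit has no ip of its own, returns an empty list.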



Workaround

N/A