How to configure VRRP for Virtual Systems without a regular interface

Article ID: 168052

Products

XOS

Issue/Introduction

This article provides a method to instruct XOS to create a VRRP context for Warp links even if the Virtual System doesn't connect directly to the external network via a regular interface. For some Virtual Systems, IP addresses on Warp links are created in the circuit context instead of the VRRP context. These Virtual Systems have no regular interface in a Check Point Topology; they have only Warp links to other Virtual Devices.

Cause

In a VSX DBHA environment, when configuring a Virtual System connected only to other Virtual Devices, XOS doesn't configure VRRP for the Warp links. The attached network diagram shows an example topology. 
 
The Virtual System VS2 in the example has interfaces leading only to Virtual Switches (Warp links). There are no regular interfaces configured in the Topology tab of this Virtual System. 
 
When you push the configuration of such a Virtual System to the gateways, XOS doesn't find any existing (regular) circuits with VRRP attached to this Virtual System. Therefore, it puts the IP addresses of the Warp links under the circuit context. This is an undesired result for a VRRP/DBHA setup.
 

Resolution

In order to create VRRP for the Warp links, a regular interface must exist. To maintain the topology, you can create a "dummy" circuit that will act as a regular interface: 
  1. Define an internal "loopback" circuit together with a VRRP virtual router at the XOS level. 
  2. Add this circuit as a regular interface in the Virtual System topology (with a unique IP address/netmask). 
Here is an example XOS 8.x configuration of a loopback circuit with a VRRP template:
 
#
circuit Loc1
  internal
  device-name Loc1
  vap-group vsx
#
vrrp failover-group vsx_fg failover-group-id 1 
...
virtual-router vrrp-id 11 circuit Loc1
  priority-delta 10
  mac-usage vrrp-mac
  vap-group vsx
#
 
At this point, when XOS configures circuits for the Warp links and checks whether VRRP is configured on any circuit attached to this Virtual System, it finds the loopback circuit and configures VRRP for the Warp circuits too.

Since XOS 9.5, the link-state-resistant command replaces the internal command to keep a circuit in an Up state regardless of the state of the physical interface to which it is assigned.

Workaround

N/A
