ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
How to configure VRRP for Virtual Systems without a regular interface
Article ID: 168052
Updated On:
Products
XOS
Issue/Introduction
This article provides a method to instruct XOS to create VRRP context for Warp links even if the Virtual System doesn't connect directly to the external network via a regular interface.For some Virtual Systems, IP addresses on Warp links are created in the circuit context instead of VRRP context. These Virtual Systems have no regular interface in a Check Point Topology; only Warp links to other Virtual Devices.
Cause
In a VSX DBHA environment, when configuring a Virtual System connected only to other Virtual Devices, XOS doesn't configure VRRP for the Warp links. The attached network diagram shows an example topology.
The Virtual System VS2 in the example has interfaces leading only to Virtual Switches (Warp links). There are no regular interfaces configured in the Topology tab of this Virtual System.
When you push configuration of such a Virtual System to the gateways, XOS doesn't find any existing (regular) circuits with VRRP attached to this Virtual System. Therefore, it puts IP addresses of the Warp links under the circuit context. This is an undesired result for a VRRP/DBHA setup.
Resolution
In order to create VRRP for the Warp links, a regular interface must exist. To maintain the topology, you can create a "dummy" circuit that will act as a regular interface:
- Define an internal "loopback" circuit together with a VRRP virtual router at the XOS level.
- Add this circuit as a regular interface in the Virtual System topology (with a unique IP address/netmask).
Here is an example XOS 8.x configuration of a loopback circuit with a VRRP template:
#
circuit Loc1
internal
device-name Loc1
vap-group vsx
#
vrrp failover-group vsx_fg failover-group-id 1
...
virtual-router vrrp-id 11 circuit Loc1
priority-delta 10
mac-usage vrrp-mac
vap-group vsx
#
At this point, when XOS configures circuits for the Warp links and checks whether VRRP is configured on any circuit attached to this Virtual System, it finds the loopback circuit and configures VRRP for the Warp circuits too.
Since XOS 9.5, the link-state-resistant command replaces the internal command to
keep a circuit in an Up state regardless of the state of the physical interface to which it is assigned.
Workaround
N/AAttachments
Feedback
Yes
No
Powered by
