In a customer enterprise using a Hub/Spoke network topology with one or more sites in a High Availability (HA) Edge topology, Spoke Edge routes may be erroneously shared with another Hub Edge, even if branch-to-branch VPN is not enabled. If this occurs, these false routes (reachability: False) on the Active HA Edge could be used for data traffic instead of the valid routes (reachability: True), adversely affecting network connectivity and customer traffic.
This is caused by software issue 124844.
The Hub Edge is expected to receive the complete set of enterprise routes in its RIB table even if branch-to-branch VPN is disabled, and it is expected to install only the routes with reachability True in its FIB table. The issue is that after an HA failover at the Hub site, the False routes from the RIB table get installed into the FIB of the new Active HA Edge. This impacts customer traffic because flows matching the False routes are blackholed.
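The invariant described above (the FIB holds only routes that the RIB marks reachability True) can be checked mechanically. This is an added example, not vendor code: the `Route` model, next-hop labels and sample tables are constructed for illustration and do not reflect the Edge's actual diagnostic output format.

```python
import ipaddress
from typing import NamedTuple

class Route(NamedTuple):
    prefix: str
    next_hop: str    # hypothetical peer label
    reachable: bool  # the "reachability: True/False" flag on the RIB entry

# Constructed sample data (not real Edge output).
RIB = [
    Route("10.20.0.0/16", "hub-gateway", True),
    Route("10.20.30.0/24", "spoke-edge-7", False),
    Route("10.40.0.0/16", "spoke-edge-9", False),
    Route("192.168.50.0/24", "hub-lan", True),
]
# FIB of the new Active HA Edge after failover, as (prefix, next_hop) pairs.
FIB_AFTER_FAILOVER = [
    ("10.20.0.0/16", "hub-gateway"),
    ("10.20.30.0/24", "spoke-edge-7"),  # False route that leaked into the FIB
    ("192.168.50.0/24", "hub-lan"),
]

def _key(prefix, next_hop):
    return (ipaddress.ip_network(prefix), next_hop)

def false_routes_in_fib(rib, fib):
    """Return FIB entries whose matching RIB route has reachability False."""
    unreachable = {_key(r.prefix, r.next_hop) for r in rib if not r.reachable}
    return [entry for entry in fib if _key(*entry) in unreachable]

def lookup(fib, dst):
    """Longest-prefix match of dst against the FIB; None if nothing covers it."""
    addr = ipaddress.ip_address(dst)
    covering = [e for e in fib if addr in ipaddress.ip_network(e[0])]
    return max(covering, key=lambda e: ipaddress.ip_network(e[0]).prefixlen, default=None)

def hits_false_route(rib, fib, dst):
    """True if traffic to dst would be forwarded on a False route (blackholed)."""
    best = lookup(fib, dst)
    return best is not None and best in false_routes_in_fib(rib, fib)
```

In the sample, the leaked /24 is more specific than the valid /16, so it wins the lookup for destinations it covers even though a reachable route exists.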
To resolve this issue, upgrade the HA Edges to the fix version R452-20241025-GA or above.
Workaround:
Release note: False route not removed after HA failover
Reference link: Route Backtracking Configuration and Route Backtracking KB