Firewall Policies; Access Control Lists - Nokia IPSO 4.0 Reference Manual

Nokia network voyager reference guide
If you are testing monitored-circuit VRRP by pulling an interface, and the other interfaces do not release their IP addresses, check that the priority delta is large enough that the effective priority is lower than that of the master router.

If you use different encryption accelerator cards in two appliances that are part of a VRRP group or an IP cluster, such as the Nokia Encrypt Card in one appliance and the older Nokia Encryption Accelerator Card in another appliance, you must select encryption algorithms that are supported on both cards. If you select different encryption algorithms on the backup appliance than on the master, failover might not occur correctly.

VRIDs must be the same on all routers in a VRRP group. If you are using monitored-circuit VRRP, verify that all platforms in the group that back up a single virtual IP address use the same VRID. If you are using VRRP v2, verify that each backup router uses the same VRID and IP address as the primary router.

If the VRRP monitor in Network Voyager shows one of the interfaces in initialize state, it might indicate that the IP address used as the backup address on that interface is invalid or reserved.

SNMP Get on Interfaces might list the wrong IP addresses, resulting in an incorrect policy. An SNMP Get (for the Firewall object Interfaces in the GUI Security Policy editor) fetches the lowest IP address for each interface. If the interfaces are created when the node is the VRRP master, the wrong IP address might be included in the object. To solve this problem, edit the interfaces by hand if necessary.

Firewall Policies

If your platforms are running firewall software, you must enable the firewall policies to accept VRRP packets. The multicast destination assigned by the IANA for VRRP is 224.0.0.18. If the firewall policy does not explicitly accept packets to 224.0.0.18, each firewall platform in the VRRP group assumes the VRRP master state.

Access Control Lists

If your platforms use access control lists, you must, at minimum, include the following in the access list criteria:

The source IP addresses of all participants in the VRRP group.
The VRRP multicast destination IP address, which is 224.0.0.18.
The VRRP IP protocol value, which is 112.

If these most restrictive conditions are in place, then each VRRP participant on each access control interface must have a separate rule. Alternatively, you can define a more open rule. For example, a single rule allowing all packets with DST IP 224.0.0.18 and IP protocol value 112 would work for all interfaces controlled by an access control list.
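To show how the two rule styles above behave, here is an added example (not from the Nokia guide or IPSO itself) that models a first-match access list in Python and reports which VRRP participants' advertisements it would pass. The router addresses, the stale-ACL scenario and the implicit-deny semantics are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Values stated in the guide: the IANA VRRP multicast group and the VRRP IP protocol number.
VRRP_MCAST = ipaddress.ip_address("224.0.0.18")
VRRP_PROTO = 112


@dataclass(frozen=True)
class Rule:
    """One access-list entry: source network, destination address, IP protocol and action."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Address
    proto: int
    action: str  # "permit" or "deny"

    def matches(self, src, dst, proto):
        return src in self.src and dst == self.dst and proto == self.proto


def evaluate(acl, src, dst, proto):
    """First-match lookup with an implicit final deny (assumed access-list semantics)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if rule.matches(src_ip, dst_ip, proto):
            return rule.action
    return "deny"


def strict_acl(participants):
    """Most restrictive form from the text: one permit per VRRP participant source address."""
    return [Rule(ipaddress.ip_network(p + "/32"), VRRP_MCAST, VRRP_PROTO, "permit")
            for p in participants]


def open_acl():
    """The more open alternative: one rule for any source to 224.0.0.18 with protocol 112."""
    return [Rule(ipaddress.ip_network("0.0.0.0/0"), VRRP_MCAST, VRRP_PROTO, "permit")]


def blocked_participants(acl, participants):
    """Participants whose advertisements the ACL drops; any entry here can produce a second master."""
    return [p for p in participants
            if evaluate(acl, p, str(VRRP_MCAST), VRRP_PROTO) != "permit"]


if __name__ == "__main__":
    # Constructed sample group: the strict ACL was written before the third router was added.
    group = ["10.1.1.1", "10.1.1.2", "10.1.1.3"]
    stale = strict_acl(group[:2])
    print("blocked by stale strict ACL:", blocked_participants(stale, group))  # ['10.1.1.3']
    print("blocked by open ACL:", blocked_participants(open_acl(), group))     # []
    # Cost of the open rule: advertisements from any source address are admitted.
    print("non-member via open ACL:", evaluate(open_acl(), "192.0.2.99", "224.0.0.18", 112))
```

Running it shows the trade-off the text describes: the per-participant form silently drops a router that was never added to the list, while the single open rule passes every participant but also any other source sending protocol 112 to 224.0.0.18.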
