aadenola, Staff
Description

This article describes how to use the link monitor's 'update-cascade-interface' option to trigger VRRP failover.

VRRP using VRDST (the VRRP destination) together with 'update-static-route' does not fail over when the route to the destination is learnt dynamically. This is expected: 'update-static-route' only acts on static routes.

When the link monitor fails, it removes the matching static route from the routing table, which in turn removes the corresponding entry from the kernel table.

When the route is learnt through BGP, a link monitor with 'update-static-route' enabled cannot remove that route from the routing table when the monitor fails, so VRRP does not fail over based on VRDST with 'update-static-route'.

Scope

FortiGate, VRRP (Virtual Router Redundancy Protocol)

Solution

Use 'update-cascade-interface' on the link monitor instead of 'update-static-route'.

With this option, the link monitor still probes the server, but instead of removing a route it brings down the interface on which VRRP is configured when the link monitor state goes from alive to die.

Bringing down the interface on which VRRP is configured forces a re-election of the VRRP Master.

 

Configuration:

VRRP # show system  link-monitor

# config system link-monitor
    edit "1"
        set srcintf "port4"
        set server "8.8.8.8"
        set gateway-ip 192.168.44.1
        set update-static-route disable
        set update-cascade-interface enable
    next
  end

# config system interface
    edit "port4"
        set vdom "root"
        set ip 192.168.44.111 255.255.255.0
        set fail-detect enable
        set fail-detect-option detectserver
        set fail-alert-method link-down
        set fail-alert-interfaces "port3"
        set type physical
        set snmp-index 4
    next
  end

 

 

VRRP # show system  interface port3

# config system interface
    edit "port3"
        set vdom "root"
        set ip 192.168.33.111 255.255.255.0
        set type physical
        set vrrp-virtual-mac enable
        config vrrp
            edit 1
                set vrip 192.168.33.1
                set priority 200
                set vrdst 8.8.8.8
                set vrdst-priority 3
            next
        end
        set snmp-index 3
    next
  end

 

 

Link monitor status showing that the state is alive:

VRRP # dia sys link-monitor  status
Link Monitor: 1, Status: alive, Server num(1), Flags=0x1 init, Create time: Fri Jul 15 17:15:15 2022
Source interface: port4 (6)
Gateway: 192.168.44.1
Interval: 500 ms
  Peer: 8.8.8.8(8.8.8.8)
        Source IP(192.168.44.111)
        Route: 192.168.44.111->8.8.8.8/32, gwy(192.168.44.1)
        protocol: ping, state: alive
                Latency(Min/Max/Avg): 17.180/34.532/20.473 ms
                Jitter(Min/Max/Avg): 0.084/16.354/3.016
                Packet lost: 41.000%
                Number of out-of-sequence packets: 0
                Fail Times(0/5)
                Packet sent: 677, received: 59, Sequence(sent/rcvd/exp): 678/678/679

 

VRRP command showing that the device is elected as the Master:

VRRP # get router  info vrrp
Interface: port3, primary IP address: 192.168.33.111
  UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 1
  HA mode: primary (0:0:1) VRRP master number: 1
  VRID: 1 verion: 2
    vrip: 192.168.33.1, priority: 200 (200,3), state: MASTER
    adv_interval: 1, preempt: 1, ignore_dft: 0 start_time: 3
    master_adv_interval: 100, accept: 1
    vrmac: 00:00:5e:00:01:01
    vrdst: 8.8.8.8
    vrgrp: 0

 

Debug output while the router is VRRP Master:

VRRP # dia de application  vrrpd  -1
Debug messages will be on for 30 minutes.
 VRRP # [vrrpd_loop:2288]: ret 0
[vrrp_vrt_adv_timer_func:1613]: port3, vrid 1, vrip 192.168.33.1, (11143->11143)
[vrrpd_loop:2288]: ret 0
[vrrp_vrt_adv_timer_func:1613]: port3, vrid 1, vrip 192.168.33.1, (11143->11143)
di[vrrpd_loop:2288]: ret 0

 

Sniffer output showing that the device is sending VRRP advertisements (IP protocol 112 to 224.0.0.18) on port3:

VRRP # dia sniffer packet any "host 224.0.0.18" 4 3
Using Original Sniffing Mode
interfaces=[any]
filters=[host 224.0.0.18]
1.754734 port3 out 192.168.33.111 -> 224.0.0.18:  ip-proto-112 20
2.756188 port3 out 192.168.33.111 -> 224.0.0.18:  ip-proto-112 20
3.757798 port3 out 192.168.33.111 -> 224.0.0.18:  ip-proto-112 20

 

Command showing the status of the VRRP-configured interface:

VRRP # dia hardware  deviceinfo  nic  port3 | grep State -A 1
State:           up
Link:            up

 

Route lookup showing that 8.8.8.8 is reached through a BGP-learnt default route rather than a static route:

VRRP # get router  info routing-table  details  8.8.8.8
Routing table for VRF=0
Routing entry for 0.0.0.0/0
  Known via "bgp", distance 200, metric 0, best
  Last update 00:03:05 ago
  * 192.168.44.1, via port4 distance 0

 

When the link monitor fails:

Debug output when the interface is brought down:

[vrrp_vrt_adv_timer_func:1613]: port3, vrid 1, vrip 192.168.33.1, (11143->11143)
[vrrpd_loop:2288]: ret 0
[vrrp_vrt_adv_timer_func:1613]: port3, vrid 1, vrip 192.168.33.1, (11143->1102)
[vrrp_vif_promisc_set:1277]: ret 0, 98
[vrrp_vrt_leave_master:1516]: port3, vrid 1, vrip 192.168.33.1, (200 1 1 100)
[vrrp_vrt_goto_backup:1595]: port3, vrid 1, vrip 192.168.33.1, (200 1 1 100)
[vrrpd_loop:2288]: ret 0
[vrrp_vrt_down_timer_func:1558]: port3, vrid 1, vrip 192.168.33.1, (1102->1102)
[vrrpd_loop:2288]: ret 0

 

Link monitor status now showing the state is die, and port3 is down:

VRRP # dia sys link-monitor  status
Link Monitor: 1, Status: die, Server num(1), Flags=0x9 init, Create time: Fri Jul 15 21:00:42 2022
Source interface: port4 (6)
Gateway: 192.168.44.1
Interval: 500 ms
  Peer: 8.8.8.8(8.8.8.8)
        Source IP(192.168.44.111)
        Route: 192.168.44.111->8.8.8.8/32, gwy(192.168.44.1)
        protocol: ping, state: die
                Packet lost: 100.000%
                Number of out-of-sequence packets: 0
                Recovery times(0/5) Fail Times(4/5)
                Packet sent: 1654, received: 654, Sequence(sent/rcvd/exp): 1655/755/756

VRRP # dia sys link-monitor status | grep state
       protocol: ping, state: die

VRRP # diagnose hardware deviceinfo nic port3 | grep State -A 1
State:           down
Link:            down

 

VRRP state now showing BACKUP, confirming the re-election described above:

VRRP # get router info vrrp
Interface: port3, primary IP address: 192.168.33.111
  UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
  HA mode: primary (0:0:1) VRRP master number: 0
  VRID: 1 verion: 2
    vrip: 192.168.33.1, priority: 200 (200,3), state: BACKUP
    adv_interval: 1, preempt: 1, ignore_dft: 0 start_time: 3
    master_adv_interval: 100, accept: 1
    vrmac: 00:00:5e:00:01:01
    vrdst: 8.8.8.8
    vrgrp: 0

VRRP # get router  info vrrp  | grep state
    vrip: 192.168.33.1, priority: 200 (200,3), state: BACKUP
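As an added example (not part of this article or Fortinet's own tooling), a small Python checker that parses the three diagnostic outputs used above and confirms the cascade happened end to end: link monitor 'die', cascade interface link-down, VRRP BACKUP. The sample strings are constructed from the output shown above, and the function names are this example's own.

```python
import re
# Constructed sample strings, shaped like the three CLI outputs shown in this article.
LINK_MONITOR_DIE = """Link Monitor: 1, Status: die, Server num(1), Flags=0x9 init
Source interface: port4 (6)
  Peer: 8.8.8.8(8.8.8.8)
        protocol: ping, state: die
                Recovery times(0/5) Fail Times(4/5)
"""
VRRP_BACKUP = """Interface: port3, primary IP address: 192.168.33.111
  VRID: 1 verion: 2
    vrip: 192.168.33.1, priority: 200 (200,3), state: BACKUP
"""
NIC_DOWN = "State:           down\nLink:            down\n"

def parse_link_monitor(text):
    """Pull id, status and the fail counter out of 'diagnose sys link-monitor status'."""
    head = re.search(r"Link Monitor: (\d+), Status: (\w+)", text)
    fails = re.search(r"Fail Times\((\d+)/(\d+)\)", text)
    return {"id": int(head.group(1)), "status": head.group(2),
            "fail_times": (int(fails.group(1)), int(fails.group(2)))}

def parse_vrrp(text):
    """Return one dict per 'vrip:' line of 'get router info vrrp', tagged with its interface."""
    entries, iface = [], None
    for line in text.splitlines():
        m = re.match(r"Interface: (\S+),", line)
        if m:
            iface = m.group(1)
        m = re.search(r"vrip: (\S+), priority: (\d+) \(\d+,\d+\), state: (\w+)", line)
        if m:
            entries.append({"interface": iface, "vrip": m.group(1),
                            "priority": int(m.group(2)), "state": m.group(3)})
    return entries

def parse_nic(text):
    """Return the (State, Link) pair of 'diagnose hardware deviceinfo nic <port>'."""
    return tuple(re.search(rf"{k}:\s+(\w+)", text).group(1) for k in ("State", "Link"))

def check_cascade(monitor, cascade_iface, nic_state, vrrp_entries):
    """List mismatches between monitor status, cascade interface and VRRP; empty = consistent."""
    findings = []
    dead = monitor["status"] == "die"
    expected_nic = ("down", "down") if dead else ("up", "up")
    if nic_state != expected_nic:
        findings.append(f"monitor {monitor['id']} is {monitor['status']} but {cascade_iface} is {nic_state}")
    # While alive, VRRP state depends on the peer's priority; only a dead monitor requires BACKUP.
    for v in vrrp_entries:
        if dead and v["interface"] == cascade_iface and v["state"] != "BACKUP":
            findings.append(f"VRRP {v['vrip']} on {cascade_iface} still {v['state']}")
    return findings
```

Feed it the live output of the same three commands on both VRRP peers to catch a failover that only half-completed (monitor dead but interface still up, or interface down but VRID still MASTER).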
