Netgate Discussion Forum

    [SOLVED] STP blocks CARP?

    HA/CARP/VIPs
    3 Posts 2 Posters 802 Views
    • Frankye
      last edited by Frankye

      Sorry for posting a rather opaque situation, but I am having trouble identifying where I should start looking for problems.

      The situation is as follows:

      Two XG-7100 connected via an HP 2530 switch.
      Four external lines, one of which is an MPLS. Two LANs.
      Each line uses 3 ports on the switch (separated using VLANS, the numbers are not duplicated elsewhere), two for the firewalls and the last one for a switch or a router. The XG-7100s are connected directly to one another with a regular non-crossed cable.

      I set up the two firewalls with CARP in a test environment and did not have any trouble. The two XG-7100s were synchronizing and traffic was going where it was supposed to.

      The whole setup was put into the real cabinet, and the problems started.
      As long as only one of the two XG-7100 is online everything works well.
      When the second XG-7100 is switched on Weird Stuff™ starts to happen.

      Every port dedicated to the second firewall gets disabled by STP every 5 seconds or so (disabled, re-enabled, disabled and so on forever). Even the second LAN interface, which is not connected to anything external at the moment: there are just the two firewalls on that VLAN block, and it still gets STP blocked.

      If I disable STP on the switch (we're using MSTP, said switch is root) the MPLS (not sure if that's because it's the first gateway in the pile, it's a private address or what else) suffers progressively worse packet loss (not sure if it's enough to bring it down, at 20% I immediately switched STP back on in the switch) and the switch complains about excessive broadcasts on the port that connects to the rest of the LAN.

      As far as I can tell it's not a typo somewhere in the configuration.

      Again, sorry for the lack of focus but I'm at a loss where to start looking for troubles in the first place, and none of my colleagues has any idea either.
      Eh, it's probably something obvious I missed and I'll kick myself once I find it, but at this point I'm just running in circles. I'd really appreciate if someone could point me in a general direction :)

      cheers

      • Derelict (Netgate)

        If STP is triggering/blocking ports it sounds like you have created a layer 2 loop.

        You might want to diagram how everything is connected and see what you did wrong.

        HA, properly configured, does not create loops because there is no bridging involved.

        It would be possible to create loops using the built-in switch on the XG-7100 just like any other switch.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

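        The advice above, diagram the cabling and look for a layer 2 loop, can be turned into a mechanical check. The script below is an added example, not code from the thread or from Netgate: it takes a list of links, each tagged with the VLANs it carries, and reports every VLAN whose broadcast domain contains a cycle. The device names and VLAN numbers are constructed to mirror the layout described in the first post (one core switch, two firewalls, four uplinks, two LANs, a direct cable between the firewalls); the "bridged" variant, where the direct cable also carries a LAN VLAN, is a hypothetical misconfiguration used to show what a loop looks like, not the cause the poster eventually found.

```python
"""Per-VLAN layer 2 loop finder (added example, not the thread's own code).

Given a cabling list with the VLANs each link carries, report every VLAN
whose links form a cycle. STP exists to block exactly these cycles, so a
port that keeps flapping between forwarding and blocking is a good reason
to run a check like this against the intended topology.
"""
from collections import defaultdict, deque


def _path(adj, start, goal):
    """Shortest path start -> goal in one VLAN's adjacency, or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def find_l2_loops(links):
    """Return {vlan: [loop, ...]}; each loop is a list of device names that
    closes on itself. A VLAN absent from the result is loop-free.

    links: iterable of (device_a, device_b, set_of_vlans_carried).
    """
    by_vlan = defaultdict(list)
    for a, b, vlans in links:
        for vlan in vlans:
            by_vlan[vlan].append((a, b))
    loops = {}
    for vlan, edges in by_vlan.items():
        adj = defaultdict(set)
        for a, b in edges:
            # If a and b are already reachable inside this VLAN, the link
            # being added closes a loop (a second parallel link between the
            # same two devices counts as well).
            existing = _path(adj, a, b)
            if existing is not None:
                loops.setdefault(vlan, []).append(existing + [a])
            adj[a].add(b)
            adj[b].add(a)
    return loops


# Constructed topology modelled on the thread: per uplink VLAN the switch has
# one port to each firewall and one to the external device; LAN2 (VLAN 200)
# has nothing on it but the two firewalls. All names/IDs are invented.
UPLINKS = {10: "router-wan1", 20: "router-wan2", 30: "router-wan3", 40: "mpls-ce"}
LANS = {100: "lan1-switch"}
SYNC_VLAN = 4000  # constructed ID for the firewall-to-firewall sync network


def thread_topology(direct_cable_vlans):
    """Build the cabling list; direct_cable_vlans is what the fw1-fw2 cable carries."""
    links = []
    for vlan, ext in UPLINKS.items():
        links += [("core-switch", "fw1", {vlan}),
                  ("core-switch", "fw2", {vlan}),
                  ("core-switch", ext, {vlan})]
    for vlan, ext in LANS.items():
        links += [("core-switch", "fw1", {vlan}),
                  ("core-switch", "fw2", {vlan}),
                  ("core-switch", ext, {vlan})]
    links += [("core-switch", "fw1", {200}), ("core-switch", "fw2", {200})]
    links.append(("fw1", "fw2", set(direct_cable_vlans)))
    return links


# As described in the thread: the direct cable carries only the sync network.
CLEAN = thread_topology({SYNC_VLAN})
# Hypothetical misconfiguration: the direct cable is also bridged into VLAN 200.
BRIDGED = thread_topology({SYNC_VLAN, 200})


def report(links):
    """Human-readable summary, one line per detected loop."""
    loops = find_l2_loops(links)
    if not loops:
        return ["no layer 2 loops found"]
    return [f"VLAN {vlan}: loop {' -> '.join(loop)}"
            for vlan, cycles in loops.items() for loop in cycles]


if __name__ == "__main__":
    for name, topo in (("as described", CLEAN), ("direct cable bridged", BRIDGED)):
        print(f"[{name}]")
        for line in report(topo):
            print("  " + line)
```

The check is per VLAN because STP/MSTP blocks loops per broadcast domain: the star of switch, two firewalls and one external device on each uplink VLAN is loop-free, and only a link that joins two devices already reachable within the same VLAN, such as the firewalls' direct cable carrying a VLAN the switch also delivers to both of them, produces a cycle.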
        • Frankye
          last edited by Frankye

          For posterity, the problem was initially solved by changing the switch between the two CARP members.

          Apparently the Aruba-flavoured HP switches call home (to activate.arubanetworks.com), and while I'm not sure why this wrecks things for a multi-WAN CARP setup, once the feature was disabled on the switch it ceased causing STP problems.

          We only found out because we had to replace the (replaced) CARP switch in a hurry (next planned setup will have redundant switches too).
          The guy who arrived first grabbed the first unattended switch he could find (it was the HP), without knowing the problem it initially caused, and was just happy to have it already configured with the correct VLAN groups. Asking around, it turned out the only change in configuration was the mentioned call home feature being disabled.

          Hope this helps someone. It had me banging my head against the rack for way too long.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.