• Sorry for posting a rather opaque situation, but I am having trouble identifying where I should start looking for problems.

    The situation is as follows:

    Two XG-7100 connected via an HP 2530 switch.
    Four external lines, one of which is an MPLS. Two LANs.
    Each line uses 3 ports on the switch (separated using VLANs; the numbers are not duplicated elsewhere), two for the firewalls and the last one for a switch or a router. The XG-7100s are connected directly to one another with a regular non-crossed cable.

    I set up the two firewalls with CARP in a test environment, and did not have any trouble. The two XG-7100 were synchronizing and traffic was going where it was supposed to.

    The whole setup was put into the real cabinet, and the problems started.
    As long as only one of the two XG-7100 is online everything works well.
    When the second XG-7100 is switched on Weird Stuff™ starts to happen.

    Every port dedicated to the second firewall gets disabled by STP every 5 seconds or so (disabled, re-enabled, disabled and so on forever). Even the second LAN interface, which is not connected to anything external at the moment: there are just the two firewalls on that VLAN block, and it still gets STP blocked.

    If I disable STP on the switch (we're using MSTP, and said switch is root) the MPLS (not sure if that's because it's the first gateway in the pile, because it's a private address, or something else) suffers progressively worse packet loss (not sure if it's enough to bring it down; at 20% I immediately switched STP back on in the switch), and the switch complains about excessive broadcasts on the port that connects to the rest of the LAN.

    As far as I can tell it's not a typo somewhere in the configuration.

    Again, sorry for the lack of focus, but I'm at a loss where to start looking for trouble in the first place, and none of my colleagues has any idea either.
    Eh, it's probably something obvious I missed and I'll kick myself once I find it, but at this point I'm just running in circles. I'd really appreciate if someone could point me in a general direction :)


  • LAYER 8 Netgate

    If STP is triggering/blocking ports it sounds like you have created a layer 2 loop.

    You might want to diagram how everything is connected and see what you did wrong.

    HA, properly configured, does not create loops because there is no bridging involved.

    It would be possible to create loops using the built-in switch on the XG-7100 just like any other switch.
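
    The reply above boils down to "draw the cabling and look for a VLAN that comes back to where it started". As an added example (not from this thread, Netgate, or pfSense), here is a small Python check that does that mechanically: every device is modelled as a set of bridging domains (the HP switch bridges each VLAN across its member ports; a routed firewall interface terminates frames; the XG-7100 built-in switch bridges whatever ports share a port group), and each cable/VLAN pair becomes an edge between two domains. A link whose two ends are already connected closes a layer-2 loop, which is exactly what STP then has to keep blocking. All device names, port names, VLAN IDs and port-group labels are constructed for the example; the second topology deliberately puts the direct firewall-to-firewall cable into the same XG-7100 port group as a WAN uplink.

```python
"""Hypothetical layer-2 loop finder for a CARP/HA cabling plan.

Constructed example: models each device as bridging domains and checks
whether the cabling joins a domain to itself through a second path.
"""
from typing import Dict, List, Tuple

# One entry per VLAN a cable carries: (device_a, port_a, device_b, port_b, vlan)
Link = Tuple[str, str, str, str, int]
# device -> port -> vlan -> bridging-domain label (assumed naming).
# A port/VLAN that is not listed is treated as a routed (L3) interface:
# frames stop there, so it is its own dead-end domain.
Devices = Dict[str, Dict[str, Dict[int, str]]]


def _domain(devices: Devices, dev: str, port: str, vlan: int) -> str:
    return devices.get(dev, {}).get(port, {}).get(vlan, f"l3:{port}:{vlan}")


class _UnionFind:
    def __init__(self) -> None:
        self.parent: Dict[Tuple[str, str], Tuple[str, str]] = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b) -> bool:
        """Join a and b; return False if they were already connected."""
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return False
        self.parent[ra] = rb
        return True


def find_l2_loops(links: List[Link], devices: Devices) -> List[Link]:
    """Return every link that closes a loop between bridging domains."""
    uf = _UnionFind()
    loops: List[Link] = []
    for dev_a, port_a, dev_b, port_b, vlan in links:
        node_a = (dev_a, _domain(devices, dev_a, port_a, vlan))
        node_b = (dev_b, _domain(devices, dev_b, port_b, vlan))
        # A second path between two domains (or a port patched back into
        # its own domain) is a broadcast loop.
        if not uf.union(node_a, node_b):
            loops.append((dev_a, port_a, dev_b, port_b, vlan))
    return loops


# Constructed plan: HP switch "hp" bridges VLAN 10 (a WAN) on ports 1-3 and
# VLAN 20 (LAN) on ports 4-6; each firewall uplinks once per VLAN; the two
# firewalls share a direct cable (eth7<->eth7) used only for VLAN 900 (pfsync).
HP = {p: {10: "vlan10"} for p in ("1", "2", "3")}
HP.update({p: {20: "vlan20"} for p in ("4", "5", "6")})

GOOD_DEVICES: Devices = {"hp": HP}  # firewalls: routed interfaces only
GOOD_LINKS: List[Link] = [
    ("hp", "1", "fw1", "eth1", 10),
    ("hp", "2", "fw2", "eth1", 10),
    ("hp", "3", "wan1-router", "eth0", 10),
    ("hp", "4", "fw1", "eth2", 20),
    ("hp", "5", "fw2", "eth2", 20),
    ("hp", "6", "lan-switch", "uplink", 20),
    ("fw1", "eth7", "fw2", "eth7", 900),
]

# Misconfiguration: the built-in switch on each firewall carries VLAN 10 on
# both eth1 (uplink) and eth7 (the direct cable) in one port group, so the
# firewalls bridge hp -> fw1 -> fw2 -> hp.
BAD_DEVICES: Devices = {
    "hp": HP,
    "fw1": {"eth1": {10: "swgrp-a"}, "eth7": {10: "swgrp-a"}},
    "fw2": {"eth1": {10: "swgrp-a"}, "eth7": {10: "swgrp-a"}},
}
BAD_LINKS: List[Link] = GOOD_LINKS + [("fw1", "eth7", "fw2", "eth7", 10)]

if __name__ == "__main__":
    print("good plan loops:", find_l2_loops(GOOD_LINKS, GOOD_DEVICES))
    print("bad plan loops: ", find_l2_loops(BAD_LINKS, BAD_DEVICES))
```

    The bad plan reports the direct cable on VLAN 10 as the loop-closing link; the good plan, where the firewalls only route, reports none, which matches the point that HA itself does not bridge anything. Feeding the real port map in (one link per VLAN per cable, and every XG-7100 port group as a shared domain label) is the quickest way to see which VLAN the switch is actually blocking.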

  • For posterity, the problem was initially solved by changing the switch between the two CARP members.

    Apparently the Aruba-flavoured HP switches call home (to activate.arubanetworks.com), and while I'm not sure why this wrecks things for a multi-WAN CARP setup, once the feature was disabled on the switch it ceased causing STP problems.

    We only found out because we had to replace the (replaced) CARP switch in a hurry (next planned setup will have redundant switches too).
    The guy who arrived first grabbed the first unattended switch he could find (it was the HP), without knowing the problem it initially caused, and was just happy to have it already configured with the correct VLAN groups. Asking around, it turned out the only change in configuration was the mentioned call home feature being disabled.

    Hope this helps someone. It had me banging my head against the rack for way too long.
