
[AF] Route switchover does not take effect in an AF active/standby route deployment

Problem Description

The local site uses an active/standby route deployment. During fault testing (unplugging the network cable or shutting down the host), the devices switch between active and standby, but the active and standby routes do not switch, so the cloud services are not moved to the standby lines.

Root cause

1. Only active/standby network port monitoring is enabled, so unplugging the cable only triggers the device active/standby switchover;
2. Both the upstream and downstream switches need an interface/link detection mechanism, such as BFD or NQA, so that the entire SW-FW-SW path performs a forced active/standby switchover and the routes switch as a whole;
3. The associated interface link is not configured. The master device has floating routes, and the link detection mechanism alone cannot guarantee that the whole SW-FW-SW link switches. That is, if the uplink port of the ISW-1 master device fails, link detection can only switch the link and cannot trigger a route switchover. Interface linkage must be configured so that the SW-FW-SW link performs a forced active/standby switchover.

Solution

1. Multiple IP addresses can be configured on an interface. Because the active and standby AFs are on different network segments (and have different gateways), only the primary IP address is effective while the primary device is running (guaranteed by link detection);
2. For the floating routes, enable the associated interface link only on the high-priority (low-metric) route, and do not enable link detection on the lower-priority route (so that the main route is always used while the main device is running);
3. After [Next-Hop IP] is configured in the local interface configuration, the 0.0.0.0 default route is not generated. This address is used for Link State Detection;

Suggestions and Conclusion

For active/standby route deployments, and wherever active/standby routes are involved, it is necessary to clearly understand the floating route switching conditions and how to make sure the routes take effect.

① Floating route switching conditions:
1. Enable link detection on the interface, for example PING or ARP detection;
2. Configure a static route to the destination address and enable the associated interface link so that the link can switch normally;
3. Configure the metric on each static route as required; traffic is forwarded according to the routes' metrics;
【Remark】

Link State Detection: If enabled, the static route will be set to invalid and the route entry will be deleted from the corresponding routing table when the link on the selected interface fails (determined by either Ping or DNS lookup).
It is recommended if this route is a floating static route.
Make sure link state detection is enabled for the selected interface.

② Enable the associated interface link only for the high-priority static route:
[Description] When the devices perform an active/standby switchover because of a network port or device failure, the route on the primary device (low metric) must become invalid in order for the routes to switch. When the network port or device recovers and network port monitoring or link detection passes again, the route on the primary device preempts and becomes the primary route again, so that the primary route is switched back once the primary device is restored.
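
The switching conditions above can be modelled in a few lines. This is an added illustration, not Sangfor code or AF configuration: the route names, interfaces, metrics and addresses are constructed, and the selection logic is a simplified assumption based on the Link State Detection remark. It compares the primary route with and without detection across normal, failed and restored states.

```python
from dataclasses import dataclass

@dataclass
class StaticRoute:
    name: str
    next_hop: str               # constructed sample address
    metric: int                 # lower metric = higher priority
    interface: str
    link_state_detection: bool  # "Link State Detection" enabled on this route

def routing_table(routes, probe_ok):
    """Routes still installed, given per-interface probe (PING/ARP) results.

    A route is withdrawn only when detection is enabled on it AND the probe
    on its interface fails. Without detection it stays installed regardless.
    """
    return [r for r in routes
            if not (r.link_state_detection and not probe_ok[r.interface])]

def active_route(routes, probe_ok):
    """Installed route with the lowest metric, or None if the table is empty."""
    table = routing_table(routes, probe_ok)
    return min(table, key=lambda r: r.metric) if table else None

def build(primary_detection):
    # Detection goes on the high-priority (low-metric) route only; the
    # floating standby route is left without it, as the article recommends.
    return [
        StaticRoute("primary", "192.0.2.1", 10, "eth1", primary_detection),
        StaticRoute("standby", "198.51.100.1", 20, "eth2", False),
    ]

def scenario(primary_detection):
    """Active route name in three states: normal, uplink failed, restored."""
    routes = build(primary_detection)
    states = [
        {"eth1": True, "eth2": True},    # normal operation
        {"eth1": False, "eth2": True},   # primary uplink fails
        {"eth1": True, "eth2": True},    # primary uplink restored
    ]
    return [active_route(routes, s).name for s in states]

if __name__ == "__main__":
    # Without detection the failed primary route stays active (the fault case).
    print("detection off:", scenario(False))
    # With detection the standby takes over, then the primary preempts.
    print("detection on: ", scenario(True))
```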

Original Link

https://support.sangfor.com.cn/cases/list?product_id=13&type=1&category_id=1461&isOpen=true