Hi all,

needs some help here:

I have two RB1000s, one will act as the primary for all subnets, the other as the backup. This will be handled using VRRP.
The configuration is as follows:

Primary RB1000:
VRRPs:
0 RM name="vrrp1" mtu=1500 mac-address=00:00:5E:00:01:01 arp=enabled
interface=ether1 vrid=1 priority=255 interval=1 preemption-mode=yes
authentication=ah password="test1" on-backup="" on-master=""

1 RM name="vrrp3" mtu=1500 mac-address=00:00:5E:00:01:03 arp=enabled
interface=ether3 vrid=3 priority=255 interval=1 preemption-mode=yes
authentication=ah password="test3" on-backup="" on-master=""

IP addresses:
0 10.1.0.2/24 10.1.0.0 10.1.0.255 ether1
2 10.20.0.2/22 10.20.0.0 10.20.3.255 ether3
3 10.1.0.1/32 10.1.0.1 10.1.0.1 vrrp1
4 10.20.0.1/32 10.20.0.1 10.20.0.1 vrrp3

Secondary RB1000:
VRRPs:
0 B name="vrrp1" mtu=1500 mac-address=00:00:5E:00:01:01 arp=enabled
interface=ether1 vrid=1 priority=100 interval=1 preemption-mode=yes
authentication=ah password="test1" on-backup="" on-master=""

1 RM name="vrrp3" mtu=1500 mac-address=00:00:5E:00:01:03 arp=enabled
interface=ether3 vrid=3 priority=1 interval=1 preemption-mode=yes
authentication=ah password="test3" on-backup="" on-master=""

IP addresses:
0 10.1.0.3/24 10.1.0.0 10.1.0.255 ether1
2 10.20.0.3/22 10.20.0.0 10.20.3.255 ether3
3 10.1.0.1/32 10.1.0.1 10.1.0.1 vrrp1
4 10.20.0.1/32 10.20.0.1 10.20.0.1 vrrp3

As you can see the primary is the higher value at 255, secondary being 100.

When the interface switches to backup and the primary comes back the VRRP interface does not stand down on the secondary.

Any ideas? VRRP is allowed on input in the firewall on both devices. I have no idea what to try next and I have followed the Wiki to the letter.
Please help!

Thanks in advance.

sterb

Hello,

I'm having exactly the same problem here: the secondary comes up as Master and Running. Just upgraded to 4.4. This same setp up was working flawlessly in 3.30!!

I've followed the wiki and every other document out there without success...

Should we send a report to support?
Thank you

I already submitted this to support and so far only got the standard responses back, i.e. explaining the config some more. It was not confirmed if this is a bug or not.
I also had debug turned on to see if the multicast packets are not received for some reason but there were no obvious error messages...

Maybe you can submit as well, the supout.rif might have something common with mine and they may be able to pnpoint the issue?

Thanks, sterb.

Hello!

If you have firewall and/or NAT rules ensure that you exclude VRRP and IGMP traffic from them... In my case the problem was a rogue source NAT rule which was driving vrrp packets nowhere.

Right now the problem seems solved, but I'm doing some final tests. Also, my problem was undetected for almost a month because that exact NAT rule wasn't applied even if it showed as enabled in Winbox and telnet.

Regards

Leonset,

finally had some time to spend on this and you pointed me in the right direction!
Once I reformulated my NAT rule it all worked so thanks again!
last hurdle I have left now is once I turn the hotspot on the ether interface vrrp is running on the vrrp packets are blocked so the secondary goes master.
I've had a look and everything I tried to pinhole the vrrp protocol through the hotspot firewall have failed...

sterb

I'm sorry, but I can't help you with that... I haven't used hotspot yet!

Good luck!

Got this working with help from support and wanted to post the solution in case anyone comes across this thread.
The hotspot needs to be attached to the VRRP interface, not the ether, then it works fine. The hotspot will show as invalid but as soon as VRRP becomes master then it will work correctly.

sterb.

Nice!

I'll keep it in mind if I ever use hotspot!

Now that support told you about the solution it seems logical, because hotspot blocks every packet util that user has authenticated, and that may include VRRP.

Bye