Wired Intelligent Edge

 View Only
last person joined: 4 days ago 

Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution
Expand all | Collapse all

Issue with a VSX Cluster

This thread has been viewed 32 times
  • 1.  Issue with a VSX Cluster

    Posted Apr 08, 2024 09:06 PM

    I have a VSX Cluster that has been running with no issues. Recently I noticed one VLAN is not working the way it should be. The upper switch in the cluster works fine. It has a VLAN on it and I can ping all devices to and from the top switch. I am having an issue with the lower switch in the cluster. The VLAN that I can ping to and from on the upper switch, I can only ping the active gateway on the upper switch and nothing else.

    Does this sound like something anyone else has seen before?



  • 2.  RE: Issue with a VSX Cluster

    Posted Apr 09, 2024 02:09 AM

    Hi

    kindly, please share some more details about your deployment:

    • switch models in use
    • software version running
    • logical network diagram
    • running config of VSX, the VLAN / VLAN interface in question and the ISL interface
    • more information from where you are pinging 

    Regards, 
    Thomas




  • 3.  RE: Issue with a VSX Cluster

    Posted Apr 09, 2024 03:22 AM

    Hi, in a VSX cluster it is common in my environment that I can ping end devices from a particular member of the VSX pair. I've instructed operational staff to "try from both members". There are some logic rules around packets destined for an active-gateway on a member flowing through a different one.

    So if a ping initiated from member A goes to end device, the reply (because of LACP load balancing) heads towards member B, it is dropped because the rule doesn't permit forwarding from B to A. I guess this prevents a loop?

    This scenario only affects VSX member initiated traffic. If you have issues with end devices using their default gateway (which is an active-gateway) ensure the command active-gateway l3-src-mac is adding to each SVI. I do this for every SVI. It changes the source MAC of the active gateway to the shared one. It prevents a black hole situation in some devices that don't handle ARP well (e.g. they have a change of where the active member they connect to but retain the original VSX member's hardware MAC in ARP table).




  • 4.  RE: Issue with a VSX Cluster

    Posted Apr 10, 2024 01:56 PM

    I went into my SVI active-gateway, but the only options I see are l3-counters




  • 5.  RE: Issue with a VSX Cluster

    Posted Apr 11, 2024 03:10 AM
    Hi, the mention of the additional command is only relevant to end devices using their default gateway and doesn't affect the behavior described in your original post. I mentioned in case it was a related issue you are seeing.

    The command became available in a 10.10 version I think so if you are running an earlier version you won't see it.

    My main point is that pinging from the CX switch running VSX active gateways will produce the result you see and it's by design. Pinging through the switch in both directions should work 100%.

    Ian








  • 6.  RE: Issue with a VSX Cluster

    EMPLOYEE
    Posted Apr 11, 2024 06:45 AM

    Pinging from the SVI unique/distinct IP instead of the AG IP (common to both VSX nodes) should work: if icmp-echo-reply return packet happens to be received by the VSX node which didn't source the  icmp-echo, then that VSX node should bridge and forward the packet to the VSX peer thanks to the DST_MAC that should be unique to this node.

    If SVI IP is same than AG IP (recommended for EVPN distributed-GW), then the recommendation is to ping from a unique loopback IP set-up on each VSX node.




  • 7.  RE: Issue with a VSX Cluster

    Posted Apr 21, 2024 01:27 AM

    That all makes sense to me. This is what I am seeing more specific....

    I have two VSX Clusters. I have a VM Host connected to both for redundancy. I can ping all the VMs on this host which are in the same subnet except for one of them. We have reached out to the Vendors and they insist it is something on our side with the network, but I can't think of what it could be since all the other VMs on that host system are in the same subnet and reachable...




  • 8.  RE: Issue with a VSX Cluster

    Posted 30 days ago
    Hi, there is the added complication of the Vswitch etc but the two things I would check are if " active-gateway l3-src-mac " is configured on the SVI and if other things on the same subnet can ping the VM. I spent a day troubleshooting a similar issue to find the host based firewalling prevented it from being pinged by the gateway but pingable by other things (reverted policy). Check arp on host matches the entry on the "show ip interface vlan123" in case it is hogging an old one.

    Ian.