Aruba 8320 Ver 10.03 VSX Topology not forward packets

Hi, 

 

I have two ARUBA 8320 connected with VSX technology as L2 and Checkpoint FW as L3 above them.

When I try pinging to a server connected to 8320 from the 8320 SW I have reachability but from the FW I do not have.

 

In my last case, the engineer sent me two useful commands to run from the shell:

ovs-appctl -t hpe-vsxd vsx_filter_dump

ovs-appctl -t ops-switchd  vsx/show_isl

 

But when I type those commands I get access denied.

Also, "sh -" in shell mode with my admin password doesn't work.

 

There is a Topology diagram attached to the post.

 

#VSX-Configurations Core-SW1#
vsx
    system-mac 00:00:00:01:83:20
    inter-switch-link lag 1
    inter-switch-link hello-interval 3
    inter-switch-link dead-interval 10
    inter-switch-link hold-time 2
    role primary
    keepalive peer 1.1.1.2 source 1.1.1.1 vrf VSX-KEEPALIVE
    keepalive dead-interval 10
    keepalive hello-interval 3

interface lag 1
    description ISL-SW-CORE-2
    no shutdown
    no routing
    vlan trunk native 1 tag
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

interface 1/1/54
    no shutdown
    lag 1

interface 1/1/53
    no shutdown
    lag 1

interface lag 10 multi-chassis
    description Core-FW-1
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

interface 1/1/1
    no shutdown
    lag 10

interface lag 20 multi-chassis
    description Core-FW-2
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

interface 1/1/2
    no shutdown
    lag 20

interface lag 101 multi-chassis
    description SW-TOR-1-2
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

interface 1/1/47
    no shutdown
    lag 101

interface 1/1/48
    no shutdown
    lag 101

 

 

#VSX-Configurations Core-SW2#
vsx
    system-mac 00:00:00:01:83:20
    inter-switch-link lag 1
    inter-switch-link hello-interval 3
    inter-switch-link dead-interval 10
    inter-switch-link hold-time 2
    role secondary
    keepalive peer 1.1.1.1 source 1.1.1.2 vrf VSX-KEEPALIVE
    keepalive dead-interval 10
    keepalive hello-interval 3

interface lag 1
    description ISL-SW-CORE-1
    no shutdown
    no routing
    vlan trunk native 1 tag
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

interface 1/1/54
    no shutdown
    lag 1

interface 1/1/53
    no shutdown
    lag 1

interface lag 10 multi-chassis
    description Core-FW-1
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

interface 1/1/1
    no shutdown
    lag 10

interface lag 20 multi-chassis
    description Core-FW-2
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

interface 1/1/2
    no shutdown
    lag 20

interface lag 101 multi-chassis
    description SW-TOR-1-2
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

interface 1/1/47
    no shutdown
    lag 101

interface 1/1/48
    no shutdown
    lag 101

 

#VSX-Configurations Core-TOR1#
vsx
    inter-switch-link lag 1
    inter-switch-link hello-interval 3
    inter-switch-link dead-interval 10
    inter-switch-link hold-time 2
    role primary
    keepalive peer 1.1.1.2 source 1.1.1.1 vrf VSX-KEEPALIVE
    keepalive dead-interval 10
    keepalive hello-interval 3

interface lag 1
    description ISL-SW-TOR-2
    no shutdown
    no routing
    vlan trunk native 1 tag
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

interface 1/1/54
    no shutdown
    lag 1

interface 1/1/53
    no shutdown
    lag 1

interface lag 101 multi-chassis
    description SW-Core
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

interface 1/1/1
    no shutdown
    lag 101

interface 1/1/2
    no shutdown
    lag 101

interface lag 11 multi-chassis
    description A220\C1
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

interface 1/1/3
    no shutdown
    lag 11

 

#VSX-Configurations Core-TOR2#
vsx
    inter-switch-link lag 1
    inter-switch-link hello-interval 3
    inter-switch-link dead-interval 10
    inter-switch-link hold-time 2
    role secondary
    keepalive peer 1.1.1.1 source 1.1.1.2 vrf VSX-KEEPALIVE
    keepalive dead-interval 10
    keepalive hello-interval 3

interface lag 1
    description ISL-SW-TOR-2
    no shutdown
    no routing
    vlan trunk native 1 tag
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

interface 1/1/54
    no shutdown
    lag 1

interface 1/1/53
    no shutdown
    lag 1

interface lag 101 multi-chassis
    description SW-Core
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

interface 1/1/1
    no shutdown
    lag 101

interface 1/1/2
    no shutdown
    lag 101

interface lag 11 multi-chassis
    description A220\C1
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

interface 1/1/3
    no shutdown
    lag 11

 

 

I have another area in the network that had the same issue and is connected with the same design and products (Aruba 8320 & Checkpoint FWs), when "the engineer" came to our office and troubleshot exactly the same behavior as this issue.

When he got into shell mode, executed a few VSX shell commands and rebooted the switch, the VSX started to work and we could ping from the FW (GW) to the servers. After that, he showed us the "show commands" from the shell to see the VSX functioning and working.

The configuration in the regular CLI was copied from the working area to the second area that is not working properly.

I am looking for someone who can guide me on how to see the VSX status in shell mode and, if the VSX status is not good, how to fix it from shell mode, because I tried everything and nothing works.

Does anyone have such a problem or can help?

Thanks!!

 

Re: Aruba 8320 Ver 10.03 VSX Topology not forward packets

Your configuration seems correct. It is strange that you have to go through this forum to resolve your issue. The TAC should fix this for you, as it seems to be a bug. What release do you run? If you run 10.3, I recommend running 10.03.0090.

Regular show commands should already provide some sanity checks:

show vsx status

show lacp inter multi

show vsx mac-address-table

 

Is your Checkpoint FW active/active or active/passive?

 


Re: Aruba 8320 Ver 10.03 VSX Topology not forward packets

Hi! As I initially suggested here (the original thread came from there), and as @vincent.giles suggested here too, the outputs of the relevant show vsx commands (please explore the various options it has) would be of help. Providing various other information about Layer 2 connectivity to the upstream Layer 3 Firewall Cluster would be of help too.

 

Apparently the portions of the Core VSX and ToR VSX running configurations both look good (but those are just portions, we don't have the whole - sanitized - picture "host-ToR-Core-FW").

 

As an example: what is the System MAC of the ToR VSX (on the Core VSX the virtualized 00:00:00:01:83:20 was used)?

 

Have you cross-checked the (VSX related) best practices/suggestions listed here?

 

As vincent.giles wrote, it would be interesting to understand the IP routing configuration on the upstream devices (to CheckPoint Firewall Cluster made of CP1-FW and CP2-FW appliances) and also how (and how many) VLAN(s) are involved/transported to that Firewall Cluster, since you initially wrote that: "I have two ARUBA 8320 connected with VSX technology as L2 and Checkpoint FW as L3 above them. When I try pinging to a server connected to 8320 from the 8320 SW I have reachability but from the FW I do not have." and what we know is just that the IP routing duty is in the charge of the Firewall Cluster, with both VSX clusters (Core and ToR) acting just as Layer 2 switches.

 

ServiceOS shell mode shouldn't really be necessary... but, as written, there could be a bug in the software versions your four VSX clusters are running (versions we don't know)... consider that the two (three, one is incomplete) ServiceOS commands the technician gave you:

 

ovs-appctl -t hpe-vsxd vsx_filter_dump

ovs-appctl -t ops-switchd <- it is incomplete I fear (or ovs-appctl -t vsx/show_isl)

 

are for querying (or setting) the hpe-vsxd and ops-switchd target daemons... but they are not intended to be used by a normal network administrator; ArubaOS-CX commands should be used instead.
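
The peer settings discussed in this thread (roles, the System MAC question, keepalive addressing) can be cross-checked offline from the pasted configurations. The following is an added example, not code from any poster or from Aruba; the rules it applies (opposite roles, the same system-mac on both peers, mirrored keepalive peer/source in the same VRF) and the function names are assumptions of this sketch, and the sample strings are the posted vsx stanzas trimmed to the checked lines.

```python
import re

PATTERNS = {
    "system_mac": r"system-mac (\S+)",
    "role": r"role (primary|secondary)",
    "keepalive": r"keepalive peer (\S+) source (\S+)(?: vrf (\S+))?",
}

def parse_vsx(text):
    """Pull the vsx-context settings out of a pasted running-config."""
    cfg = dict.fromkeys(PATTERNS)
    in_vsx = False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "vsx":
            in_vsx = True
        elif line.startswith("interface "):
            in_vsx = False  # next top-level stanza ends the vsx context
        elif in_vsx:
            for key, pattern in PATTERNS.items():
                m = re.fullmatch(pattern, line)
                if m:
                    cfg[key] = m.groups() if key == "keepalive" else m[1].lower()
    return cfg

def check_pair(text_a, text_b):
    """Return findings for two switches meant to form one VSX cluster."""
    a, b = parse_vsx(text_a), parse_vsx(text_b)
    findings = []
    if {a["role"], b["role"]} != {"primary", "secondary"}:
        findings.append("roles are not one primary and one secondary")
    if a["system_mac"] is None or b["system_mac"] is None:
        findings.append("system-mac is missing on at least one peer")
    elif a["system_mac"] != b["system_mac"]:
        findings.append("system-mac differs between the peers")
    ka, kb = a["keepalive"], b["keepalive"]
    if not ka or not kb:
        findings.append("keepalive is missing on at least one peer")
    elif (ka[0], ka[1], ka[2]) != (kb[1], kb[0], kb[2]):
        findings.append("keepalive peer/source/vrf are not mirrored")
    return findings

# vsx stanzas as posted in this thread, trimmed to the lines that are checked
CORE1 = "vsx\nsystem-mac 00:00:00:01:83:20\nrole primary\nkeepalive peer 1.1.1.2 source 1.1.1.1 vrf VSX-KEEPALIVE"
CORE2 = "vsx\nsystem-mac 00:00:00:01:83:20\nrole secondary\nkeepalive peer 1.1.1.1 source 1.1.1.2 vrf VSX-KEEPALIVE"
TOR1 = "vsx\nrole primary\nkeepalive peer 1.1.1.2 source 1.1.1.1 vrf VSX-KEEPALIVE"
TOR2 = "vsx\nrole secondary\nkeepalive peer 1.1.1.1 source 1.1.1.2 vrf VSX-KEEPALIVE"
```

A finding is a prompt to look at the live state with the regular show commands, not a verdict that the setting causes the forwarding problem.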
