Wired Intelligent Edge


Aruba 8320 Ver 10.03 VSX Topology not forward packets

  • 1.  Aruba 8320 Ver 10.03 VSX Topology not forward packets

    Posted May 09, 2020 03:11 PM

    Hi, 

     

    I have two ARUBA 8320 connected with VSX technology as L2 and Checkpoint FW as L3 above them.

    When I try pinging to a server connected to 8320 from the 8320 SW I have reachability but from the FW I do not have.

     

    In my last case, the engineer sent me two useful commands from the shell:

    ovs-appctl -t hpe-vsxd vsx_filter_dump

    ovs-appctl -t ops-switchd  vsx/show_isl

     

    but when I type those commands I get access denied

    also "sh -" in shell mode with my admin password doesn't work

     

    There is a Topology diagram attached to the post.

     

    #VSX-Configurations Core-SW1#
    vsx

    system-mac 00:00:00:01:83:20
    inter-switch-link lag 1
    inter-switch-link hello-interval 3
    inter-switch-link dead-interval 10
    inter-switch-link hold-time 2

    role primary

    keepalive peer 1.1.1.2 source 1.1.1.1 vrf VSX-KEEPALIVE

    keepalive dead-interval 10
    keepalive hello-interval 3


    interface lag 1
    description ISL-SW-CORE-2
    no shutdown
    no routing
    vlan trunk native 1 tag
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

     

    interface 1/1/54

    no shutdown

    lag 1

    interface 1/1/53

    no shutdown

    lag 1


    interface lag 10 multi-chassis
    description Core-FW-1
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

     

    interface 1/1/1

    no shutdown

    lag 10


    interface lag 20 multi-chassis
    description Core-FW-2
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

     

    interface 1/1/2

    no shutdown

    lag 20


    interface lag 101 multi-chassis
    description SW-TOR-1-2
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

     

    interface 1/1/47

    no shutdown

    lag 101

    interface 1/1/48

    no shutdown

    lag 101

     

     

    #VSX-Configurations Core-SW2#

    vsx

    system-mac 00:00:00:01:83:20
    inter-switch-link lag 1
    inter-switch-link hello-interval 3
    inter-switch-link dead-interval 10
    inter-switch-link hold-time 2

    role secondary

    keepalive peer 1.1.1.1 source 1.1.1.2 vrf VSX-KEEPALIVE

    keepalive dead-interval 10
    keepalive hello-interval 3


    interface lag 1
    description ISL-SW-CORE-1
    no shutdown
    no routing
    vlan trunk native 1 tag
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

     

    interface 1/1/54

    no shutdown

    lag 1

    interface 1/1/53

    no shutdown

    lag 1


    interface lag 10 multi-chassis
    description Core-FW-1
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

     

    interface 1/1/1

    no shutdown

    lag 10


    interface lag 20 multi-chassis
    description Core-FW-2
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

     

    interface 1/1/2

    no shutdown

    lag 20


    interface lag 101 multi-chassis
    description SW-TOR-1-2
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

     

    interface 1/1/47

    no shutdown

    lag 101

    interface 1/1/48

    no shutdown

    lag 101

     

    #VSX-Configurations Core-TOR1#

    vsx

    inter-switch-link lag 1
    inter-switch-link hello-interval 3
    inter-switch-link dead-interval 10
    inter-switch-link hold-time 2

    role primary

    keepalive peer 1.1.1.2 source 1.1.1.1 vrf VSX-KEEPALIVE

    keepalive dead-interval 10
    keepalive hello-interval 3


    interface lag 1
    description ISL-SW-TOR-2
    no shutdown
    no routing
    vlan trunk native 1 tag
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

     

    interface 1/1/54

    no shutdown

    lag 1

    interface 1/1/53

    no shutdown

    lag 1


    interface lag 101 multi-chassis
    description SW-Core
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

     

    interface 1/1/1

    no shutdown

    lag 101

    interface 1/1/2

    no shutdown

    lag 101

     

    interface lag 11 multi-chassis
    description A220\C1
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

     

    interface 1/1/3

    no shutdown

    lag 11

     

    #VSX-Configurations Core-TOR2#

    vsx

    inter-switch-link lag 1
    inter-switch-link hello-interval 3
    inter-switch-link dead-interval 10
    inter-switch-link hold-time 2

    role secondary

    keepalive peer 1.1.1.1 source 1.1.1.2 vrf VSX-KEEPALIVE

    keepalive dead-interval 10
    keepalive hello-interval 3


    interface lag 1
    description ISL-SW-TOR-2
    no shutdown
    no routing
    vlan trunk native 1 tag
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

     

    interface 1/1/54

    no shutdown

    lag 1

    interface 1/1/53

    no shutdown

    lag 1


    interface lag 101 multi-chassis
    description SW-Core
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

     

    interface 1/1/1

    no shutdown

    lag 101

    interface 1/1/2

    no shutdown

    lag 101

     

    interface lag 11 multi-chassis
    description A220\C1
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    lacp mode active
    lacp rate fast

     

    interface 1/1/3

    no shutdown

    lag 11

     

     

    I have another area in the network that had the same issue and is connected with the same design and products (Aruba 8320 & Checkpoint FWs), where "the engineer" came to our office and troubleshot exactly the same behavior as this issue.

    When he got into shell mode, executed a few VSX shell commands and rebooted the switch, the VSX started to work and we could ping from the FW (GW) to the servers. After that, he showed us the "show commands" from the shell to see the VSX functioning and working.

    The configuration in the regular CLI was copied from the working area to the second area that is not working properly.

    I am looking for someone who can guide me on how to see the VSX status in shell mode and, if the VSX status is not good, how to fix it from shell mode, because I tried everything and nothing works.

    Does anyone have such a problem or can help?

    Thanks!!

     

    Attachment(s)

    pptx
    VSX-Topology.pptx   39 KB 1 version


  • 2.  RE: Aruba 8320 Ver 10.03 VSX Topology not forward packets

    EMPLOYEE
    Posted May 11, 2020 05:45 AM

    Your configuration seems correct. It is strange that you have to go through this forum to resolve your issue. The TAC should fix this for you as it seems to be a bug. What release do you run? If you run 10.3, I recommend running 10.03.0090.

    The regular show commands should already provide some sanity checks:

    show vsx status

    show lacp inter multi

    show vsx mac-address-table

     

    Is your Checkpoint FW active/active or active/passive?

     



  • 3.  RE: Aruba 8320 Ver 10.03 VSX Topology not forward packets

    MVP GURU
    Posted May 11, 2020 10:54 AM

    Hi! As I initially suggested here (the original thread came from there), and as @vincent.giles suggested here too, the outputs of the relevant show vsx commands (please explore the various options it has) would be of help. Providing various other information about Layer 2 connectivity to the upstream Layer 3 Firewall Cluster would be of help too.

     

    Apparently the portions of the Core VSX and ToR VSX running configurations both look good (but those are just portions; we don't have the whole - sanitized - picture "host-ToR-Core-FW").

     

    As an example: what is the System MAC of the ToR VSX (on the Core VSX the virtualized 00:00:00:01:83:20 was used)?

     

    Have you cross-checked the (VSX related) best practices/suggestions listed here?

     

    As vincent.giles wrote, it would be interesting to understand the IP routing configuration on the upstream devices (the CheckPoint Firewall Cluster made of the CP1-FW and CP2-FW appliances) and also how (and how many) VLAN(s) are involved/transported to that Firewall Cluster, since you initially wrote that: "I have two ARUBA 8320 connected with VSX technology as L2 and Checkpoint FW as L3 above them. When I try pinging to a server connected to 8320 from the 8320 SW I have reachability but from the FW I do not have." and what we know is just that the IP routing duty is handled by the Firewall Cluster, with both VSX clusters (Core and ToR) acting just as Layer 2 switches.

     

    ServiceOS shell mode shouldn't really be necessary... but, as written, there could be a bug in the running software versions your four VSX clusters are running (version we ignore)... consider that the two (three, one is incomplete) ServiceOS commands the technician gave you:

     

    ovs-appctl -t hpe-vsxd vsx_filter_dump

    ovs-appctl -t ops-switchd <- it is incomplete I fear (or ovs-appctl -t vsx/show_isl)

     

    are for querying (or setting) the hpe-vsxd and ops-switchd target daemons... but are not intended to be used by a normal network administrator; ArubaOS-CX commands should be used instead.
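
Added example (not part of the original thread and not HPE Aruba code): a small Python check of the peer-consistency points raised in the replies, run over the VSX settings from the first post. The function names and the list of checks are assumptions chosen for this illustration; the `excerpt` helper only rebuilds the relevant lines of each posted stanza.

```python
import re

PATTERNS = {  # VSX-relevant lines as they appear in the posted configuration
    "system_mac": r"system-mac (\S+)",
    "role": r"role (primary|secondary)",
    "isl": r"inter-switch-link lag (\d+)",
    "keepalive": r"keepalive peer (\S+) source (\S+) vrf (\S+)",
}

def parse_vsx(config):
    """Pull the VSX settings and multi-chassis LAG ids out of a config excerpt."""
    out = {**dict.fromkeys(PATTERNS), "mclags": set()}
    for line in map(str.strip, config.splitlines()):
        for key, pattern in PATTERNS.items():
            if m := re.fullmatch(pattern, line):
                out[key] = m.groups() if key == "keepalive" else m[1].lower()
        if m := re.fullmatch(r"interface lag (\d+) multi-chassis", line):
            out["mclags"].add(int(m[1]))
    return out

def compare_peers(a, b):
    """Return the settings that are inconsistent between two VSX peers."""
    findings = []
    if not a["system_mac"] or not b["system_mac"]:
        findings.append("system-mac not configured on one or both peers")
    elif a["system_mac"] != b["system_mac"]:
        findings.append("system-mac differs between peers")
    if {a["role"], b["role"]} != {"primary", "secondary"}:
        findings.append("roles are not one primary and one secondary")
    if a["isl"] != b["isl"]:
        findings.append("inter-switch-link LAG differs")
    ka, kb = a["keepalive"], b["keepalive"]
    if not ka or not kb or ka != (kb[1], kb[0], kb[2]):
        findings.append("keepalive peer/source/vrf are not mirrored")
    if a["mclags"] != b["mclags"]:
        findings.append(f"multi-chassis LAGs on one peer only: {sorted(a['mclags'] ^ b['mclags'])}")
    return findings

def excerpt(mac, role, peer, src, lags):  # rebuilds the posted VSX lines for one switch
    head = ["vsx"] + ([f"system-mac {mac}"] if mac else []) + ["inter-switch-link lag 1",
            f"role {role}", f"keepalive peer {peer} source {src} vrf VSX-KEEPALIVE"]
    return "\n".join(head + [f"interface lag {n} multi-chassis" for n in lags])

CORE1 = excerpt("00:00:00:01:83:20", "primary", "1.1.1.2", "1.1.1.1", [10, 20, 101])
CORE2 = excerpt("00:00:00:01:83:20", "secondary", "1.1.1.1", "1.1.1.2", [10, 20, 101])
TOR1 = excerpt(None, "primary", "1.1.1.2", "1.1.1.1", [101, 11])
TOR2 = excerpt(None, "secondary", "1.1.1.1", "1.1.1.2", [101, 11])
for name, a, b in (("Core", CORE1, CORE2), ("ToR", TOR1, TOR2)):
    print(name, compare_peers(parse_vsx(a), parse_vsx(b)))
```

On the posted stanzas the Core pair yields no findings, while the ToR pair is reported as having no `system-mac` line, which is the point the last reply asks about. A clean result only shows the two stanzas agree with each other; it does not replace the `show vsx status` output requested in the replies.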