Original Message:
Sent: 4/21/2024 1:27:00 AM
From: sfpit1202
Subject: RE: Issue with a VSX Cluster
That all makes sense to me. This is what I am seeing, more specifically...
I have two VSX Clusters. I have a VM Host connected to both for redundancy. I can ping all the VMs on this host which are in the same subnet except for one of them. We have reached out to the Vendors and they insist it is something on our side with the network, but I can't think of what it could be since all the other VMs on that host system are in the same subnet and reachable...
Original Message:
Sent: Apr 11, 2024 06:44 AM
From: vincent.giles
Subject: Issue with a VSX Cluster
Pinging from the SVI unique/distinct IP instead of the AG IP (common to both VSX nodes) should work: if icmp-echo-reply return packet happens to be received by the VSX node which didn't source the icmp-echo, then that VSX node should bridge and forward the packet to the VSX peer thanks to the DST_MAC that should be unique to this node.
If the SVI IP is the same as the AG IP (recommended for EVPN distributed-GW), then the recommendation is to ping from a unique loopback IP set up on each VSX node.
Original Message:
Sent: Apr 11, 2024 03:09 AM
From: IanNightingale
Subject: Issue with a VSX Cluster
Hi, the mention of the additional command is only relevant to end devices using their default gateway and doesn't affect the behavior described in your original post. I mentioned it in case it was a related issue you are seeing.
The command became available in a 10.10 version, I think, so if you are running an earlier version you won't see it.
My main point is that pinging from the CX switch running VSX active gateways will produce the result you see and it's by design. Pinging through the switch in both directions should work 100%.
Ian
Original Message:
Sent: 4/10/2024 1:56:00 PM
From: sfpit1202
Subject: RE: Issue with a VSX Cluster
I went into my SVI active-gateway, but the only options I see are l3-counters
Original Message:
Sent: Apr 09, 2024 03:21 AM
From: IanNightingale
Subject: Issue with a VSX Cluster
Hi, in a VSX cluster it is common in my environment that I can ping end devices from a particular member of the VSX pair. I've instructed operational staff to "try from both members". There are some logic rules around packets destined for an active-gateway on a member flowing through a different one.
So if a ping initiated from member A goes to end device, the reply (because of LACP load balancing) heads towards member B, it is dropped because the rule doesn't permit forwarding from B to A. I guess this prevents a loop?
This scenario only affects VSX member initiated traffic. If you have issues with end devices using their default gateway (which is an active-gateway), ensure the command active-gateway l3-src-mac is added to each SVI. I do this for every SVI. It changes the source MAC of the active gateway to the shared one. It prevents a black hole situation in some devices that don't handle ARP well (e.g. they have a change of where the active member they connect to but retain the original VSX member's hardware MAC in ARP table).
Original Message:
Sent: Apr 08, 2024 09:05 PM
From: sfpit1202
Subject: Issue with a VSX Cluster
I have a VSX Cluster that has been running with no issues. Recently I noticed one VLAN is not working the way it should be. The upper switch in the cluster works fine. It has a VLAN on it and I can ping all devices to and from the top switch. I am having an issue with the lower switch in the cluster. The VLAN that I can ping to and from on the upper switch, I can only ping the active gateway on the upper switch and nothing else.
Does this sound like something anyone else has seen before?