Cisco Cisco Web Security Appliance S670 Fehlerbehebungsanleitung
192.168.0.131 > 224.0.0.18: carp 192.168.0.131 > 224.0.0.18: CARPv2-advertise 36:
vhid=94 advbase=3 advskew=1 authlen=7 counter=15790098039517178284
13:49:22.651653 IP (tos 0x10, ttl 255, id 44741, offset 0, flags [DF],
proto VRRP (112), length 56)
192.168.0.131 > 224.0.0.18: carp 192.168.0.131 > 224.0.0.18: CARPv2-advertise 36:
vhid=94 advbase=3 advskew=1 authlen=7 counter=15790098039517178285
Problem Analysis
The WSA system logs that are provided in the previous section indicate that when the HA group becomes a
Master in the CARP negotiation, there is an advertisement that is received with a better priority.
Master in the CARP negotiation, there is an advertisement that is received with a better priority.
You can verify this also from the packet capture. This is the packet that is sent from the virtual WSA:
13:49:04.601713
IP (tos 0x10, ttl 255, id 4785, offset 0, flags [DF],
proto VRRP (112), length 56)
192.168.0.131 > 224.0.0.18: carp 192.168.0.131 > 224.0.0.18: CARPv2-advertise 36:
vhid=94 advbase=3 advskew=1 authlen=7 counter=15790098039517178283
In a milliseconds time-frame, you can see another set of packets from the same source IP address (the same
virtual WSA appliance):
virtual WSA appliance):
13:49:04.602798
IP (tos 0x10, ttl 255, id 4785, offset 0, flags [DF],
proto VRRP (112), length 56)
192.168.0.131 > 224.0.0.18: carp 192.168.0.131 > 224.0.0.18: CARPv2-advertise 36:
vhid=94 advbase=3 advskew=1 authlen=7 counter=15790098039517178283
13:49:04.602809
IP (tos 0x10, ttl 255, id 4785, offset 0, flags [DF],
proto VRRP (112), length 56)
192.168.0.131 > 224.0.0.18: carp 192.168.0.131 > 224.0.0.18: CARPv2-advertise 36:
vhid=94 advbase=3 advskew=1 authlen=7 counter=15790098039517178283
In this example, the source IP address of 192.168.0.131 is the IP address of the problematic virtual WSA. It
appears that the multicast packets are looped back to the virtual WSA.
appears that the multicast packets are looped back to the virtual WSA.
This issue occurs due to a defect on the VMware side, and the next section explains the steps that you must
complete in order to resolve the issue.
complete in order to resolve the issue.
Solution
Complete these steps in order to resolve this issue and stop the loop of multicast packets that are sent in the
VMware environment:
VMware environment:
Enable promiscuous mode on the Virtual Switch (vSwitch).
1.
Enable MAC Address changes.
2.
Enable Forged transmits.
3.
If multiple physical ports exist on the same vSwitch, then the Net.ReversePathFwdCheckPromisc
option must be enabled in order to work around a vSwitch bug where the multicast traffic loops back
to the host, which causes the CARP to not function with link states coalesced messages. (Refer to the
next section for additional information).
option must be enabled in order to work around a vSwitch bug where the multicast traffic loops back
to the host, which causes the CARP to not function with link states coalesced messages. (Refer to the
next section for additional information).
4.
Modify the Net.ReversePathFwdCheckPromisc Option
Complete these steps in order to modify the Net.ReversePathFwdCheckPromisc option: