I have seen various problems with the Cisco switches and VRRP/monitored circuit before.  You might want to check the Nokia page, but I believe there was a setting like
 
set port channel "port list" off
 
This alleviated some issues related to how long convergence took.
 
One other thing I can think of: if you are using the same router ID for more than one Nokia interface and using the same switches (on different VLANs), you may have a MAC-related problem where the switch gets confused about where to send the packet and either drops it or sends it to the wrong interface.
 
You could also look at the VRRP statistics for the various interfaces in question and see if you are clocking errors.  Maybe some of the VRRP packets are getting mangled when they are sent or in transit, and this happens often enough that the backup occasionally misses enough packets and switches to master.
----- Original Message -----
From: Mike Lee
Sent: Monday, May 13, 2002 5:13 AM
Subject: [FW-1] backup interface wouldn't keep quiet.

Hi,
 
Firewall 4.1, Nokia 440, IPSO 3.2.1-fcs1, running VRRP on outside, inside, dmz interfaces.
 
Symptom: Regularly, the backup firewall's outside interface changes its state to Master, even though the primary is functioning fine, causing slowness in Internet access.
 
What I find from tcpdump is that the primary sends a VRRP multicast message out every 1 second.  What's odd is that every once in a while, I see the backup send out one VRRP message.  This causes significant delay in our Internet access.
 
At the firewall side, the VRRP config looks identical to Nokia's document on how to set one up.  I do have policies to allow VRRP traffic.
 
All the interfaces go to a pair of Cisco 4000 switches with various VLANs.  The first 2 ports of the switches are configured with VLAN trunking.
 
Originally, the firewall's inside and DMZ interfaces were connected to a Cisco 4000 switch, each with its own VLAN.  The outside interfaces of the firewall were originally connected to a Cisco 2900, and we moved them to the Cisco 4000 switch with their own VLAN.
 
First I thought it was the switch's VLAN trunking config, but I doubt it is that.  If it were a VLAN trunk issue, then I would see the same behavior with the inside and DMZ interfaces too...
 
 
Any thoughts?
 
thanks,
 
Mike
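The reply suggests checking whether VRRP advertisements are being mangled and the backup is missing enough of them to declare itself master, and the original post describes the tcpdump view of it (one advertisement per second from the primary, with the backup occasionally speaking too). The script below is an added example for this thread, not code from either message, from Nokia or from Check Point. It builds and validates VRRPv2 advertisements as laid out in RFC 3768, computes the master-down timer a backup uses, and replays a constructed timeline to classify what a capture would show: a checksum failure (a packet the backup silently discards), a lower-priority router advertising while the master is still fresh (the symptom in the post), and a silence longer than the timer. The addresses 192.0.2.x, the priorities 200/100, the VRID 1 and the timestamps are all constructed for the demonstration.

```python
"""Replay VRRPv2 advertisements and flag the failure modes discussed in the thread.

Hypothetical diagnostic script; all packets below are constructed inline.
In practice the payloads would come from a capture of the VRRP multicast
group 224.0.0.18 (IP protocol 112), e.g. `tcpdump -w vrrp.pcap proto 112`.
"""
import socket
import struct
from dataclasses import dataclass

VRRP_VERSION = 2
VRRP_ADVERTISEMENT = 1


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over the whole VRRPv2 message (v2 has no pseudo-header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid, priority, adver_int, vips, auth=b"\x00" * 8) -> bytes:
    """Build a VRRPv2 ADVERTISEMENT (RFC 3768 section 5.3) with a valid checksum."""
    header = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | VRRP_ADVERTISEMENT,
                         vrid, priority, len(vips), 0, adver_int, 0)
    body = header + b"".join(socket.inet_aton(ip) for ip in vips) + auth
    return body[:6] + struct.pack("!H", ones_complement_checksum(body)) + body[8:]


@dataclass
class Advertisement:
    vrid: int
    priority: int
    adver_int: int
    vips: list


def parse_advertisement(data: bytes) -> Advertisement:
    """Parse an advertisement; raise ValueError for anything a backup would discard."""
    if len(data) < 16:
        raise ValueError("short packet")
    vt, vrid, priority, count, _auth, adver_int, _csum = struct.unpack("!BBBBBBH", data[:8])
    if (vt >> 4) != VRRP_VERSION or (vt & 0x0F) != VRRP_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    if len(data) < 8 + 4 * count + 8:
        raise ValueError("truncated address list")
    if ones_complement_checksum(data) != 0:  # a valid message folds to 0xFFFF, so ~sum == 0
        raise ValueError("bad checksum")
    vips = [socket.inet_ntoa(data[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return Advertisement(vrid, priority, adver_int, vips)


def master_down_interval(backup_priority: int, adver_int: int) -> float:
    """Seconds of silence after which a backup declares the master dead (RFC 3768 6.1)."""
    skew_time = (256 - backup_priority) / 256
    return 3 * adver_int + skew_time


def analyze(events, vrid: int, backup_priority: int):
    """Replay (timestamp, source_ip, vrrp_payload) tuples and return (t, kind, src, detail) findings."""
    findings = []
    master, master_prio, last_seen = None, 0, None
    for t, src, payload in events:
        try:
            adv = parse_advertisement(payload)
        except ValueError as err:
            findings.append((t, "mangled", src, str(err)))  # backup never counts this one
            continue
        if adv.vrid != vrid:
            continue
        down_after = master_down_interval(backup_priority, adv.adver_int)
        if master is None:
            master, master_prio, last_seen = src, adv.priority, t
        elif src == master:
            gap = t - last_seen
            if gap > down_after:
                findings.append((t, "gap", src, round(gap, 3)))  # backup would have fired
            last_seen, master_prio = t, adv.priority
        elif adv.priority > master_prio:
            findings.append((t, "preempt", src, adv.priority))  # legitimate higher-priority takeover
            master, master_prio, last_seen = src, adv.priority, t
        elif t - last_seen <= down_after:
            # lower-priority router speaking while the master is fresh: the symptom in the post
            findings.append((t, "dual-master", src, adv.priority))
        else:
            findings.append((t, "takeover", src, adv.priority))  # master really was silent
            master, master_prio, last_seen = src, adv.priority, t
    return findings


def demo_findings():
    """Constructed timeline: master .1 (priority 200), backup .2 (priority 100), 1 s interval."""
    master, backup = "192.0.2.1", "192.0.2.2"
    good = build_advertisement(1, 200, 1, ["192.0.2.254"])
    mangled = good[:2] + bytes([good[2] ^ 0x01]) + good[3:]  # one flipped bit in transit
    from_backup = build_advertisement(1, 100, 1, ["192.0.2.254"])
    events = [
        (0.0, master, good), (1.0, master, good),
        (2.0, master, mangled),       # checksum fails; the backup drops it
        (3.0, master, good),
        (3.5, backup, from_backup),   # backup advertises while master is still fresh
        (4.0, master, good),
        (9.0, master, good),          # 5 s of silence, longer than the 3.61 s timer
    ]
    return analyze(events, vrid=1, backup_priority=100)


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

With a 1-second advertisement interval and a backup priority of 100 the master-down interval is 3.609 s, so a backup has to lose four consecutive advertisements before it takes over; a "dual-master" finding with a fresh master therefore points at packets the backup never saw (dropped or damaged on the switch path), which is what the VRRP interface statistics should be checked against.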
