Troubleshooting VRRP

This topic is to discuss the following lesson:

Hello Rene,

One quick question: if there is any mismatch in the authentication … in the first place it should not forward packets at all? We could see some packets are being forwarded … could you please explain?

Thanks
Shayan

Hi Shayan,
Believe it or not, what you are seeing is expected behavior from VRRP! If the authentication is not correct from a VRRP neighbor, then its packets get ignored. Each side will claim the other has incorrect authentication, so each VRRP router believes itself to be the master, and each will claim to own the IP address! The only upside to this is that assuming each side is using the same VRRP instance number, the MAC address will agree between them, so other computers on the network would have no idea this is going on. Additionally, should one of the VRRP mismatch routers fail, the VRRP IP will remain up–so you will achieve fault-tolerance by accident.

By the way, besides an authentication mismatch, the same thing will happen should the VRRP timers not match as well.

This goes to show you how useless authentication is with VRRP. The whole point of authentication is to stop a rogue device from claiming to be the virtual IP, but clearly it doesn’t matter.

Below is a sample VRRP output from two routers in this situation. Notice how they disagree on the IP of the Master Router:

R1#sh vrrp
FastEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 10.0.0.254
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Authentication MD5, key-string
  Master Router is 10.0.0.252 (local), priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec
R2#sh vrrp
FastEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 10.0.0.254
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 10.0.0.253 (local), priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec

--Andrew

1 Like
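
One way to detect the dual-master condition described in the reply above from collected `show vrrp` output, as an added example that is not part of the original thread. The function names `parse_show_vrrp` and `find_dual_masters` and the finding fields are this example's own, and the input is the two outputs quoted above, trimmed to the lines the parser reads.

```python
import re

# Added example; names are illustrative. Input: the post's two "sh vrrp" outputs, trimmed to the parsed lines.
SAMPLE = """\
R1#sh vrrp
FastEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 10.0.0.254
  Authentication MD5, key-string
  Master Router is 10.0.0.252 (local), priority is 100
R2#sh vrrp
FastEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 10.0.0.254
  Master Router is 10.0.0.253 (local), priority is 100
"""

FIELDS = {"state": r"State is (\w+)", "vip": r"Virtual IP address is (\S+)",
          "auth": r"Authentication (\w+)", "master": r"Master Router is ([\d.]+)"}

def parse_show_vrrp(text):
    """Return one dict per VRRP group in concatenated 'show vrrp' output."""
    groups, host = [], None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"(\S+)#\s*sh(?:ow)?\s+vrrp", line):
            host = m.group(1)  # the prompt line names the router
        elif m := re.match(r"\S+ - Group (\d+)$", line):
            groups.append({"host": host, "group": int(m.group(1)), "auth": "none"})
        elif groups:
            for key, pattern in FIELDS.items():
                if m := re.match(pattern, line):
                    groups[-1][key] = m.group(1)
    return groups

def find_dual_masters(groups):
    """Flag each (group, virtual IP) that more than one router claims as Master."""
    by_vip = {}
    for g in groups:
        by_vip.setdefault((g["group"], g.get("vip")), []).append(g)
    findings = []
    for (group, vip), members in by_vip.items():
        masters = [m for m in members if m.get("state") == "Master"]
        if len(masters) > 1:
            findings.append({"group": group, "vip": vip,
                             "masters": sorted(m["host"] for m in masters),
                             "claimed_master_ips": sorted(m.get("master", "?") for m in masters),
                             "auth_mismatch": len({m["auth"] for m in masters}) > 1})
    return findings

print(find_dual_masters(parse_show_vrrp(SAMPLE)))
```

A finding with `auth_mismatch` set points at the authentication configuration; a finding without it leaves the timers or reachability between the routers as the things to check.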

Hello Andrew,

Thanks a lot for your detailed explanation of the VRRP authentication.

Regards!
Shayan

Let us assume authentication is proper & timers also. Suppose the VRRP keepalive messages are not able to reach each other due to any random reason; in that case both should be active & active.
So will they forward packets or not?

Hello Tejas

Yes, if that is the case, both devices will become active, and any packets arriving at a device will be forwarded. But, if for whatever reason the redundant gateways can’t reach each other, that means that hosts will also have trouble reaching one of the gateways for the same reason. Remember that redundant gateways and hosts are all on the same subnet. If communication between gateways somehow fails, then communication will also fail between hosts and one or more of the redundant gateways.

So in most cases, even if both gateways become active, the same network fault that caused the failure will also cause hosts not to reach one of the two or more gateways.

I hope this has been helpful!

Laz

1 Like