01-19-2024 12:47 PM
Hello all...
Wondering if anybody can tell me why this is happening in my Nexus 9k lab environment (CML).
When I fail (shutdown) the primary NK9 (1 in this case), the secondary assumes operational status but does not pass any traffic. HSRP is configured between the pair for gateway redundancy, which is also failing over as intended, but clients can NOT ping the virtual gateway or the actual interface gateway. I even lose the L2 management link (bridged to my PC NIC) to all but sw-1, which it is terminated to (vlan 2 SVI).
It's odd because the port-channel interfaces/vPCs are up and active at both access switches.
Spanning tree is not blocking anything, as intended; I'm using the vpc peer-switch command, which makes both NK9s appear to be the root bridge.
I am using private VLANs, but that is working perfectly when the primary is up. AND the aforementioned management link is a normal VLAN (vlan 2) anyway.
I've posted some of the pertinent config below, if you don't mind taking a look to see what I might be missing! Thanks!
Also attached a screenshot of the lab topology.
On NK9-2 (secondary). The primary is configured similarly - no mistakes that I can see:
vrf context keepalive
vrf context management
vpc domain 1
peer-switch
peer-keepalive destination 172.16.1.1 source 172.16.1.2 vrf keepalive
interface Vlan4
description "Gateway interface w HSRP and vPC"
no shutdown
private-vlan mapping 10,20,30
ip address 172.16.2.2/24
hsrp 4
timers 1 3
ip 172.16.2.254
interface port-channel1
switchport mode trunk
switchport trunk native vlan 101
switchport trunk allowed vlan 2-100,102-4094
spanning-tree port type network
vpc peer-link
interface port-channel11
description "link to sw-1"
switchport mode trunk
switchport trunk native vlan 101
switchport trunk allowed vlan 2,4-100,102-4094
vpc 11
interface port-channel12
description "Link to sw-2"
switchport mode trunk
switchport trunk native vlan 101
switchport trunk allowed vlan 2,4-100,102-4094
vpc 12
interface port-channel13
description "Link to CSR-1"
switchport access vlan 3
vpc 13
interface Ethernet1/1
description "keep alive link"
no switchport
vrf member keepalive
ip address 172.16.1.2/30
no shutdown
****************************************** vPC ********************
nk9-2# show vpc
Legend:
(*) - local vPC is down, forwarding via vPC peer-link
vPC domain id : 1
Peer status : peer link is down
vPC keep-alive status : Suspended (Destination IP not reachable)
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 consistency status : success
vPC role : secondary, operational primary
Number of vPCs configured : 3
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Disabled
Delay-restore status : Timer is off.(timeout = 30s)
Delay-restore SVI status : Timer is off.(timeout = 10s)
Delay-restore Orphan-port status : Timer is off.(timeout = 0s)
Operational Layer3 Peer-router : Disabled
Virtual-peerlink mode : Disabled
vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ -------------------------------------------------
1 Po1 down -
vPC status
----------------------------------------------------------------------------
Id Port Status Consistency Reason Active vlans
-- ------------ ------ ----------- ------ ---------------
11 Po11 up success success 2,4,10,20,30
12 Po12 up success success 2,4,10,20,30
13 Po13 up success success 3
*********************************************************** HSRP ************
nk9-2# show hsrp
Vlan4 - Group 4 (HSRP-V1) (IPv4)
Local state is Active, priority 100 (Cfged 100)
Forwarding threshold(for vPC), lower: 0 upper: 100
Hellotime 1 sec, holdtime 3 sec
Next hello sent in 0.325000 sec(s)
Virtual IP address is 172.16.2.254 (Cfged)
Active router is local
Standby router is unknown
Authentication text "cisco"
Virtual mac address is 0000.0c07.ac04 (Default MAC)
5 state changes, last state change 00:52:11
IP redundancy name is hsrp-Vlan4-4 (default)
******************************************************** Spanning tree - other vlans similar - root bridge - ports in forward state
VLAN0002
Spanning tree enabled protocol rstp
Root ID Priority 32770
Address 0023.04ee.be01
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32770 (priority 32768 sys-id-ext 2)
Address 0023.04ee.be01
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po11 Desg FWD 1 128.4106 (vPC) P2p
Po12 Desg FWD 1 128.4107 (vPC) P2p
01-19-2024 03:01 PM
Actually, adding to the above: I did some captures on the uplinks from the access switches to the 2nd NK9, and ARP requests are not making it across the port-channel links. I ran pings from one of the virtual client servers (private VLAN) to the nk9-2 vlan 4 interface IP, and from my PC across the management link to the vlan 2 interface on NK9-2. Why would that be???
01-20-2024 01:42 PM
I've modified the vPC config - it looks like this now - adding ARP sync, peer-gateway and auto-recovery. No change... It's the 2nd NK9 - it passes no traffic. If you take down the links to NK9-1, it's the same effect: clients cannot ping anywhere, despite the port-channels/vPCs to the access switches staying up with the remaining member links. Any link to NK9-2 does not work.
vpc domain 1
peer-switch
peer-keepalive destination 172.16.1.2 source 172.16.1.1 vrf keepalive
peer-gateway
auto-recovery
ip arp synchronize
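A small health check for the "show vpc" output posted in this thread, added here as an illustration (not from the original post or from Cisco): it parses the header fields and the per-vPC rows and flags the state combination the thread is about (peer-link down, keepalive suspended, role operational primary, peer-gateway and auto-recovery disabled). The function names and finding codes are my own; the sample text is the posted output, trimmed.

```python
import re

# "show vpc" output as posted for nk9-2 (the secondary) after nk9-1 was shut down (trimmed)
SHOW_VPC = """\
vPC domain id : 1
Peer status : peer link is down
vPC keep-alive status : Suspended (Destination IP not reachable)
vPC role : secondary, operational primary
Peer Gateway : Disabled
Dual-active excluded VLANs : -
Auto-recovery status : Disabled
Id Port Status Consistency Reason Active vlans
11 Po11 up success success 2,4,10,20,30
12 Po12 up success success 2,4,10,20,30
13 Po13 up success success 3
"""
VPC_ROW = re.compile(r"^(\d+)\s+(Po\d+)\s+(up|down)\s+\S+\s+\S+\s+(\S+)")

def parse_show_vpc(text):
    """Split 'show vpc' into header fields (dict) and per-vPC rows (list of dicts)."""
    fields, vpcs = {}, []
    for line in text.splitlines():
        m = VPC_ROW.match(line.strip())
        if m:
            vpcs.append({"id": int(m[1]), "port": m[2], "status": m[3], "vlans": m[4]})
        elif " : " in line:
            key, _, value = line.partition(" : ")
            fields[key.strip()] = value.strip()
    return fields, vpcs

def assess(fields, vpcs):
    """Return finding codes (names made up here) for the failover state seen in the thread."""
    out = []
    peer_link_down = "down" in fields.get("Peer status", "")
    keepalive_down = fields.get("vPC keep-alive status", "").startswith("Suspended")
    if peer_link_down and keepalive_down:
        out.append("PEER_DEAD_ASSUMED")      # both paths to the peer gone: peer treated as dead
    elif peer_link_down:
        out.append("PEER_LINK_ONLY_DOWN")    # peer alive via keepalive: secondary suspends its vPCs
    if "operational primary" in fields.get("vPC role", ""):
        out.append("ROLE_OPERATIONAL_PRIMARY")
    for key, code in (("Peer Gateway", "PEER_GATEWAY_OFF"),
                      ("Auto-recovery status", "AUTO_RECOVERY_OFF")):
        if fields.get(key) == "Disabled":
            out.append(code)
    if fields.get("Dual-active excluded VLANs") == "-":
        out.append("NO_DUAL_ACTIVE_EXCLUDED_VLANS")  # no SVI VLANs exempt from peer-link-failure handling
    out += [f"VPC_{v['id']}_DOWN" for v in vpcs if v["status"] != "up"]
    return out
```

Running `assess(*parse_show_vpc(SHOW_VPC))` on the posted output reports the peer-dead case with peer-gateway and auto-recovery off and all three vPCs up, which matches what the later post changed.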