VSS on Cisco 4503E isn't working properly

Mahmoud.Reda
Level 1

Hi All,

We have two Cisco 4503E core switches in our network and VSS is configured between them, but it isn't working properly or something is wrong in the connection/configuration. Internet and VPN are not stable for some users (there is a lot of packet loss, as if the successful ping packets are passing through the active core switch and the failed packets are passing through the standby core switch), so I shut down the ports on the standby core switch and then there is no packet loss. The Cisco switch ports between the two firewalls and the two core switches are configured with switchport mode access and switchport access vlan 30 only. I tried to add the spanning-tree link-type point-to-point command to these ports but it makes no difference.

Are there any issues in the connection? How do I verify that the VSS configuration is correct, and how do I test the failover scenarios?

N.B.: there is HA between the two firewalls, and they are working in Active/Standby mode.

N.B.: edge switches are connected to the two core switches, and some services like the voice gateway are connected to the active core switch only.

Another question: the firmware on these core switches is old and I need to update it. Should I break the VSS since it isn't working, update both core switches, and then re-build the VSS configuration again?

I attached 2 files to the post. The current design is the current connection, which isn't working. I need to make it work with this design; then later I think the diagram in the better design photo will guarantee high availability, right?

I appreciate your kind help and support. Please feel free to ask for any command outputs.


balaji.bandi
Hall of Fame

First you need to fix the existing problem before you introduce any other improvements.

I have not seen any issue with VSS from the problems mentioned - we need to look at the config and the nonstop forwarding config of VSS.

Look at the high-level best practice:

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/VSS30dg/campusVSS_DG/VSS-dg_appa-configs.html

On the other hand, on the new design - why do you need another switch between Core and FW? Is this for the future, are you thinking of a stacking switch?

EDIT: some testing:

https://www.cisco.com/c/dam/global/da_dk/assets/docs/presentations/VSS_0109.pdf

BB


Thank you @balaji.bandi for your reply. I am thinking of an additional switch in the future for high availability and to avoid a single point of failure in case the single switch has any issue. Please let me know which configuration you need to look at so I can post it.

Thanks for your links. I will go through them.

Your kind help is much appreciated.

Reza Sharifi
Hall of Fame

Hi,

I attached 2 files to the post. The current design is the current connection, which isn't working. I need to make it work with this design; then later I think the diagram in the better design photo will guarantee high availability, right?

The "Current Design" you have posted should work just fine if everything is configured correctly. There is really no need for the "Better Design" with extra connections between the firewalls and the core switches.

Another question: the firmware on these core switches is old and I need to update it. Should I break the VSS since it isn't working, update both core switches, and then re-build the VSS configuration again?

I recommend you upgrade to your desired IOS before moving forward. To check and make sure VSS is working as expected, you can use "sh switch ?" with a variety of options, including the VSL and DAD link. You can also use "show redundancy" to look at the current VSS status.

HTH

Thank you @Reza Sharifi for your reply. I thought the other design would be better to avoid one switch being a single point of failure.
Could you please advise how to make sure that VSS is working as expected? Which commands should I use, and what should I expect in the command outputs to confirm that it is working fine?
Here are the current firmware and the output of show virtual redundancy:

Switch#sh switch virtual redundancy

Executing the command on VSS member switch role = VSS Active, id = 1


                  My Switch Id = 1
                Peer Switch Id = 2
        Last switchover reason = none
    Configured Redundancy Mode = Stateful Switchover
    Operating Redundancy Mode = Stateful Switchover

Switch 1 Slot 1 Processor Information :
-----------------------------------------------
        Current Software state = ACTIVE
                Image Version = Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500es8-UNIVERSAL-M), Version 15.2(3)E2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Tue 21-Jul-15 22:39 by prod_rel_team
                          BOOT = bootflash:cat4500es8-universal.SPA.03.07.02.E.152-3.E2.bin,1;
        Configuration register = 0x2102
                  Fabric State = ACTIVE
          Control Plane State = ACTIVE

Switch 2 Slot 1 Processor Information :
-----------------------------------------------
        Current Software state = STANDBY HOT (switchover target)
                Image Version = Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500es8-UNIVERSAL-M), Version 15.2(3)E2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Tue 21-Jul-15 22:39 by pr
                          BOOT = bootflash:cat4500es8-universal.SPA.03.07.02.E.152-3.E2.bin,1;
        Configuration register = 0x2102
                  Fabric State = ACTIVE
          Control Plane State = STANDBY


Executing the command on VSS member switch role = VSS Standby, id = 2

show virtual switch redundancy is not supported on the standby

And here is the firmware version:

Switch#sh version
Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500es8-UNIVERSAL-M), Version 03.07.02.E RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Tue 21-Jul-15 22:39 by prod_rel_team



Cisco IOS-XE software, Copyright (c) 2005-2015 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.
(http://www.gnu.org/licenses/gpl-2.0.html) For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.



ROM: 15.1(1r)SG5
Switch uptime is 18 weeks, 2 days, 14 hours, 21 minutes
Uptime for this control processor is 18 weeks, 2 days, 14 hours, 23 minutes
System returned to ROM by reload
System image file is "bootflash:cat4500es8-universal.SPA.03.07.02.E.152-3.E2.bin"
Jawa Revision 3, RadTrooper Revision 0x0.0x41, Conan Revision 0x1B9E


Last reload reason: Reload command



License Information for 'WS-X45-SUP8-E'
    License Level: ipbase Type: Permanent Right-To-Use
    Next reboot license Level: ipbase

cisco WS-C4503-E (P5040) processor (revision 2) with 4194304K bytes of physical memory.
Processor board ID SPE122401CE
P5040 CPU at 2.2GHz, Supervisor 8-E
Last reset from Reload
14 Virtual Ethernet interfaces
96 Gigabit Ethernet interfaces
40 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.

Configuration register is 0x2102


Thank you for your help and support.

Hi,

Overall, the VSS seems to be configured correctly. What is important are these 2 lines:

Current Software state = ACTIVE

 Current Software state = STANDBY HOT (switchover target)

Which are correct.

Also, can you post the output of the following commands?

sh switch virtual link

sh switch virtual dual-active summary

HTH

Here are the commands outputs:

Switch#sh switch virtual link

Executing the command on VSS member switch role = VSS Active, id = 1


VSL Status : UP
VSL Uptime : 14 weeks, 5 hours, 23 minutes
VSL Control Link : Te1/1/1
VSL Encryption : Configured Mode - Off, Operational Mode - Off


Executing the command on VSS member switch role = VSS Standby, id = 2


VSL Status : UP
VSL Uptime : 14 weeks, 5 hours, 21 minutes
VSL Control Link : Te2/1/1
VSL Encryption : Configured Mode - Off, Operational Mode - Off

Switch#sh switch virtual dual
Switch#sh switch virtual dual-active summary

Executing the command on VSS member switch role = VSS Active, id = 1

Pagp dual-active detection enabled: Yes
FastHello dual-active detection enabled: Yes
In dual-active recovery mode: No


Executing the command on VSS member switch role = VSS Standby, id = 2

Pagp dual-active detection enabled: Yes
FastHello dual-active detection enabled: Yes
In dual-active recovery mode: No

Switch#

VSS looks good to me. From the output you posted, I don't see any issues here.

HTH
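The checks Reza describes above (ACTIVE plus STANDBY HOT in the redundancy output, the VSL up on both members, dual-active detection enabled and no recovery mode) can be automated against saved CLI output. The script below is an added example, not code from the thread or from Cisco; the sample text is constructed from the outputs posted earlier in this thread, and the function name check_vss_health is an assumption of this example.

```python
import re

# Constructed sample, trimmed from the outputs posted in this thread
# (only the lines the check inspects are kept).
SAMPLE_REDUNDANCY = """\
    Operating Redundancy Mode = Stateful Switchover
Switch 1 Slot 1 Processor Information :
        Current Software state = ACTIVE
Switch 2 Slot 1 Processor Information :
        Current Software state = STANDBY HOT (switchover target)
"""
SAMPLE_LINK = """\
VSL Status : UP
VSL Control Link : Te1/1/1
VSL Status : UP
VSL Control Link : Te2/1/1
"""
SAMPLE_DUAL_ACTIVE = """\
Pagp dual-active detection enabled: Yes
FastHello dual-active detection enabled: Yes
In dual-active recovery mode: No
"""

def check_vss_health(redundancy, link, dual_active):
    """Return a list of findings; an empty list means the VSS looks healthy:
    one ACTIVE and one STANDBY HOT supervisor in SSO, the VSL UP on every
    member, all dual-active detection enabled, and no recovery mode."""
    findings = []
    states = [s.strip() for s in re.findall(r"Current Software state = (.+)", redundancy)]
    if len(states) != 2:
        findings.append("expected 2 supervisor states, found %d" % len(states))
    if "ACTIVE" not in states:
        findings.append("no supervisor is ACTIVE")
    if not any(s.startswith("STANDBY HOT") for s in states):
        findings.append("peer is not STANDBY HOT (no stateful switchover target)")
    mode = re.search(r"Operating Redundancy Mode = (.+)", redundancy)
    if mode is None or mode.group(1).strip() != "Stateful Switchover":
        findings.append("operating redundancy mode is not Stateful Switchover")
    # "sh switch virtual link" prints one VSL Status line per member; all must be UP.
    vsl = re.findall(r"VSL Status : (\S+)", link)
    if not vsl or any(s != "UP" for s in vsl):
        findings.append("VSL is not UP on every member: %s" % vsl)
    # Both PAgP and FastHello detection should report Yes; recovery mode must be No.
    detection = re.findall(r"dual-active detection enabled: (\S+)", dual_active)
    if not detection or any(v != "Yes" for v in detection):
        findings.append("a dual-active detection method is disabled")
    if re.search(r"In dual-active recovery mode: Yes", dual_active):
        findings.append("chassis is in dual-active recovery mode")
    return findings
```

A clean result only says the VSS pair itself is healthy; as the replies below point out, the packet loss can still come from the routing and next-hop resolution toward the firewalls.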

OK,
the Core is configured as the GW for the clients,
BUT
the Core needs to point only to the active FW, not the standby.
So since you run VSS and there is a VLAN between the Core VSS and the inside of the FW, then only configure a static route toward the active one and that's it.

If you want to load balance between the two FWs then make them Active/Active and split your client VLANs: some will forward to FW1 and the others will forward to FW2.

I think there is no issue here with the Core; the issue is in the routing toward the FW.

Thank you @MHM Cisco World for your reply. I forgot to mention something (I don't know if it will make a difference or not). We have an additional data center firewall (not included in the diagram). Some VLANs have the data center firewall as their gateway. When I traceroute from these VLANs to 8.8.8.8, it goes to the core switch, then the data center firewall, then the edge firewall, then the Internet.

You are saying to configure a static route toward the active FW, but actually both firewalls have the same IP since they are configured as HA.

I have little knowledge of FortiGate,

But with FW HA, both are in the same subnet but do not have the same IP.

The IP will change when the failover process starts after the active FW fails.

Here I think you have two MAC addresses for the same IP.

Check this point.

Doing a traceroute does not help because you get the same IP as the next hop, but monitoring the MAC address table will help you.

The only case where the FWs have the same IP (VIP) is when configured as a cluster, but you mentioned the FW is active/standby?

Wow.  IOS-XE version 3.7.2.  
Brave.

@Leo Laohoo, what do you recommend?
