I have configured VRRP between two Juniper MX and I want to ping all three addresses (virtual ip, physical, physical) from the OUTSIDE of my network.
From the inside I can ping all three and everything works fine. From the outside, I can only ping two of the addresses: *the virtual ip* and the address of the router where the EBGP traffic enters my network.
If I steer the traffic via BGP MED to router2, then the router2 physical ip will become reachable and router1 physical ip will stop responding to ping.
Is that normal? Why can't the routers reach each other on the vrrp interface?
I'd think of some broken routing and/or RPF. For example, if you're not announcing the route to your provider on the inactive router, the provider might be filtering traffic coming from you because of RPF.
Run traceroute to the IP to see where the traffic to the (inactive router) IP goes and where it stops answering,
check on the last hop that is answering that the route TO your inactive router is correct,
then check the reverse path: where is the route to your OUTSIDE IP (from where you are pinging) pointing to? What kind of devices are there, who owns them? Can you traceroute from the inactive device to the outside? What's the path?
Come back with these details if those steps don't enlighten you by yourself.
Let me say first that VRRP works correctly and everything is online. This is just a cosmetic issue (not being able to ping all three addresses from the outside) that sparked my curiosity.
By default the route from router1 to the vrrp physical address of router2 will point downstream to my switches. In that case I can observe the behaviour described in my first post (only 2 of 3 addresses can be reached from the outside). If I configure the following:
set routing-options interface-routes family inet export point-to-point lan
on both routers then I can ping all three addresses from the outside. This is because the interface routes will export via ibgp from router1 to router2 and vice versa. With this option the route from router1 to the vrrp physical address of router2 will point to the IBGP link between the two routers and I can ping all three addresses.
I just don't understand why I need to export interface-routes in routing-options for this to work - technically router1 should be able to reach router2 by sending my ping packet downstream to my switch and then it should go through the broadcast domain on the switch up to router2.
Do you have the accept-data statement included in the configuration?
It would be helpful if you share the relevant config from your routers.