VRRP TROUBLESHOOTING - STANDARD OPERATING PROCEDURE

Knowledge Base Article

Document ID: RATIS-KB-VRRP-001
Version: 1.0
Last Updated: June 12, 2026
Platform: Juniper Networks (MX, SRX, EX Series)
Status: Production

1. OVERVIEW

Virtual Router Redundancy Protocol (VRRP) provides automatic failover capability for critical network services. This SOP provides step-by-step troubleshooting guidance and log collection procedures for resolving VRRP-related issues on Juniper devices.

1.1 Objective

• Identify VRRP operational issues quickly
• Collect comprehensive diagnostic information
• Resolve common VRRP problems
• Provide escalation path for complex issues

1.2 Scope

This document covers: - VRRP v2 and VRRP v3 issues - Single and multi-group VRRP configurations - Active-backup failover scenarios - All Juniper routing platforms (MX, SRX, EX, vMX)

2. COMMON VRRP SYMPTOMS & ISSUES

3. PREREQUISITES FOR TROUBLESHOOTING

Before starting troubleshooting, ensure you have:

• Access to both VRRP routers (primary and backup)
• CLI access to Juniper devices with proper credentials
• Network connectivity to management interfaces
• Documentation of expected VRRP configuration
• Baseline understanding of VRRP priorities and timers
• Permission to enable packet captures if needed
• Storage for log files (at least 100MB free space)

4. INITIAL DIAGNOSTIC STEPS

Step 1: Verify VRRP Group Status

Command:

show vrrp brief
show vrrp detail

Expected Output for Master:

Interface     Group  Priority  PreemptDelay   State   Master IP/Addr
ge-0/0/0.0    1      100       0             Master  192.168.1.1

Expected Output for Backup:

Interface     Group  Priority  PreemptDelay   State   Master IP/Addr
ge-0/0/0.0    1      90        0             Backup  192.168.1.1

What to Look For: - ✓ Master and Backup role assignments correct - ✓ Priorities match configuration - ✓ Master IP shows correct virtual IP address - ✗ State shows “Initialize” (configuration issue) - ✗ State shows “Disabled” (VRRP not running)

Step 2: Check Interface Status

Command:

show interfaces ge-0/0/0.0 terse
show interfaces ge-0/0/0.0 detail

Verify: - ✓ Interface status is “Up” - ✓ Physical link status is “Up” - ✓ Unit (logical interface) is “Up” - ✗ Interface is “Down” or “Disabled” - ✗ Link is “Down”

Step 3: Verify VRRP Configuration

Command:

show configuration interfaces ge-0/0/0.0 unit 0
show configuration | display set | grep vrrp

Check for:

set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.2/24
set interfaces ge-0/0/0 unit 0 family inet vrrp-group 1 virtual-address 192.168.1.1
set interfaces ge-0/0/0 unit 0 family inet vrrp-group 1 priority 100
set interfaces ge-0/0/0 unit 0 family inet vrrp-group 1 authentication-type md5
set interfaces ge-0/0/0 unit 0 family inet vrrp-group 1 authentication-key "$9$encrypted_key"

Step 4: Check VRRP Counters and Statistics

Command:

show vrrp statistics
show vrrp detail ge-0/0/0.0 group 1

Key Metrics: - Advertisement packets sent/received: Should increase over time - Authentication failures: Should be zero for matched configs - Master to Backup transitions: Should be minimal - Master transitions: High count = instability

Interpret Results: - ✓ Advertisement Rx/Tx increasing steadily = Normal operation - ✗ Advertisement Rx = 0 = No packets from peer - ✗ Authentication Failures > 0 = Password/key mismatch

5. STEP-BY-STEP TROUBLESHOOTING WORKFLOW

SCENARIO 1: Failover Not Working

Step 1.1: Verify Primary Interface is Up

show interfaces terse | match ge-0/0/0.0

Step 1.2: Check VRRP Status on Both Routers

show vrrp brief ge-0/0/0.0

Step 1.3: Verify Priority Ordering

show configuration interfaces ge-0/0/0.0 unit 0 | grep priority

• Ensure: Primary Priority > Secondary Priority (e.g., 100 > 90)
• If reversed, update configuration

Step 1.4: Check Preemption Setting

show configuration interfaces ge-0/0/0.0 unit 0 | grep -i preempt

Step 1.5: Test Failover (Lab/Controlled)

request routing-options graceful-restart (on primary)
show vrrp brief (verify secondary becomes Master)

Step 1.6: Verify Traffic After Failover

ping <virtual-ip>
ping <next-hop-address>

SCENARIO 2: Both Routers Showing Master Status

Critical: This is a Split-Brain Condition

Step 2.1: Stop VRRP on Primary (Temporary Fix)

deactivate interfaces ge-0/0/0 unit 0 family inet vrrp-group 1
commit

Step 2.2: Collect Detailed Logs Immediately

show vrrp detail > vrrp_split_brain.log
show interfaces ge-0/0/0.0 detail > interface_status.log
show log messages | last 100 > system_log.log

Step 2.3: Identify Root Cause Check for: - Mismatched virtual MAC addresses - Same priority on both routers: show configuration | grep priority - Network partition/connectivity issue: ping <peer-router> - Interface flapping: show log messages | match "Interface|VRRP"

Step 2.4: Correct Configuration - Ensure unique priorities (100 vs 90) - Verify authentication keys match: show configuration | grep auth - Check advertisement interval matches on both routers

SCENARIO 3: VRRP Flapping (Rapid Master/Backup Transitions)

Step 3.1: Check System Resources

show route summary
show system alarms
show chassis routing-engine

• High CPU usage can cause flapping
• Memory issues can trigger instability

Step 3.2: Verify Advertisement Interval

show vrrp detail | grep "Advertisement"
show configuration interfaces ge-0/0/0.0 unit 0 | grep "advertise-interval"

• Default: 1 second
• Minimum recommended: 1 second (adjust if network unstable)
• Check both routers match: show configuration | grep advertise-interval

Step 3.3: Check for Interface Flapping

show log messages | match "Interface|VRRP" | tail -50
show interfaces ge-0/0/0.0 diagnostics optics

• Look for interface link state changes
• Check optical signal levels if applicable

Step 3.4: Increase Advertisement Interval (if appropriate)

set interfaces ge-0/0/0 unit 0 family inet vrrp-group 1 advertise-interval 2
commit
show vrrp brief (verify stability)

Step 3.5: Check for Mismatched Timers

show vrrp detail ge-0/0/0.0 group 1

• Compare on both routers
• Advertisement intervals should match
• Down interval = 3.6 × advertisement-interval

SCENARIO 4: Virtual IP Not Responding

Step 4.1: Verify Virtual IP Configuration

show configuration interfaces ge-0/0/0.0 unit 0 | grep "vrrp\|virtual-address"

Step 4.2: Verify Master is Responding

ping 192.168.1.1 (virtual IP)
show arp | grep 192.168.1.1

Step 4.3: Check ARP Binding

show arp interface ge-0/0/0.0

• Virtual IP should have virtual MAC (XX:XX:XX:5E:01:01 for group 1)
• Physical IP should have physical MAC

Step 4.4: Verify Master Router is Forwarding

show route 0.0.0.0/0
show interfaces routing (on Master)

Step 4.5: Check Firewall/Filter Rules

show configuration firewall filter FILTER_NAME
show filter count FILTER_NAME

6. LOG COLLECTION PROCEDURE

6.1 Collecting Basic VRRP Logs (No Downtime Required)

Execute on BOTH primary and backup routers:

# Create timestamp for log files
set hostname | grep -i hostname

# Collect VRRP status information
show vrrp brief > vrrp_status_brief.txt
show vrrp detail > vrrp_status_detail.txt
show vrrp statistics > vrrp_statistics.txt

# Collect interface information
show interfaces terse | match vrrp-interface > interface_status.txt
show interfaces ge-0/0/0.0 detail > interface_detail.txt

# Collect configuration
show configuration interfaces ge-0/0/0.0 unit 0 > vrrp_configuration.txt
show configuration | display set | grep vrrp > vrrp_config_hierarchy.txt

# Collect ARP information
show arp | grep -E "192.168.1|virtual" > arp_table.txt

# Collect routing information
show route summary > route_summary.txt
show route table > route_table.txt

# Collect system information
show chassis routing-engine > routing_engine_status.txt
show system information > system_info.txt
show system alarms > system_alarms.txt

6.2 Collecting System Logs

Command:

show log messages | last 500 > system_messages.log
show log messages | match VRRP | last 100 > vrrp_messages.log
show log messages | match "Interface" | last 100 > interface_messages.log

Log File Location on Juniper:

/var/log/messages (system log)
/var/log/dtrace (dynamic trace logs)
/var/log/routing (routing protocol logs)

6.3 Enabling VRRP Debug Traces

WARNING: This increases CPU usage - use for active troubleshooting only

Step 1: Enable Debug Tracing

set interfaces ge-0/0/0 unit 0 family inet vrrp-group 1 track interface ge-0/0/1
request shell
# Inside shell:
tail -f /var/log/messages | grep -i vrrp

Step 2: Reproduce the Issue - Trigger failover or wait for flapping to occur - Allow 30-60 seconds of trace capture

Step 3: Collect Trace File

file copy /var/log/messages /var/tmp/vrrp_debug.log
show log messages | last 500 > /var/tmp/vrrp_debug_full.log

6.4 Packet Capture for Advanced Troubleshooting

When to Use: Authentication failures, missing advertisements, split-brain conditions

Steps:

# Start packet capture on VRRP interface
request packet-capture interface ge-0/0/0.0 count 100 file /var/tmp/vrrp_capture.pcap filter "proto 112"

# Alternative: Capture VRRP advertisements
request packet-capture interface ge-0/0/0.0 count 200 file /var/tmp/vrrp_packets.pcap filter "(dst 224.0.0.18 or proto 112)"

# Wait for packets to be captured (30-60 seconds)

# Stop capture (Ctrl+C) or wait for count to be reached

# Save capture file
file copy /var/tmp/vrrp_capture.pcap /var/tmp/vrrp_capture_backup.pcap

# Retrieve file to your workstation using SCP or SFTP

Analyze with Wireshark: - Filter: vrrp or proto == 112 - Look for VRRP advertisements - Check authentication data - Verify priority values

7. DIAGNOSTIC COMMANDS REFERENCE

View Current VRRP Status

show vrrp brief
show vrrp detail [interface]
show vrrp statistics [interface]

Check Configuration

show configuration interfaces ge-0/0/0.0 unit 0 | grep vrrp
show configuration | display set | grep vrrp

Verify Timers

show vrrp detail | grep -E "Priority|Advertisement|Interval"

Monitor Real-time

monitor interface ge-0/0/0.0
monitor traffic interface ge-0/0/0.0

Check for Errors/Issues

show interfaces diagnostics optics ge-0/0/0
show interfaces errors ge-0/0/0.0
show log messages | match VRRP

Validate Connectivity

ping 192.168.1.1 (virtual IP)
ping 192.168.1.2 (primary physical IP)
traceroute 192.168.1.1

Check Master/Backup State Transitions

show log messages | match "VRRP_STATE_CHANGE"
show vrrp detail | grep -E "State|Master"

8. COMMON ROOT CAUSES & SOLUTIONS

9. ESCALATION CRITERIA

Escalate to JTAC if:

1. Persistent split-brain condition after applying fixes
2. Both routers showing Master state despite no network partition
3. VRRP flapping continues after increasing timers
4. Authentication failures despite matching keys
5. Virtual IP completely unreachable from network
6. Multiple VRRP groups failing simultaneously
7. High CPU usage (>80%) caused by VRRP
8. Packet loss observed in VRRP advertisement capture
9. Issue affects critical production services

Provide JTAC with: - All logs from Section 6 (Log Collection) - Packet capture files (if available) - Configuration files from both routers - Timeline of when issue started - Any recent changes to network or configuration

10. CONFIGURATION VERIFICATION CHECKLIST

Before Declaring VRRP Operational:

• ☐ Both routers showing correct Master/Backup roles
• ☐ Virtual IP reachable from network
• ☐ Priority values unique (primary > backup)
• ☐ Advertisement intervals match on both routers
• ☐ Authentication keys match (if authentication enabled)
• ☐ Preemption settings correct
• ☐ Interfaces in “Up” state
• ☐ No VRRP errors in system logs
• ☐ VRRP counters incrementing properly
• ☐ Failover tested successfully (in lab/maintenance window)
• ☐ No split-brain conditions observed
• ☐ ARP table showing correct MAC for virtual IP

11. REFERENCE DOCUMENTATION

Juniper Technical Publications: - VRRP Technical Documentation - Juniper MX/SRX Configuration Guide - VRRP Best Practices Guide

External References: - RFC 5798 (VRRP v3) - RFC 3768 (VRRP v2)

Related Procedures: - Interface Troubleshooting SOP - Network Connectivity Verification - System Performance Baseline

12. DOCUMENT HISTORY

For Support: Contact Network Operations Center or JTAC
Document Owner: Race Ahead IT Solutions
Last Reviewed: June 12, 2026