Use backup-stay-up only when there are no IP addresses defined at circuit level.
Various network connectivity issues, increased packet loss or performance degradation
Neighbor devices receive ARP responses for the VRRP address from the backup chassis
VRRP configuration includes the option backup-stay-up
IP addresses are configured at both circuit level and VRRP level
With backup-stay-up, the VRRP addresses are active on both the master and the backup chassis. This option is typically used with the Check Point VSX application. Its purpose is to keep the entries related to the associated circuit in the routing table regardless of VRRP status, which allows a fast re-convergence upon VRRP failover.
This option is intended to be used only when all IP addresses for the associated circuit are defined at VRRP level. The VND driver then blocks all outgoing communication on the circuit while the chassis is in backup mode (with the exception of LACP frames if the circuit is part of a group-interface).
If the circuit is configured with an IP address at circuit level, the VND driver cannot block the traffic, and such a configuration leads to undesirable behavior:
circuit inside
  device-name inside
  vap-group fw
    ip 192.168.10.2/24 192.168.10.255
In this invalid configuration, an IP address is defined at circuit level together with a virtual-ip at VRRP level. Since backup-stay-up is configured as well, the virtual-ip address will always be up and the backup chassis will also actively respond to ARP requests for it, causing an unexpected Active-Active scenario.
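The following configuration check is an added example and not part of the original article or of the XOS product. It scans an indented configuration text for the conflict described above: a circuit that carries an ip statement at circuit level while a VRRP entry for the same circuit uses backup-stay-up. Only the "circuit ... ip" block form is taken from the article; the layout of the VRRP block (a top-level "vrrp" statement with nested "circuit", "backup-stay-up" and "virtual-ip" lines) and the sample configuration are constructed assumptions for the check.

```python
"""Flag circuits that combine a circuit-level IP with VRRP backup-stay-up.

Assumed layout (not taken from the article): top-level "circuit <name>"
blocks hold the circuit-level "ip" lines; a top-level "vrrp ..." block
holds nested "circuit <name>" sub-blocks with "backup-stay-up" and
"virtual-ip" lines. Indentation marks nesting, as in the article's snippet.
"""
from dataclasses import dataclass, field


@dataclass
class Circuit:
    name: str
    circuit_ips: list = field(default_factory=list)  # addresses at circuit level
    vrrp_ips: list = field(default_factory=list)     # virtual-ip addresses
    backup_stay_up: bool = False


def parse_config(text):
    """Return {circuit name: Circuit} from an indented XOS-style config text."""
    circuits = {}
    ctx = None       # top-level context: "circuit", "vrrp" or None
    current = None   # Circuit currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip())
        words = line.split()
        if indent == 0:
            # A top-level statement opens a new context.
            if words[0] == "circuit" and len(words) > 1:
                ctx = "circuit"
                current = circuits.setdefault(words[1], Circuit(words[1]))
            elif words[0] == "vrrp":
                ctx = "vrrp"
                current = None
            else:
                ctx, current = None, None
            continue
        if ctx == "vrrp" and words[0] == "circuit" and len(words) > 1:
            # Nested circuit entry inside the VRRP block.
            current = circuits.setdefault(words[1], Circuit(words[1]))
            continue
        if current is None:
            continue
        if ctx == "circuit" and words[0] == "ip" and len(words) > 1:
            current.circuit_ips.append(words[1])
        elif ctx == "vrrp" and words[0] == "virtual-ip" and len(words) > 1:
            current.vrrp_ips.append(words[1])
        elif ctx == "vrrp" and words[0] == "backup-stay-up":
            current.backup_stay_up = True
    return circuits


def find_conflicts(circuits):
    """Names of circuits where backup-stay-up meets a circuit-level IP."""
    return sorted(name for name, c in circuits.items()
                  if c.backup_stay_up and c.circuit_ips)


# Constructed sample: "inside" reproduces the article's invalid case,
# "outside" is the valid backup-stay-up form, "dmz" is plain VRRP.
SAMPLE_CONFIG = """\
circuit inside
  device-name inside
  vap-group fw
    ip 192.168.10.2/24 192.168.10.255
circuit outside
  device-name outside
  vap-group fw
circuit dmz
  device-name dmz
  vap-group fw
    ip 172.16.5.2/24 172.16.5.255
vrrp failover-group 1
  vap-group fw
  circuit inside
    vrid 10
    backup-stay-up
    virtual-ip 192.168.10.1/24 192.168.10.255
  circuit outside
    vrid 20
    backup-stay-up
    virtual-ip 10.0.0.1/24 10.0.0.255
  circuit dmz
    vrid 30
    virtual-ip 172.16.5.1/24 172.16.5.255
"""

if __name__ == "__main__":
    for name in find_conflicts(parse_config(SAMPLE_CONFIG)):
        print(f"circuit {name}: circuit-level ip together with backup-stay-up "
              f"(backup chassis will answer ARP for the virtual-ip)")
```

Run against a saved configuration, the check reports only "inside": "outside" keeps all its addresses at VRRP level, and "dmz" has a circuit-level address but no backup-stay-up, which is the ordinary VRRP case the article does not object to.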
The backup-stay-up command should only be used in conjunction with VRRP addresses, with no IP address defined at circuit level. This type of configuration is typical for Check Point VSX deployments.