HSRP problem

royalblues · ‎02-01-2007

Attached is a topology in one of our offices.

The network was running fine till today where my HSRP failed for a pair of routers and produced the following logs

2/1/2007 10:45 Local1.Warning 172.16.102.31 1407: 19w4d: %HSRP-4-DIFFVIP1: FastEthernet0/0 Grp 1 active routers virtual IP address 169.191.135.1 is different to the locally configured address 172.16.102.30

2/1/2007 10:24 Local7.Error 172.16.102.32 2161: 35w0d: %AMDP2_FE-3-RXOVERFLO: FastEthernet0/0 Rx FIFO Overflow

2/1/2007 10:45 Local7.Info 172.16.102.32 2163: 35w0d: %HSRP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Speak

2/1/2007 10:45 Local7.Warning 172.16.102.32 2164: 35w0d: %HSRP-4-DIFFVIP1: FastEthernet0/0 Grp 1 active routers virtual

2/1/2007 10:45 Local7.Warning 172.16.102.32 2165: IP address 169.191.135.1 is different to the locally configured

2/1/2007 10:45 Local7.Warning 172.16.102.32 2166: address 172.16.102.30

2/1/2007 10:46 Local7.Warning 172.16.102.32 2167: 35w0d: %HSRP-4-DIFFVIP1: FastEthernet0/0 Grp 1 active routers virtual

2/1/2007 10:46 Local7.Warning 172.16.102.32 2168: IP address 169.191.135.1 is different to the locally configured

2/1/2007 10:46 Local7.Warning 172.16.102.32 2169: address 172.16.102.30

Would like to know whether using the same group number was the culprit.

The reason why i am puzzled is because the network was running fine since its implementation for the past 6 months

Narayan

Anand Narayana · ‎02-01-2007

Hi Narayan,

juz go to command lookup tool, which will give you a clear explanation, rather than me juz copying it & pasting it.

just type the error message one by one, it will give clear picture about the probs.

https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl

you need to login

royalblues · ‎02-01-2007

Anand,

I had done that. THe network as you see is a total flat network and hence does not invlove any loops and hence i am a little confused.

Narayan

kwesiarmah · ‎08-12-2016

I had similar issue but it was glbp and found out that, there interface ip address range was different from the gateway. Immediately I changed the gateway to the right ip it worked.

EDT: %GLBP-4-DIFFVIP1: VlanXXXX Grp XXX active routers virtual -IP address 10.X.X.1 is different to the locally configured address 10.X.X.1

rdessert · ‎02-01-2007

I believe you should use different HSRP group numbers for each network. HSRP doesn't like that a VIP is on a different network.

2/1/2007 10:45 Local1.Warning 172.16.102.31 1407: 19w4d: %HSRP-4-DIFFVIP1: FastEthernet0/0 Grp 1 active routers virtual IP address 169.191.135.1 is different to the locally configured address 172.16.102.30

If you sent the HSRP interface configs, that would help.

royalblues · ‎02-01-2007

The routers conencting to MPLS are in the 172.16.102.0 subnet - VLAN 1 and the routers connecting to Tigers client is in 169.191.135.0 subnet which is vlan 9.

Here is what i would like to know..

Now HSRP sends it hello packets to the address 224.0.0.2. So does the hello sent by the routers in VLAN 9 ia also received by routers in VLAN 1.

Since the entire setup was working fine, i am still wondering how did this hello leak to the other VLAN. This actually brought the network down.

Here is the relevant HSRP config of the routers

MPLS routers

R1

interface FastEthernet0/0

ip address 172.16.102.32 255.255.254.0

no ip redirects

no ip proxy-arp

speed 100

full-duplex

no cdp enable

standby 1 ip 172.16.102.30

standby 1 priority 100

standby 1 preempt

standby 1 track FastEthernet0/1

interface FastEthernet0/0

ip address 172.16.102.31 255.255.254.0

no ip redirects

no ip proxy-arp

speed 100

full-duplex

no cdp enable

standby 1 ip 172.16.102.30

standby 1 priority 100

standby 1 preempt

standby 1 track FastEthernet0/1

Tiger client routers

interface FastEthernet0/0

ip address 169.191.135.2 255.255.255.0

no ip redirects

no ip proxy-arp

speed 100

full-duplex

no cdp enable

standby 1 ip 169.191.135.1

standby 1 priority 100

standby 1 preempt

standby 1 track serial 0/0

interface FastEthernet0/0

ip address 169.191.135.3 255.255.255.0

no ip redirects

no ip proxy-arp

speed 100

full-duplex

no cdp enable

standby 1 ip 169.191.135.1

standby 1 priority 100

standby 1 preempt

standby 1 track serial 0/0

MPLS routers are connected to switch ports in VLAN1 and tigers routers are connected to VLAN9

Narayan

juankarlo · ‎10-17-2008

I'm not sure if you have found the issue. We had the same problem in our network. What happened to us is that two ports on different VLANS were connected to a hub.

Both VLANS became unavailable because both layer 3 switches went crazy on deciding who would have the VIP.

Now, since that can happen again very easily I want to find out how to avoid that a connection like this could bring the network down. What I would like is that the ports involved in a situation like this to be blocked.

Could that be possible?

Regards,

-Juan Karlo

Giuseppe Larosa · ‎10-18-2008

Hello Juan,

I think that using HSRP authentication with different key in each group/Vlan could help to make each router discard unwanted packets they should be ignored before discussing about the VIP address.

One thing to be checked is that if there are switch ports not hardcoded to be access ports (switchport mode access) they can negotiate a trunk and make to communicate two vlans if they have a native vlan mismatch.

We had a case like this in our DMZ.

Hope to help

Giuseppe

venom43212 · ‎10-21-2008

Your priority is set to 100 (default) on both interfaces in both groups and you have it set to preempt. While I don't know if this was the cause of your problem, there have been cases where this can cause unpredictable behavior having the priorities the same and there is a problem determining who is active and who is stanby. Raise the priority to 110 on one of the interfaces on each router.