Unanswered Question
May 3rd, 2007

Dual Cisco2821's with Dual ISA Servers on a DMZ.

ISA uses virtual IP's. Want redundant Static NAT's thru single virtual from ISA but on BOTH Cisco2821's for fail-over.

Get duplicate IP in logs.


gmarogi Wed, 05/09/2007 - 07:05

The error messages do not necessarily indicate an HSRP problem. Rather, the error messages indicate a possible Spanning Tree Protocol (STP) loop or router/switch configuration issue. The error messages are just symptoms of another problem.

Kindly send the error messages logged for an accurate analysis.

bob.forster Wed, 05/09/2007 - 14:01

Dual ISA Boxes using NLBS into DMZ on Cisco2821's.

Using HWIC-4ESW's in each 2821.

2 ports for HSRP and ISA DMZ

2 ports for HSRP and Internet Access

I have static NAT with 3 x IP's (using SNAT as per TAC).

The three static NAT IP's start showing up as duplicate IP's on both the Cisco2821 logs.



bob.forster Wed, 05/09/2007 - 17:03

Here is a Visio plus the 2 x configs.

** Please keep confidential **



Log file

Log Buffer (20000 bytes):

*May 9 17:35:31.691: %IP-4-DUPADDR: Duplicate address on Vlan5, sourced by 001b.533b.0ec0

*May 9 17:36:01.691: %IP-4-DUPADDR: Duplicate address on Vlan5, sourced by 001b.533b.0ec0

*May 9 17:45:01.714: %IP-4-DUPADDR: Duplicate address on Vlan5, sourced by 001b.533b.0ec0

*May 9 17:48:31.724: %IP-4-DUPADDR: Duplicate address on Vlan5, sourced by 001b.533b.0ec0

Paolo Bevilacqua Thu, 05/10/2007 - 13:39


Unfortunately I cannot visualize the Visio file.

Anyway, the thing is that you cannot have the same public address configured on both routers for the same sources. Even if HSRP is supposed to get traffic to one router only at a time, packets can be sent from ISA to the other router too, ARP propagates and the conflict is detected. It may work fine and you can live with the error log, but I would recommend that you check your NIC teaming to work in bridge mode to the router / switches, so that one link is kept down all the time.

That should make packets go to one router only - the hsrp active.

Hope this helps, please rate post if it does!
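
A triage helper for the `%IP-4-DUPADDR` lines posted above, added here as an example and not written by any poster in this thread: it groups the events by interface and source MAC, and labels whether the source is an HSRP or Microsoft NLB virtual MAC or some other device address. The year, the function names and the optional IP field in the pattern are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# The four log lines posted in the thread (IOS prints no year and, here, no IP).
SAMPLE_LOG = """\
*May 9 17:35:31.691: %IP-4-DUPADDR: Duplicate address on Vlan5, sourced by 001b.533b.0ec0
*May 9 17:36:01.691: %IP-4-DUPADDR: Duplicate address on Vlan5, sourced by 001b.533b.0ec0
*May 9 17:45:01.714: %IP-4-DUPADDR: Duplicate address on Vlan5, sourced by 001b.533b.0ec0
*May 9 17:48:31.724: %IP-4-DUPADDR: Duplicate address on Vlan5, sourced by 001b.533b.0ec0
"""
YEAR = 2007  # assumption: taken from the post dates, needed to build a datetime

DUPADDR = re.compile(
    r"\*?(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\.\d+): %IP-4-DUPADDR: "
    r"Duplicate address (?:(?P<ip>\d+(?:\.\d+){3}) )?on (?P<intf>[^,\s]+), "
    r"sourced by (?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})")

# Well-known virtual MAC prefixes; anything else is treated as a device's own address.
VIRTUAL_PREFIXES = {
    "00000c07ac": "HSRPv1 virtual MAC",
    "00000c9ff": "HSRPv2 virtual MAC",
    "02bf": "NLB unicast cluster MAC",
    "03bf": "NLB multicast cluster MAC",
}

def classify_mac(mac):
    digits = mac.lower().replace(".", "")
    for prefix, label in VIRTUAL_PREFIXES.items():
        if digits.startswith(prefix):
            return label
    return "interface (burned-in) or other MAC"

def summarize(log_text):
    """Group DUPADDR events by (interface, source MAC) with gaps in seconds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = DUPADDR.match(line.strip())
        if m:
            ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            events[(m["intf"], m["mac"].lower())].append((ts, m["ip"]))
    report = []
    for (intf, mac), hits in sorted(events.items()):
        stamps = sorted(t for t, _ in hits)
        gaps = [round((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        report.append({"interface": intf, "mac": mac, "kind": classify_mac(mac),
                       "count": len(stamps), "gaps_s": gaps,
                       "ips": sorted({ip for _, ip in hits if ip})})
    return report
```

On the thread's log this reports one source MAC on Vlan5 that matches none of the virtual prefixes, so the next step is to find which device owns that address.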

