HSRP problem

Unanswered Question
Jan 1st, 2008

I configured to cisco router to work in active/standby mode following is the config

router1:

standby 1 ip <VIP>

standby 1 priority 105

standby 1 preempt

standby 1 track Serial3/0:0

router2:

standby 1 ip <VIP>

standby 1 preempt

confguration is on f0/0 interface and the two routers are conected to the same firewall.

the problem is when i did a shutdowm to serial inteface the HSRP works fine (Active router become Standby )but I can't connect to internet??? attached a debug done when I shutdown serial interface.....

Attachment: 
I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
ankbhasi Tue, 01/01/2008 - 23:13

Hi Friend,

The problem is not releated to HSRP I believe. Your router 2 is active now which means HSRP is working fine. I believe problem is related to routes.

Can you check the default gateway on your machines or firewall is pointing to VIP address configured on both the routers? Also does your router 2 has proper routes configured to reach internet and then back to your firewall?

Regards,

Ankur

mohammady Tue, 01/01/2008 - 23:25

the default route on the firewall is the virual IP address also I tested router connectivity to internet and it is ok.

ariesc_33 Wed, 01/02/2008 - 00:37

Hi,

Can you ping the internet using the ethernet interface as the source interface from the router? Also, can you ping the VIP and the ip address of the serial interface of your router from the firewall.

mohammady Wed, 01/02/2008 - 00:46

yes..no problem to connect to internet for the two routers..note that the problem occur only when I tried to do failover, I mean that no problem to connect to internet when the first router is active and second is standby with default route on firewall is VIP IP ,but when I shutdown the serial interface on the first router(active router)I cant connect to internet although the second router change their state from standby to active.

the second router connectivity to internet was tested and it is OK.

ariesc_33 Wed, 01/02/2008 - 00:56

If i understand it correctly, you setup should look like this

firewall| ----> Router 1 ---->>ISP

----> Router 2 ---->>

I you just pinged the internet by default it will use the serial interface (or interface that is directly connected to your ISP) as the source. Try extended ping and use FE or the VIP as the source address.

mohammady Wed, 01/02/2008 - 01:25

I do a ping to internet using FE as the source interface and the ping succeeded.

my connection is like following:

firewall -->router1 -->ISP

--> router2-->ISP

ankbhasi Wed, 01/02/2008 - 01:55

Hi Friend,

Is your individual router doing NAT for your traffic to go on internet or firewall?

Regards,

Ankur

ankbhasi Wed, 01/02/2008 - 02:34

Hi Friend,

Now that could be an issue. How have you configured your firewall to do a NAT Fallback?

By this I mean your firewall must be doing a NAT with active router serial interface ip or some ip which is allowed by your ISP 1 now when your active router which is router 1 goes down and standby router which is router 2 comes up how will your firewall come to know that now it has to start NAT with router 2 serial interface ip address or any ip address which is allowed by your ISP 2?

Can you please confirm if you have done some check on your firewall for the same?

Regards,

Ankur

andyskyview Wed, 01/02/2008 - 01:42

Hi mohammady

Could you do a traceroute on the pc, is it via different router when the primary router down. Also please post the running config of these routers and the show standby

Thanks

Andy

mohammady Wed, 01/02/2008 - 02:56

1-I change the default route on the firewall to be the second router IP(standby router)and I did a traceroute to yahoo IP.

2-when the default route on the firewall is VIP and the first router is active and second is standby traceroute is ok.

3-when the default route on the firewall is VIP and the first router is standby and second is active traceroute is not ok.??

what you suggest!!!!???

BALAJI RAJAN Wed, 01/02/2008 - 03:11

Do paste show IP route on both the routers.

In the first option you mentioned,

"1-I change the default route on the firewall to be the second router IP(standby router)and I did a traceroute to yahoo IP. " Check router-2 is sending traffic to Router-1 and then reaching to internet(Yahoo).

Mostly reverse route might not be abailable thr ISP thr links to both the routers. Check with ISP for backup route to the LAN public network through second router serial link.

ankbhasi Wed, 01/02/2008 - 03:13

Hi Friend,

I understood your problem but what I will like to know as you mentioned your firewall is doing NAT can you please update how will your firewall do the NAT with second router ip address when your primary router fails?

Can you update more on how you have configured NAT on your firewall?

Regards,

Ankur

BALAJI RAJAN Wed, 01/02/2008 - 03:07

This is not look like HSRP issue. Pls see the public IP address is routed from ISP thr both router links.. It might be due to reverse route issue from ISP.

mohammady Wed, 01/02/2008 - 03:32

but if this is the problem why things work properly when I changed the default route on the firewall to standby router IP not the virtual IP.

mohammady Mon, 01/07/2008 - 13:55

I tried to shutdown f0/0 interfarce on the active router the result was the first router change their state to 'init' and the backup router become active,but when I made a trace-route to real IP address from firewall the result was the trace goes to two hops only and stoped although when I made the same trace ( same real IP) from the router itself I can reach the destination without any problem..

Any suggestions????

nikhil.engineer Tue, 01/08/2008 - 04:33

Hi,

If I have understood it properly then your config is as follows:-

Natting on firewall

HSRP between Router1 and Router2

So, The problem lies in the firewall.

In firewall once you have made connection with public ip the session ie the translation will be present even if the internet link fails. You have to give "clear xlate" cmd. and then try to ping the destination once your active router fails.

HTH,

Cheers,

Nikhil E.

mohammady Tue, 01/08/2008 - 07:39

I dont understand what do you mean by "clear xlate" cmd I'm using juniper firewall???

nikhil.engineer Tue, 01/08/2008 - 20:03

Please check the command to clear the current translations and current information in Juniper.

You can go through the below link to know more about the cmd.

http://cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1084248

This solution is temporary solution. Whenever your serial interface goes down your nat translation needs to be changed.

One solution is to do natting on routers itself using stateful nat which will work fine with your HSRP.But this solution is not the best solution if you are using Firewall.

You can take help of Security experts for more solutions.

HTH.

Cheers,

Nikhil E.

Actions

This Discussion