01-01-2008 11:08 PM - edited 03-05-2019 08:14 PM
I configured two Cisco routers to work in active/standby mode; following is the config:
router1:
standby 1 ip <VIP>
standby 1 priority 105
standby 1 preempt
standby 1 track Serial3/0:0
router2:
standby 1 ip <VIP>
standby 1 preempt
The configuration is on the f0/0 interface and the two routers are connected to the same firewall.
The problem is that when I did a shutdown on the serial interface, HSRP works fine (the active router becomes standby), but I can't connect to the internet??? Attached is a debug done when I shut down the serial interface.....
01-01-2008 11:13 PM
Hi Friend,
The problem is not related to HSRP, I believe. Your router 2 is active now, which means HSRP is working fine. I believe the problem is related to routes.
Can you check that the default gateway on your machines or firewall is pointing to the VIP address configured on both the routers? Also, does your router 2 have proper routes configured to reach the internet and then back to your firewall?
Regards,
Ankur
01-01-2008 11:25 PM
The default route on the firewall is the virtual IP address. Also, I tested router connectivity to the internet and it is OK.
01-02-2008 12:37 AM
Hi,
Can you ping the internet using the ethernet interface as the source interface from the router? Also, can you ping the VIP and the IP address of the serial interface of your router from the firewall?
01-02-2008 12:46 AM
Yes, no problem connecting to the internet for the two routers. Note that the problem occurs only when I try to do failover. I mean that there is no problem connecting to the internet when the first router is active and the second is standby, with the default route on the firewall being the VIP IP, but when I shut down the serial interface on the first router (active router) I can't connect to the internet, although the second router changes its state from standby to active.
The second router's connectivity to the internet was tested and it is OK.
01-02-2008 12:56 AM
If I understand it correctly, your setup should look like this:
firewall| ----> Router 1 ---->>ISP
----> Router 2 ---->>
If you just pinged the internet, by default it will use the serial interface (or the interface that is directly connected to your ISP) as the source. Try an extended ping and use the FE or the VIP as the source address.
01-02-2008 01:25 AM
I did a ping to the internet using FE as the source interface and the ping succeeded.
My connection is like the following:
firewall -->router1 -->ISP
--> router2-->ISP
01-02-2008 01:55 AM
Hi Friend,
Is your individual router doing NAT for your traffic to go to the internet, or the firewall?
Regards,
Ankur
01-02-2008 02:22 AM
NATing is on the firewall, not on the routers.
01-02-2008 02:34 AM
Hi Friend,
Now that could be an issue. How have you configured your firewall to do a NAT fallback?
By this I mean your firewall must be doing NAT with the active router's serial interface IP or some IP which is allowed by your ISP 1. Now, when your active router, which is router 1, goes down and the standby router, which is router 2, comes up, how will your firewall come to know that it now has to start NAT with the router 2 serial interface IP address or any IP address which is allowed by your ISP 2?
Can you please confirm if you have done some check on your firewall for the same?
Regards,
Ankur
01-02-2008 01:42 AM
Hi mohammady
Could you do a traceroute on the PC? Is it via a different router when the primary router is down? Also, please post the running config of these routers and the show standby.
Thanks
Andy
01-02-2008 02:56 AM
1- I changed the default route on the firewall to be the second router IP (standby router) and I did a traceroute to a Yahoo IP.
2- When the default route on the firewall is the VIP and the first router is active and the second is standby, traceroute is OK.
3- When the default route on the firewall is the VIP and the first router is standby and the second is active, traceroute is not OK??
What do you suggest!!!!???
01-02-2008 03:11 AM
Do paste show ip route on both the routers.
In the first option you mentioned,
"1-I change the default route on the firewall to be the second router IP(standby router)and I did a traceroute to yahoo IP. " Check that router-2 is sending traffic to Router-1 and then reaching the internet (Yahoo).
Mostly, the reverse route might not be available through the ISP through the links to both the routers. Check with the ISP for a backup route to the LAN public network through the second router's serial link.
01-02-2008 03:13 AM
Hi Friend,
I understood your problem, but what I would like to know is, as you mentioned your firewall is doing NAT, can you please update how your firewall will do the NAT with the second router's IP address when your primary router fails?
Can you update more on how you have configured NAT on your firewall?
Regards,
Ankur
01-02-2008 03:07 AM
This does not look like an HSRP issue. Please see that the public IP address is routed from the ISP through both router links. It might be due to a reverse route issue from the ISP.