
HSRP problem

mohammady
Level 1

I configured two Cisco routers to work in active/standby mode; following is the config:

router1:

standby 1 ip <VIP>

standby 1 priority 105

standby 1 preempt

standby 1 track Serial3/0:0

router2:

standby 1 ip <VIP>

standby 1 preempt

The configuration is on the f0/0 interface and the two routers are connected to the same firewall.

The problem is that when I did a shutdown on the serial interface, HSRP works fine (the active router becomes standby), but I can't connect to the internet. Attached is a debug done when I shut down the serial interface.

19 Replies

ankbhasi
Cisco Employee

Hi Friend,

The problem is not related to HSRP, I believe. Your router 2 is active now, which means HSRP is working fine. I believe the problem is related to routes.

Can you check that the default gateway on your machines or firewall is pointing to the VIP address configured on both the routers? Also, does your router 2 have proper routes configured to reach the internet and then back to your firewall?

Regards,

Ankur

The default route on the firewall is the virtual IP address. Also, I tested router connectivity to the internet and it is OK.

Hi,

Can you ping the internet using the Ethernet interface as the source interface from the router? Also, can you ping the VIP and the IP address of the serial interface of your router from the firewall?

Yes, no problem connecting to the internet for the two routers. Note that the problem occurs only when I try to do a failover. I mean that there is no problem connecting to the internet when the first router is active and the second is standby, with the default route on the firewall being the VIP IP, but when I shut down the serial interface on the first router (the active router) I can't connect to the internet, although the second router changes its state from standby to active.

The second router's connectivity to the internet was tested and it is OK.

If I understand it correctly, your setup should look like this:

firewall| ----> Router 1 ---->>ISP

----> Router 2 ---->>

If you just pinged the internet, by default it will use the serial interface (or the interface that is directly connected to your ISP) as the source. Try an extended ping and use the FE or the VIP as the source address.

I did a ping to the internet using FE as the source interface and the ping succeeded.

My connection is like the following:

firewall -->router1 -->ISP

--> router2-->ISP

Hi Friend,

Is your individual router doing NAT for your traffic to go to the internet, or is the firewall?

Regards,

Ankur

NATing is on the firewall, not on the routers.

Hi Friend,

Now that could be an issue. How have you configured your firewall to do a NAT fallback?

By this I mean your firewall must be doing NAT with the active router's serial interface IP or some IP which is allowed by your ISP 1. Now, when your active router, which is router 1, goes down and the standby router, which is router 2, comes up, how will your firewall come to know that it now has to start NAT with router 2's serial interface IP address or any IP address which is allowed by your ISP 2?

Can you please confirm if you have done some check on your firewall for the same?

Regards,

Ankur

andyskyview
Level 1

Hi mohammady

Could you do a traceroute on the PC? Is it via a different router when the primary router is down? Also, please post the running config of these routers and the show standby output.

Thanks

Andy

1- I changed the default route on the firewall to be the second router's IP (the standby router) and I did a traceroute to a Yahoo IP.

2- When the default route on the firewall is the VIP and the first router is active and the second is standby, traceroute is OK.

3- When the default route on the firewall is the VIP and the first router is standby and the second is active, traceroute is not OK.

What do you suggest?

Do paste show IP route on both the routers.

In the first option you mentioned,

"1-I change the default route on the firewall to be the second router IP(standby router)and I did a traceroute to yahoo IP." Check whether router-2 is sending traffic to router-1 and then reaching the internet (Yahoo).

Most likely the reverse route might not be available through the ISP through the links to both the routers. Check with the ISP for a backup route to the LAN public network through the second router's serial link.

Hi Friend,

I understood your problem, but what I would like to know is, as you mentioned your firewall is doing NAT, can you please update how your firewall will do the NAT with the second router's IP address when your primary router fails?

Can you update more on how you have configured NAT on your firewall?

Regards,

Ankur

BALAJI RAJAN
Level 1

This does not look like an HSRP issue. Please see that the public IP address is routed from the ISP through both router links. It might be due to a reverse route issue from the ISP.