01-18-2008 07:04 AM - edited 03-05-2019 08:33 PM
Our ISP has set up HSRP on their switch, x.x.x.1/24, and I've set up HSRP x.x.x.11/24 on the external interfaces of our two routers, rtr1 and rtr2. I have rtr1 set with the higher priority and have preempt enabled.
It's working except for one of the five failure scenarios I tested. When I unplug the external interface on rtr1, rtr2 external becomes active but no traffic is getting past our router. I can ping our HSRP address but not the ISP.
The other 4 scenarios are:
* Unplug internal of rtr2 (nothing happens, as expected).
* Unplug internal of rtr1. Internal of rtr2 becomes active and traffic gets out to the Internet. I plug internal of rtr1 back in and rtr1 becomes active again, as expected.
* Unplug external of rtr2 (nothing happens, as expected).
* Unplug both external and internal of rtr1 (to simulate an rtr1 router failure); external and internal of rtr2 become active and traffic passes, as expected.
I've created a ticket with Cisco and an engineer confirmed my HSRP config. I guess my real question is, is it possible that the ISP did not configure something correctly? I want to see if this is plausible before contacting them.
01-18-2008 07:39 AM
Sounds to me like your HSRP is set up correctly but that the ISP has their route set to your Router1 real IP and not the HSRP address that sits between the two.
I'd ask them what their routing is set to for sending traffic to you.
HTH
Anthony
01-18-2008 08:26 AM
Hi,
I don't agree with the first post since your simulation of router 1 failure works fine.
Are you sure that your tracking works fine?
If you don't use tracking, check routing between rtr1 and rtr2.
Cannot say for sure unless you post your configuration.
I've had a similar case and used the following:
ip route 0.0.0.0 0.0.0.0 rtr2 222 on rtr1.
BR,
Bjornarsb
01-18-2008 08:42 AM
I agree that rtr2 working on rtr1 failure simulation doesn't point to a simple routing problem.
What is tracking?
01-18-2008 09:07 AM
Hi,
Tracking decrements the priority value if your WAN interface is down.
LAB-ROUTER(config-if)#standby track ethernet 0 ?
<1-255> Decrement value
You need to be sure that when your WAN interface is down it decrements the value enough to let rtr2 be the active router.
BR,
Bjornarsb
01-18-2008 09:22 AM
I'm pretty sure that when the external interface on rtr1 was disconnected, show standby on rtr2 said its external interface was Active. At this point the rtr1 internal interface was Active and the rtr2 internal interface was Standby. I think this is normal because when I unplugged the internal interface on rtr1, the internal interface of rtr2 became Active but the external interface of rtr1 remained Active (with rtr2 external still Standby) and traffic was passing through.
I just checked my config again and even though I do have tracking set, it changes the priority of rtr1 so it is equal in priority to rtr2 (instead of it being less than rtr2) because rtr1 priority is 110 and rtr2 priority is 100 (default) and tracking decrements by 10 (default). I'll try setting rtr1 priority to 105 so decrementing by 10 will make it lower priority than rtr2.
I'll change those priorities similarly on the internal interfaces, too.
01-18-2008 08:44 AM
Here's the config of the first router:
rtrwan1and#sho runn
Building configuration...
Current configuration : 2980 bytes
!
! No configuration change since last restart
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname rtrwan1and
!
boot-start-marker
boot-end-marker
!
!
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip name-server 64.94.30.11
ip name-server 64.94.30.12
no ftp-server write-enable
!
!
!
!
!
!
interface FastEthernet0/0
ip address 216.75.205.8 255.255.255.224
ip access-group 101 in
ip accounting output-packets
ip nat outside
speed 100
full-duplex
standby 1 ip 216.75.205.11
standby 1 priority 110
standby 1 preempt delay minimum 60
standby 1 name outside
standby 1 track FastEthernet0/1
!
interface FastEthernet0/1
ip address 10.200.20.2 255.255.255.0
ip access-group 102 in
ip accounting output-packets
ip nat inside
speed 100
full-duplex
no mop enabled
standby 2 ip 10.200.20.1
standby 2 priority 110
standby 2 preempt delay minimum 60
standby 2 name inside
standby 2 track FastEthernet0/0
!
ip default-gateway 216.75.205.1
ip nat pool andnatpool 216.75.205.30 216.75.205.30 netmask 255.255.255.224
ip nat inside source list 1 pool andnatpool overload
ip nat inside source static 10.200.20.101 216.75.205.10
ip nat inside source static 10.200.40.40 216.75.205.12
ip nat inside source static 10.200.40.41 216.75.205.13
ip nat inside source static 10.200.50.41 216.75.205.14
ip nat inside source static 10.200.50.42 216.75.205.15
ip nat inside source static 10.200.50.48 216.75.205.16
ip nat inside source static 10.200.50.49 216.75.205.17
ip nat inside source static 10.200.40.45 216.75.205.18
ip nat inside source static 10.200.40.46 216.75.205.19
ip nat inside source static 10.200.40.47 216.75.205.20
ip nat inside source static 10.200.40.48 216.75.205.22
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 216.75.205.1
ip route 10.200.30.0 255.255.255.0 10.200.20.21
ip route 10.200.40.0 255.255.255.0 10.200.20.21
ip route 10.200.50.0 255.255.255.0 10.200.20.21
ip http server
!
access-list 1 permit 10.200.50.0 0.0.0.255
access-list 1 permit 10.200.40.0 0.0.0.255
access-list 1 permit 10.200.30.0 0.0.0.255
access-list 1 permit 10.200.20.0 0.0.0.255
access-list 1 remark ACL used for PAT
access-list 101 permit ip any any
access-list 101 remark ACL used for inbound traffic
access-list 101 remark ACL used for inbound traffic
access-list 101 permit tcp any gt 1023 host 216.75.205.20 eq www
access-list 101 permit tcp any gt 1023 host 216.75.205.22 eq www log
access-list 102 permit ip any any
access-list 102 remark ACL used for outbound traffic
!
01-18-2008 09:10 AM
Try this on rtr1:
ip route 0.0.0.0 0.0.0.0 10.200.20.3 200
01-18-2008 09:28 AM
I'll try that if re-configuring the HSRP priorities doesn't work.
01-18-2008 08:44 AM
Here's the config of the 2nd router:
rtrwan2and#sho runn
Building configuration...
Current configuration : 2907 bytes
!
! No configuration change since last restart
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname rtrwan2and
!
boot-start-marker
boot-end-marker
!
!
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 64.94.30.11
ip name-server 64.94.30.12
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 216.75.205.9 255.255.255.224
ip access-group 101 in
ip accounting output-packets
ip nat outside
speed 100
full-duplex
standby 1 ip 216.75.205.11
standby 1 name outside
standby 1 track FastEthernet0/1
!
interface FastEthernet0/1
ip address 10.200.20.3 255.255.255.0
ip access-group 102 in
ip accounting output-packets
ip nat inside
speed 100
full-duplex
standby 2 ip 10.200.20.1
standby 2 name inside
standby 2 track FastEthernet0/0
!
ip default-gateway 216.75.205.1
ip nat pool andnatpool 216.75.205.29 216.75.205.29 netmask 255.255.255.224
ip nat inside source list 1 pool andnatpool overload
ip nat inside source static 10.200.20.101 216.75.205.10
ip nat inside source static 10.200.40.40 216.75.205.12
ip nat inside source static 10.200.40.41 216.75.205.13
ip nat inside source static 10.200.50.41 216.75.205.14
ip nat inside source static 10.200.50.42 216.75.205.15
ip nat inside source static 10.200.50.48 216.75.205.16
ip nat inside source static 10.200.50.49 216.75.205.17
ip nat inside source static 10.200.40.45 216.75.205.18
ip nat inside source static 10.200.40.46 216.75.205.19
ip nat inside source static 10.200.40.47 216.75.205.20
ip nat inside source static 10.200.40.48 216.75.205.22
ip http server
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 216.75.205.1
ip route 10.200.30.0 255.255.255.0 10.200.20.21
ip route 10.200.40.0 255.255.255.0 10.200.20.21
ip route 10.200.50.0 255.255.255.0 10.200.20.21
!
!
access-list 1 permit 10.200.50.0 0.0.0.255
access-list 1 permit 10.200.40.0 0.0.0.255
access-list 1 permit 10.200.30.0 0.0.0.255
access-list 1 permit 10.200.20.0 0.0.0.255
access-list 1 remark ACL used for PAT
access-list 1 remark ACL used for PAT
access-list 101 permit ip any any
access-list 101 remark ACL used for inbound traffic
access-list 101 remark ACL used for inbound traffic
access-list 101 permit tcp any gt 1023 host 216.75.205.20 eq www
access-list 101 permit tcp any gt 1023 host 216.75.205.22 eq www log
access-list 102 permit ip any any
access-list 102 remark ACL used for outbound traffic
access-list 102 remark ACL used for outbound traffic
!
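Editor's note, added here and not part of any poster's reply: the two running configs above explain the failing scenario without needing anything from the ISP. rtrwan1and runs priority 110 with the default track decrement of 10, so losing FastEthernet0/0 only brings its inside group to 100, equal to rtrwan2and's default of 100. More importantly, rtrwan2and has no `standby preempt` on either group, and an HSRP standby router only takes over a still-running active router when it is configured to preempt, so even the planned change to priority 105 would leave rtrwan1and active inside. rtrwan1and's only default route points at 216.75.205.1 through the interface that was unplugged, so the inside traffic it still receives has no exit and is dropped, which matches "I can ping our HSRP address but not the ISP". The fragment below uses the addresses from the posted configs; the decrement value 20 and the administrative distance 200 are chosen example values, not from the page.

```cisco
! Added example (not from the thread): rtrwan1and
! Decrement by more than the 10-point gap between 110 and rtrwan2and's
! default 100, so losing one link makes this router the lower-priority
! member of the other group. 20 is a chosen example value.
interface FastEthernet0/0
 standby 1 priority 110
 standby 1 preempt delay minimum 60
 standby 1 track FastEthernet0/1 20
!
interface FastEthernet0/1
 standby 2 priority 110
 standby 2 preempt delay minimum 60
 standby 2 track FastEthernet0/0 20
!
! Floating default route. Distance 200 (example value) keeps it out of the
! routing table while the next hop 216.75.205.1 is reachable; when
! FastEthernet0/0 goes down that route is withdrawn and inside traffic still
! arriving here is handed to rtrwan2and's inside address instead of dropped.
ip route 0.0.0.0 0.0.0.0 216.75.205.1
ip route 0.0.0.0 0.0.0.0 10.200.20.3 200
!
! Added example (not from the thread): rtrwan2and
! Without preempt a standby router never displaces an active router whose
! priority has merely been decremented; it only takes over when the active
! router's hellos stop. Preempt is what makes the track decrement matter.
interface FastEthernet0/0
 standby 1 ip 216.75.205.11
 standby 1 preempt
 standby 1 track FastEthernet0/1 20
!
interface FastEthernet0/1
 standby 2 ip 10.200.20.1
 standby 2 preempt
 standby 2 track FastEthernet0/0 20
!
! Mirror of the floating route: if rtrwan2and loses its outside link while
! still forwarding inside traffic, hand that traffic to rtrwan1and.
ip route 0.0.0.0 0.0.0.0 216.75.205.1
ip route 0.0.0.0 0.0.0.0 10.200.20.2 200
```

To check it, unplug FastEthernet0/0 on rtrwan1and and run `show standby brief` on both routers: rtrwan2and should show Active for both groups and rtrwan1and should show Standby on FastEthernet0/1 with priority 90. `show ip route` on rtrwan1and should then list the default via 10.200.20.3. Two unrelated caveats a reviewer of these configs would raise: access-list 101 begins with `permit ip any any`, so the host-specific www lines after it are never evaluated and the inbound ACL filters nothing; and `ip http server` is enabled on both routers with `no aaa new-model`, so the HTTP management interface is reachable on the outside addresses unless something upstream filters it.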
01-30-2008 06:44 AM
Hi,
You may be running into an issue with NAT and HSRP running on the same router. I haven't configured this myself, but did find a document talking about it.
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnthsrp.html
PS. I also saw a document talking about SNAT (stateful NAT) which allows high availability for dynamically created NAT entries. I'm not sure if they can be used together though.
Hope this helps.
Mark