Our HSRP not playing well with ISP's HSRP?

rimbertr1 · ‎01-18-2008

Our ISP have setup HSRP on their switch, x.x.x.1/24 and I've set up HSRP x.x.x.11/24 on the external interfaces of our two routers, rtr1 and rtr2. I have rtr1 set with higher priority and have preempt enabled.

It's working except for 1 of 5 failure scenarios I tested. When I unplug the external interface on rtr1, rtr2 external becomes active but no traffic is getting past our router. I can ping our HSRP but not the ISP.

The other 4 scenarios are:

* Unplug internal of rtr2 (nothing happens as expected).

* Unplug internal of rtr1. Internal of rtr2 become active and traffic gets out to Internet. I replug internal rtr1 and rtr1 becomes active again, as expected.

* Unplug external of rtr2 (nothing happens as expected).

* Unplug both external and internal of rtr1 (to simulate rtr1 router failure) and external and internal of rtr2 become active and traffic passes as expected.

I've created a ticket with Cisco and an engineer confirmed my HSRP config. I guess my real question is, is it possible that the ISP did not configure something correctly? I want to see if this is plausible before contacting them.

anthony.baker · ‎01-18-2008

Sounds to me like your HSRP is set up correctly but that the ISP has their route set at your Router1 IP real IP and not the HSRP address that sits between the two.

I'd ask them what their routing's set to for sending traffic to you.

HTH

Anthony

bjornarsb · ‎01-18-2008

Hi,

I don't agree with the first post since your simulation of router 1 failure works fine.

Are you sure that your tracking works fine?

If you don't use tracking, check routing between rtr1 and rtr2.

Cannot say for sure unless you post your configuration.

I've had a similar case and used the following:

ip route 0.0.0.0 0.0.0.0 rtr2 222 on rtr1.

BR,

Bjornarsb

rimbertr1 · ‎01-18-2008

I agree that rtr2 working on rtr1 failure simulation doesn't point to a simple routing problem.

What is tracking?

bjornarsb · ‎01-18-2008

Hi,

Tracking decremets the priority value if your wan interface is down.

LAB-ROUTER(config-if)#standby track ethernet 0 ?

<1-255> Decrement value

You need to be sure that when your wan interface is down it decremts the value enough to let rtr2 be the active router.

BR,

Bjornarsb

rimbertr1 · ‎01-18-2008

I'm pretty sure when external interface on rtr1 was disconnected, show standby on rtr2 said its external interface was Active. At this point rtr1 internal interface was Active and rtr2 internal interface was Standby. I think this is normal because when I unplugged internal interface on rtr1, the internal interface of rtr2 became Active but external interface of rtr1 remained Active (with rtr2 external still Standby) and traffic was passing through.

I just checked my config again and even though I do have tracking set, it changes the priority of rtr1 so it is equal in priority to rtr2 (instead of it being less than rtr2) because rtr1 priority is 110 and rtr2 priority is 100 (default) and tracking decrements by 10 (default). I'll try setting rtr1 priority to 105 so decrementing by 10 will make it lower priority than rtr2.

I'll change those priorities similarly on the internal interfaces, too.

rimbertr1 · ‎01-18-2008

Here's the config of the first router:

rtrwan1and#sho runn

Building configuration...

Current configuration : 2980 bytes

!

! No configuration change since last restart

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname rtrwan1and

!

boot-start-marker

boot-end-marker

!

clock timezone EST -5

clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

no network-clock-participate slot 1

no network-clock-participate wic 0

no aaa new-model

ip subnet-zero

ip cef

!

ip name-server 64.94.30.11

ip name-server 64.94.30.12

no ftp-server write-enable

!

interface FastEthernet0/0

ip address 216.75.205.8 255.255.255.224

ip access-group 101 in

ip accounting output-packets

ip nat outside

speed 100

full-duplex

standby 1 ip 216.75.205.11

standby 1 priority 110

standby 1 preempt delay minimum 60

standby 1 name outside

standby 1 track FastEthernet0/1

!

interface FastEthernet0/1

ip address 10.200.20.2 255.255.255.0

ip access-group 102 in

ip accounting output-packets

ip nat inside

speed 100

full-duplex

no mop enabled

standby 2 ip 10.200.20.1

standby 2 priority 110

standby 2 preempt delay minimum 60

standby 2 name inside

standby 2 track FastEthernet0/0

!

ip default-gateway 216.75.205.1

ip nat pool andnatpool 216.75.205.30 216.75.205.30 netmask 255.255.255.224

ip nat inside source list 1 pool andnatpool overload

ip nat inside source static 10.200.20.101 216.75.205.10

ip nat inside source static 10.200.40.40 216.75.205.12

ip nat inside source static 10.200.40.41 216.75.205.13

ip nat inside source static 10.200.50.41 216.75.205.14

ip nat inside source static 10.200.50.42 216.75.205.15

ip nat inside source static 10.200.50.48 216.75.205.16

ip nat inside source static 10.200.50.49 216.75.205.17

ip nat inside source static 10.200.40.45 216.75.205.18

ip nat inside source static 10.200.40.46 216.75.205.19

ip nat inside source static 10.200.40.47 216.75.205.20

ip nat inside source static 10.200.40.48 216.75.205.22

ip classless

ip route profile

ip route 0.0.0.0 0.0.0.0 216.75.205.1

ip route 10.200.30.0 255.255.255.0 10.200.20.21

ip route 10.200.40.0 255.255.255.0 10.200.20.21

ip route 10.200.50.0 255.255.255.0 10.200.20.21

ip http server

!

access-list 1 permit 10.200.50.0 0.0.0.255

access-list 1 permit 10.200.40.0 0.0.0.255

access-list 1 permit 10.200.30.0 0.0.0.255

access-list 1 permit 10.200.20.0 0.0.0.255

access-list 1 remark ACL used for PAT

access-list 101 permit ip any any

access-list 101 remark ACL used for inbound traffic

access-list 101 permit tcp any gt 1023 host 216.75.205.20 eq www

access-list 101 permit tcp any gt 1023 host 216.75.205.22 eq www log

access-list 102 permit ip any any

access-list 102 remark ACL used for outbound traffic

!

bjornarsb · ‎01-18-2008

Try this on rtr1:

ip route 0.0.0.0 0.0.0.0 10.200.20.3 200

rimbertr1 · ‎01-18-2008

I'll try that if re-configuring the HSRP priorities don't work.

rimbertr1 · ‎01-18-2008

Here's the config of the 2nd router:

rtrwan2and#sho runn

Building configuration...

Current configuration : 2907 bytes

!

! No configuration change since last restart

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname rtrwan2and

!

boot-start-marker

boot-end-marker

!

clock timezone EST -5

clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

no network-clock-participate slot 1

no network-clock-participate wic 0

no aaa new-model

ip subnet-zero

ip cef

!

ip name-server 64.94.30.11

ip name-server 64.94.30.12

!

interface FastEthernet0/0

ip address 216.75.205.9 255.255.255.224

ip access-group 101 in

ip accounting output-packets

ip nat outside

speed 100

full-duplex

standby 1 ip 216.75.205.11

standby 1 name outside

standby 1 track FastEthernet0/1

!

interface FastEthernet0/1

ip address 10.200.20.3 255.255.255.0

ip access-group 102 in

ip accounting output-packets

ip nat inside

speed 100

full-duplex

standby 2 ip 10.200.20.1

standby 2 name inside

standby 2 track FastEthernet0/0

!

ip default-gateway 216.75.205.1

ip nat pool andnatpool 216.75.205.29 216.75.205.29 netmask 255.255.255.224

ip nat inside source list 1 pool andnatpool overload

ip nat inside source static 10.200.20.101 216.75.205.10

ip nat inside source static 10.200.40.40 216.75.205.12

ip nat inside source static 10.200.40.41 216.75.205.13

ip nat inside source static 10.200.50.41 216.75.205.14

ip nat inside source static 10.200.50.42 216.75.205.15

ip nat inside source static 10.200.50.48 216.75.205.16

ip nat inside source static 10.200.50.49 216.75.205.17

ip nat inside source static 10.200.40.45 216.75.205.18

ip nat inside source static 10.200.40.46 216.75.205.19

ip nat inside source static 10.200.40.47 216.75.205.20

ip nat inside source static 10.200.40.48 216.75.205.22

ip http server

ip classless

ip route profile

ip route 0.0.0.0 0.0.0.0 216.75.205.1

ip route 10.200.30.0 255.255.255.0 10.200.20.21

ip route 10.200.40.0 255.255.255.0 10.200.20.21

ip route 10.200.50.0 255.255.255.0 10.200.20.21

!

access-list 1 permit 10.200.50.0 0.0.0.255

access-list 1 permit 10.200.40.0 0.0.0.255

access-list 1 permit 10.200.30.0 0.0.0.255

access-list 1 permit 10.200.20.0 0.0.0.255

access-list 1 remark ACL used for PAT

access-list 101 permit ip any any

access-list 101 remark ACL used for inbound traffic

access-list 101 permit tcp any gt 1023 host 216.75.205.20 eq www

access-list 101 permit tcp any gt 1023 host 216.75.205.22 eq www log

access-list 102 permit ip any any

access-list 102 remark ACL used for outbound traffic

!

MARK BAKER · ‎01-30-2008

Hi,

You may be running into an issue with NAT and HSRP running on the same router. I haven't configured this myself, but did find a document talking about it.

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnthsrp.html

PS. I also saw a document talking about SNAT (stateful NAT) which allows high-availability for dynimcally created NAT entries. I'm not sure if they can be used together though.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6969/ps1839/prod_white_paper0900aecd8052870b.html

Hope this helps.

Mark