Peter Paluch Thu, 07/30/2009 - 12:09

Hello Alex,


Can you be more specific? From what you have written, it is hard to follow the problem you are having.


Best regards,

Peter


aamaraljpm Thu, 07/30/2009 - 12:36

My business partner is trying to configure HSRP; both routers (1750) are "active". He got the configuration model from the Cisco page. The 1750s are connected to a 3750 (with HSRP implemented and running properly with another business partner).

Do you have any tips?


Thanks for your help


Alex

Peter Paluch Thu, 07/30/2009 - 12:54

Hello,


First, I should say that the authentication in HSRP is mostly a useless thing. It does not really provide any additional security. It will prevent unauthorized routers from joining the standby group but, as you can see directly here, if two or more routers do not share the same password, they will both create their own standby groups, thereby confusing the stations in the network. This was also the reason why the support of authentication in a similar redundancy protocol, VRRP, was dropped (see RFC 3768, sections 5.3.6 and 10).


I therefore recommend turning off the authentication completely and verifying that the HSRP routers form a stable and properly running standby group. If your business partner insists on having authenticated HSRP, try to reenter the authentication commands but do not copy them directly from Cisco pages, as those passwords may not be actual valid passwords.


Also, in my experience, very often a problem is created when the administrator inadvertently presses the Space key after writing the entire password. This whitespace is invisible but it becomes a part of the key. If this Space is not duplicated on the other router then the passwords are indeed different and the authentication fails. This type of error is quite common but difficult to discover.


Another cause of the problem can be that the password was configured in this way:


standby 1 authentication md5 key-string 7 SomeSecretPassword


Note the number '7'. Quite often, people think that that number tells the router to encrypt the password afterwards. However, after the number '7', the password must be already in the encrypted format. If it is not, the router will not be able to process it correctly. Therefore, the correct way to use that command would be:


standby 1 authentication md5 key-string SomeSecretPassword


As you have not posted the actual configurations here, I am just shooting in the dark, trying to expose the most usual mistakes.


Best regards,

Peter
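
An added example, not part of the posts above and not Cisco tooling: a small Python check that reads the HSRP `key-string` lines from two saved configurations and reports the mistakes described in this thread (a trailing space in the key, a `7` in front of a plain-text key, and plain-text keys that differ between peers). The function names, router names and sample configurations are constructed for illustration, and it assumes the configuration text is captured with trailing whitespace intact.

```python
import re

# The HSRP MD5 command form quoted in the thread, with the optional type
# digit (0 = plain text follows, 7 = already-encrypted text follows).
# "key" captures everything to the end of the line, spaces included.
CMD = re.compile(
    r"^\s*standby\s+(?P<group>\d+)\s+authentication\s+md5\s+key-string\s+"
    r"(?:(?P<enc>[07])\s+)?(?P<key>.*)$"
)
# A type 7 string is two decimal digits followed by pairs of hex digits.
TYPE7 = re.compile(r"^\d{2}(?:[0-9A-Fa-f]{2})+$")

def parse(config):
    """Return {group: (enc, key)}; trailing spaces are kept on purpose."""
    found = {}
    for line in config.split("\n"):
        m = CMD.match(line.rstrip("\r"))
        if m:
            found[int(m["group"])] = (m["enc"], m["key"])
    return found

def audit(name_a, cfg_a, name_b, cfg_b):
    """List the key-string mistakes from the thread for two HSRP peers."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for name, keys in ((name_a, a), (name_b, b)):
        for group, (enc, key) in sorted(keys.items()):
            if key != key.rstrip():
                findings.append(f"{name} group {group}: trailing whitespace in key")
            if enc == "7" and not TYPE7.match(key.strip()):
                findings.append(f"{name} group {group}: '7' used with a plain-text key")
    for group in sorted(set(a) & set(b)):
        (enc_a, key_a), (enc_b, key_b) = a[group], b[group]
        # Encrypted strings for the same password can differ, so only
        # plain-text keys are compared character for character.
        if "7" not in (enc_a, enc_b) and key_a != key_b:
            findings.append(f"group {group}: keys differ between {name_a} and {name_b}")
    return findings

# Constructed sample configurations (R1 has a trailing space after the key).
ROUTER_A = " standby 1 authentication md5 key-string SomeSecretPassword \n"
ROUTER_B = (
    " standby 1 authentication md5 key-string SomeSecretPassword\n"
    " standby 2 authentication md5 key-string 7 SomeSecretPassword\n"
)

if __name__ == "__main__":
    print("\n".join(audit("R1", ROUTER_A, "R2", ROUTER_B)))
```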

