07-30-2009 11:55 AM - edited 03-04-2019 05:36 AM
Hi, does anybody know about passwords that are not allowed for HSRP authentication?
Or an HSRP issue with the 1750?
Thanks in advance
Alex
07-30-2009 12:09 PM
Hello Alex,
Can you be more specific? From what you have written, it is hard to follow the problem you are having.
Best regards,
Peter
07-30-2009 12:36 PM
My business partner is trying to configure HSRP, and both routers (1750) are "active". He got the configuration model from the Cisco page. The 1750s are connected to a 3750 (with HSRP implemented and running properly with another business partner).
Do you have any tips?
Thanks for your help
Alex
07-30-2009 12:54 PM
Hello,
First, I should say that the authentication in HSRP is mostly a useless thing. It does not really provide any additional security. It will prevent unauthorized routers from joining the standby group but, as you can see directly here, if two or more routers do not share the same password, they will both create their own standby groups, thereby confusing the stations in the network. This was also the reason why the support of authentication in a similar redundancy protocol, VRRP, was dropped (see RFC 3768, sections 5.3.6 and 10).
I therefore recommend turning off the authentication completely and verifying that the HSRP routers form a stable and properly running standby group. If your business partner insists on having authenticated HSRP, try to reenter the authentication commands but do not copy them directly from Cisco pages, as those passwords may not be actual valid passwords.
Also, in my experience, very often a problem is created when the administrator inadvertently presses the Space key after writing the entire password. This whitespace is invisible but it becomes a part of the key. If this Space is not duplicated on the other router then the passwords are indeed different and the authentication fails. This type of error is quite common but difficult to discover.
Another cause of the problem can be that the password was configured in this way:
standby 1 authentication md5 key-string 7 SomeSecretPassword
Note the number '7'. Quite often, people think that that number tells the router to encrypt the password afterwards. However, after the number '7', the password must be already in the encrypted format. If it is not, the router will not be able to process it correctly. Therefore, the correct way to use that command would be:
standby 1 authentication md5 key-string SomeSecretPassword
As you have not posted the actual configurations here, I am just shooting in the dark, trying to expose the most usual mistakes.
Best regards,
Peter
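The two key-string mistakes described in the reply above (an invisible trailing space, and a plaintext password entered after the number '7') can be checked for mechanically. The following is an added example, not part of the original thread or any Cisco tool: the function name, the sample configurations and the sample keys are constructed, and it assumes the configuration text is supplied exactly as entered, with trailing whitespace preserved.

```python
import re

# Matches "standby <group> authentication md5 key-string [0|7] <key>". The key
# runs to the end of the line, so trailing whitespace is captured as part of it.
HSRP_KEY = re.compile(
    r"^\s*standby\s+(\d+)\s+authentication\s+md5\s+key-string\s+(?:([07])\s+)?(.*)$")
# Encrypted (type 7) form: two decimal digits followed by pairs of hex digits.
TYPE7 = re.compile(r"^\d{2}(?:[0-9A-Fa-f]{2})+$")


def audit_hsrp_keys(config_text):
    """Return (line_no, group, problem) tuples for suspicious key-string lines."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = HSRP_KEY.match(line)
        if not m:
            continue
        group, enc_type, key = int(m.group(1)), m.group(2), m.group(3)
        # A space typed after the password becomes part of the key.
        if key != key.rstrip():
            findings.append((line_no, group, "trailing whitespace in key"))
        # After '7' the router expects an already-encrypted string.
        if enc_type == "7" and not TYPE7.match(key.strip()):
            findings.append(
                (line_no, group, "'7' given but key is not in encrypted format"))
    return findings


# Constructed sample configurations (not taken from the thread).
ROUTER_A = (
    "interface FastEthernet0\n"
    " standby 1 ip 192.0.2.1\n"
    " standby 1 authentication md5 key-string 7 SomeSecretPassword\n"
)
ROUTER_B = (
    "interface FastEthernet0\n"
    " standby 1 ip 192.0.2.1\n"
    " standby 1 authentication md5 key-string SomeSecretPassword \n"
)

if __name__ == "__main__":
    for name, cfg in (("router A", ROUTER_A), ("router B", ROUTER_B)):
        for line_no, group, problem in audit_hsrp_keys(cfg):
            print(f"{name}: line {line_no}, group {group}: {problem}")
```

Running it over both peers' configurations before comparing them by eye surfaces the differences that are otherwise invisible on screen.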