Problems with 2901 HSRP

Unanswered Question
Dec 27th, 2011

Hi

I have 2 x 2901 in an HSRP setup.

So I have some WAN ports attached to both of these routers, and I have 1 port from each router attached to a sw (switches in clustered mode), and 1 port attached to each other.

The ports from the router to the switch and each other are part of vlan1 and I have hsrp configured on vlan1

interface Vlan1

description to firewall

ip address a.b.c.252 mask

standby 0 ip a.b.c.254

standby 0 preempt

standby 0 authentication md5 key-string 7 THISISSOMETHIG

standby 0 name internet

interface Vlan1

description to firewall

ip address a.b.c.253 mask

standby 0 ip a.b.c.254

standby 0 preempt

standby 0 authentication md5 key-string 7 THISISSOMETHIG

standby 0 name internet

My problem is when I log into the standby router I can't ping the VIP a.b.c.254

standby seems to be working.

Alex

Reza Sharifi Tue, 12/27/2011 - 17:10

Hi Alex,

Can you set a priority for the master switch and test again?

example:

standby 2 priority 110

Also, the group range is from 1 to 255. Can you try a different group number between 1 and 255?

HTH

AlexSamadYieldBroker Tue, 12/27/2011 - 17:16

Hi

I actually have, sorry I cut and pasted from the slave router

primary

interface Vlan1

ip address a.b.c.d.253 255.255.255.0

standby 0 ip a.b.c.d.254

standby 0 priority 105

standby 0 preempt

standby 0 authentication md5 key-string 7 SOMETHING

standby 0 name internet

sho standby

Vlan1 - Group 0

  State is Active

    1 state change, last state change 38w4d

  Virtual IP address is a.b.c.254

  Active virtual MAC address is 0000.0c07.ac00

    Local virtual MAC address is 0000.0c07.ac00 (v1 default)

  Hello time 3 sec, hold time 10 sec

    Next hello sent in 2.544 secs

  Authentication MD5, key-string

  Preemption enabled

  Active router is local

  Standby router is a.b.c.252, priority 100 (expires in 10.000 sec)

  Priority 105 (configured 105)

  Group name is "internet" (cfgd)

backup router

interface Vlan1

ip address a.b.c.252 255.255.255.0

standby 0 ip a.b.c.254

standby 0 preempt

standby 0 authentication md5 key-string 7 SMOETHING

standby 0 name internet

show standby

Vlan1 - Group 0

  State is Standby

    4 state changes, last state change 1d03h

  Virtual IP address is a.b.c.254

  Active virtual MAC address is 0000.0c07.ac00

    Local virtual MAC address is 0000.0c07.ac00 (v1 default)

  Hello time 3 sec, hold time 10 sec

    Next hello sent in 2.448 secs

  Authentication MD5, key-string

  Preemption enabled

  Active router is a.b.c.253, priority 105 (expires in 9.360 sec)

  Standby router is local

  Priority 100 (default 100)

  Group name is "internet" (cfgd)

So ping from primary to .254 works

ping from secondary to .254 times out ....

gfcisco31 Tue, 12/27/2011 - 18:04

Many things can cause such behaviour...

Let's try the most common one first.

Check whether both routers are listening to 224.0.0.2 (.102 if it's HSRP v2); to do that, issue the command "sh ip interface" on both routers.

I would suggest removing the config and applying it again, in case you suspect they are not hearing each other. Also, you can try to ping the MCAST address to see who responds to the ICMP echo request.

hope this helps

Please, rate useful posts.

AlexSamadYieldBroker Tue, 12/27/2011 - 18:12

sh ip interface

shows me vlan1 on both routers has

224.0.0.2 associated with it

I tried pinging the 224.0.0.2 address and I got replies from not only the local addresses, but also the WAN addresses attached to the router ??

I don't believe that the routers are not hearing the heartbeats.

So I can ping the .254 address from the primary router and from another device, except from the secondary router..

but it means any traffic coming in on the secondary can't ping .254

AlexSamadYieldBroker Tue, 12/27/2011 - 18:34

I presume you mean

show arp

and see if the MAC address is in the table.. it is and it's the correct one

same on the primary

AlexSamadYieldBroker Tue, 12/27/2011 - 18:55

Hi

Not sure if that is the same problem I am having.

So except for the standby router. All other devices on the ethernet segment can ping .254 and they can ping the real address of the routers (pri & sec).

pri can ping .254 .253 .252

but sec can only ping .253 .252 (the real addresses of the routers)...

Alex

gauravnunia Tue, 12/27/2011 - 20:12

Hi Alex,

Here's more you can try

on the standby router:

"sh ip route x.x.x.254", see if it recognises the address.

check the output of

access-list 101 permit icmp any any

debug ip packet detail 101

end

ping x.x.x.254

See if the output gives any clues; see if it's getting routed or not.

Also, check whether there is any ACL blocking UDP 1985.

AlexSamadYieldBroker Tue, 12/27/2011 - 20:33

sh ip rou

shows me that the router believes it is on vlan1 directly connected (the right info)

Q) Don't I have to attach 101 to an interface ? in my case vlan1

and isn't there an implied deny any any at the end of the list

tried it anyway

025026: Dec 28 15:23:26 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254, len 100, local feature

025027: Dec 28 15:23:26 AEDT:     ICMP type=8, code=0, Policy Routing(3), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025028: Dec 28 15:23:26 AEDT: FIBipv4-packet-proc: route packet from (local) src a.b.c.252 dst a.b.c.254

025029: Dec 28 15:23:26 AEDT: FIBfwd-proc: packet routed by adj to Vlan1 a.b.c.254

025030: Dec 28 15:23:26 AEDT: FIBipv4-packet-proc: packet routing succeeded

025031: Dec 28 15:23:26 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, sending

025032: Dec 28 15:23:26 AEDT:     ICMP type=8, code=0

025033: Dec 28 15:23:26 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, output feature

025034: Dec 28 15:23:26 AEDT:     ICMP type=8, code=0, Post-Ingress-NetFlow(62), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025035: Dec 28 15:23:26 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, output feature

025036: Dec 28 15:23:26 AEDT:     ICMP type=8, code=0, Post-Input-Flexible-NetFlow(73), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025037: Dec 28 15:23:26 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, sending full packet

025038: Dec 28 15:23:26 AEDT:     ICMP type=8, code=0

025040: Dec 28 15:23:27 AEDT:  IP: s=a.b.c.253, d=224.0.0.2, pak 2A16FD60 consumed in input feature , packet consumed, MCI Check(73), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE.

025041: Dec 28 15:23:28 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254, len 100, local feature

025042: Dec 28 15:23:28 AEDT:     ICMP type=8, code=0, Policy Routing(3), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025043: Dec 28 15:23:28 AEDT: FIBipv4-packet-proc: route packet from (local) src a.b.c.252 dst a.b.c.254

025044: Dec 28 15:23:28 AEDT: FIBfwd-proc: packet routed by adj to Vlan1 a.b.c.254

025045: Dec 28 15:23:28 AEDT: FIBipv4-packet-proc: packet routing succeeded

025046: Dec 28 15:23:28 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, sending

025047: Dec 28 15:23:28 AEDT:     ICMP type=8, code=0

025048: Dec 28 15:23:28 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, output feature

025049: Dec 28 15:23:28 AEDT:     ICMP type=8, code=0, Post-Ingress-NetFlow(62), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025050: Dec 28 15:23:28 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, output feature

025051: Dec 28 15:23:28 AEDT:     ICMP type=8, code=0, Post-Input-Flexible-NetFlow(73), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025052: Dec 28 15:23:28 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, sending full packet

025053: Dec 28 15:23:28 AEDT:     ICMP type=8, code=0.

025054: Dec 28 15:23:30 AEDT:  IP: s=a.b.c.253, d=224.0.0.2, pak 2A866DF8 consumed in input feature , packet consumed, MCI Check(73), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025055: Dec 28 15:23:30 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254, len 100, local feature

025056: Dec 28 15:23:30 AEDT:     ICMP type=8, code=0, Policy Routing(3), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025057: Dec 28 15:23:30 AEDT: FIBipv4-packet-proc: route packet from (local) src a.b.c.252 dst a.b.c.254

025058: Dec 28 15:23:30 AEDT: FIBfwd-proc: packet routed by adj to Vlan1 a.b.c.254

025059: Dec 28 15:23:30 AEDT: FIBipv4-packet-proc: packet routing succeeded

Seems to be working (sending packets from the sec, will try from the pri)

I don't see it turn up on the pri; I tried pinging the real address .253 and it showed up...

gauravnunia Tue, 12/27/2011 - 21:49

A. Yes, there is an implicit deny, as we are only interested in seeing the ICMP debug, and we don't need to apply it on any interface, as we are not filtering any incoming or outgoing traffic, but the debug output only.

kmothukuri Tue, 12/27/2011 - 22:22

Hi ,

issue the command Clear mac-address table dynamic and check it once.

With Rgds,

M Satish Kumar

AlexSamadYieldBroker Wed, 12/28/2011 - 14:29

Clear mac didn't fix anything, but it got me looking at the ARP table as well.

standby#sh arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  a.b.c.1           210   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.2            29   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.4           192   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.7           126   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.9           167   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.10          155   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.12          112   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.13          171   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.15          174   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.99           50   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.127          33   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.129         193   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.199          38   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.250          18   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.251          35   d0d0.fd99.079b  ARPA   Vlan1

Internet  a.b.c.252           -   c471.fe78.4923  ARPA   Vlan1

Internet  a.b.c.253           0   588d.09bb.9b5b  ARPA   Vlan1

Internet  a.b.c.254          60   0000.0c07.ac00  ARPA   Vlan1

standby#show mac-address-table

EHWIC Slot: 0

Destination Address     Address Type    VLAN    Destination Port

-------------------     ------------    ----    -----------------

c471.fe78.4923          Self               1    Vlan1

d0d0.fd5b.c5bd          Dynamic            1    GigabitEthernet0/0/0

d0d0.fd99.079b          Dynamic            1    GigabitEthernet0/0/3

0000.0c07.ac00          Dynamic            1    GigabitEthernet0/0/0

588d.09bb.9b5b          Dynamic            1    GigabitEthernet0/0/0

d0d0.fd94.c628          Dynamic            1    GigabitEthernet0/0/0

standby#sh vlan-switch

VLAN Name                             Status    Ports

---- -------------------------------- --------- -------------------------------

1    default                          active    Gi0/0/0, Gi0/0/2, Gi0/0/3

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

1    enet  100001     1500  -      -      -        -    -        1002   1003

so gi0/0/0 is direct attach cable to primary router

so gi0/0/3 is attached to the sw (stacked switch this to one the other router to the other switch)

so gi0/0/2 not connected

it looks all okay...

EDIT -> all this is from the standby router
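
The cross-check done by hand in the post above (VIP ARP entry, HSRP virtual MAC, learned port), as an added example that is not part of the original thread: a Python sketch that parses `show arp` and `show mac-address-table` lines copied from that post, derives the HSRP v1 virtual MAC from the group number, and flags a VIP that resolves to an unexpected MAC or is learned on a different port than the active router. The function names and the `check_vip` parameters are assumptions of this example.

```python
import re

# Lines copied from the standby router's output in the post above
# (a subset; addresses are redacted as a.b.c.N on the page).
SHOW_ARP = """\
Internet  a.b.c.250          18   d0d0.fd5b.c5bd  ARPA   Vlan1
Internet  a.b.c.252           -   c471.fe78.4923  ARPA   Vlan1
Internet  a.b.c.253           0   588d.09bb.9b5b  ARPA   Vlan1
Internet  a.b.c.254          60   0000.0c07.ac00  ARPA   Vlan1
"""
SHOW_MAC = """\
c471.fe78.4923          Self               1    Vlan1
d0d0.fd5b.c5bd          Dynamic            1    GigabitEthernet0/0/0
d0d0.fd99.079b          Dynamic            1    GigabitEthernet0/0/3
0000.0c07.ac00          Dynamic            1    GigabitEthernet0/0/0
588d.09bb.9b5b          Dynamic            1    GigabitEthernet0/0/0
"""

MAC_RE = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"
ARP_RE = re.compile(r"Internet\s+(\S+)\s+\S+\s+(%s)\s+ARPA\s+(\S+)" % MAC_RE)
CAM_RE = re.compile(r"(%s)\s+(\S+)\s+(\d+)\s+(\S+)" % MAC_RE)


def hsrp_v1_mac(group):
    """HSRP version 1 virtual MAC: 0000.0c07.acXX, XX = group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP v1 group must be 0-255")
    return "0000.0c07.ac%02x" % group


def parse_arp(text):
    """Map IP -> MAC from 'show arp' lines."""
    return {m.group(1): m.group(2).lower()
            for m in map(ARP_RE.search, text.splitlines()) if m}


def parse_mac_table(text):
    """Map MAC -> port from 'show mac-address-table' lines."""
    lines = (line.strip() for line in text.splitlines())
    return {m.group(1).lower(): m.group(4)
            for m in map(CAM_RE.match, lines) if m}


def check_vip(arp_text, mac_text, vip, active_ip, group):
    """Return a list of findings; an empty list means the tables agree."""
    arp, ports = parse_arp(arp_text), parse_mac_table(mac_text)
    findings = []
    expected = hsrp_v1_mac(group)
    vip_mac = arp.get(vip)
    if vip_mac is None:
        return ["no ARP entry for VIP %s" % vip]
    if vip_mac != expected:
        findings.append("VIP %s resolves to %s, expected %s"
                        % (vip, vip_mac, expected))
    vip_port = ports.get(vip_mac)
    active_port = ports.get(arp.get(active_ip))
    if vip_port is None:
        findings.append("MAC %s not in the MAC table" % vip_mac)
    elif vip_port != active_port:
        findings.append("VIP MAC learned on %s, active router on %s"
                        % (vip_port, active_port))
    return findings


if __name__ == "__main__":
    print(check_vip(SHOW_ARP, SHOW_MAC, "a.b.c.254", "a.b.c.253", 0) or "consistent")
```

On the tables posted in the thread the check returns no findings, which matches the poster's reading that the ARP and MAC tables look correct.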

ebarticel Wed, 12/28/2011 - 00:48

I think you should check the authentication as well, and maybe have a delay timer configured with the preempt command.

Hope it helps

Eugen

AlexSamadYieldBroker Wed, 12/28/2011 - 14:31

Hi

Pretty sure authentication is okay; the heartbeats seem to be working and not timing out. Also, for the brief period I had one authenticated and one not authenticated I received errors in my syslog, which went away once I reconfigured the second interface.

As for the delay time,

not sure what it is nor how it will help me ping the VIP from the standby router

ebarticel Wed, 12/28/2011 - 18:38

The delay time is for the primary to know how long to wait to become primary again, usually is greater than default to give enough time for routing protocol to converge (bgp takes a bit longer than ospf or eigrp).

I am thinking that you should change priority on the secondary to become primary for a while; this will associate the MAC address of the secondary with the VIP, because at the moment the primary doesn't know where to send the ping replies. The secondary MAC address is associated with the IP address of the interface but not with the VIP in the primary MAC table.

Other option is to create a static mapping on the primary for secondary MAC and VIP.

I hope this helps

Eugen

ebarticel Wed, 12/28/2011 - 18:45

add on to previous message...

this is entry for secondary on your primary

Internet  a.b.c.252           -   c471.fe78.4923  ARPA   Vlan1

The primary needs to have an entry for the

c471.fe78.4923 to be associated with a.b.c.254 as well

If you make the secondary primary for a while, then the primary will learn and associate the MAC with the VIP as well

AlexSamadYieldBroker Wed, 12/28/2011 - 18:52

Okay I am lost on what you are trying to say is the problem and what the potential fix might be.

If I ignore the standby router, I can ping .254 from other devices, for ex the firewall and from the internet (as long as it's not routed over the standby router).

I can ping from the primary to the standby using the fixed addresses (.253, .252) and vice versa; what I can't do is ping from the standby to the VIP (which is on the primary).

I did a packet debug which showed that the packet was actually leaving the router on the right interface (I believe)

AlexSamadYieldBroker Wed, 12/28/2011 - 18:47

>>The delay time is for the primary to know how long to wait to become primary again, usually is greater than default to give enough time for routing protocol to converge (bgp takes a bit longer than ospf or eigrp).

okay I will have to look at this once I have solved this problem.

>>I am thinking that you should change priority on the secondary to become primary for a while,this will associate mac address of secondary with VIP, because at the moment the primary doesn't know where to send the ping replies. The secondary MAC address is associated with IP address of interface but not with VIP in the primary MAC table.

??? I didn't actually show the MAC table on the primary router, but why I think this is not the case is

primary                                    standby

a.b.c.253                              a.b.c.252

from

a.b.c.253 i can ping a.b.c.252

a.b.c.252 i can ping a.b.c.253

a.b.c.253 i can ping a.b.c.254

I can't ping a.b.c.254 from a.b.c.252

So from this I can presume that primary can ping standby.

As this is production stuff I don't want to push over VIP.

This is actually all part of testing the redundancy and to see if it works as advertised, so currently I don't have faith in it actually working. I see no reason for it not to, but I don't see any reason for it not to be able to ping 254 from 252 either

>>Other option is to create a static mapping on the primary for secondary MAC and VIP.

I don't get this, why would I want to hard code routing for a floating VIP ? And what would it do when the VIP exists on the local router ?

Alex

ebarticel Wed, 12/28/2011 - 19:34

The static mapping is just to verify that there is redundancy and you will be able to test pings from secondary.

If it is a live environment, I guess you should test it when there is not much traffic. The only thing you should change is the priority value on the secondary, wait until it becomes primary, ping the VIP from both and, if all is good, just change the priority back to the previous values.

Eugen

kmothukuri Wed, 12/28/2011 - 20:58

Dear Alex ,

How is the connectivity of the switches? Can you provide us a network diagram?

With rgds,

Satish

kmothukuri Wed, 12/28/2011 - 22:30

Hi ,

Can you provide us the config of the interfaces which are connected to the switches back to back?

Have you configured EtherChannel for connecting the switches ?

With Rgds,

Satish

AlexSamadYieldBroker Wed, 12/28/2011 - 23:03

primary

interface GigabitEthernet0/0/0

description connect standby

interface GigabitEthernet0/0/3

description connect asa

interface Vlan1

ip address a.b.c.253 255.255.255.0

standby 0 ip a.b.c..254

standby 0 priority 105

standby 0 preempt

standby 0 authentication md5 key-string 7 something

standby 0 name internet

standby

interface GigabitEthernet0/0/0

description connect primary

!        

!        

interface GigabitEthernet0/0/3

description connect asa5000

interface Vlan1

description to firewall

ip address a.b.c.252 mask

standby 0 ip a.b.c.254

standby 0 preempt

standby 0 authentication md5 key-string 7 THISISSOMETHIG

standby 0 name internet

Alex

kmothukuri Wed, 12/28/2011 - 23:13

Switch1 G0/0/0 ---- G0/0/0 Switch2. Am I right...

Is it a trunk port ? If it is a trunk port, which VLANs are allowed..

AlexSamadYieldBroker Thu, 12/29/2011 - 01:07

?? sorry I don't think I understand ??

The 2 2901's connect by cable to each other and by cable to 2 asa5000 firewall appliances which are in an active/passive stack/cluster..

ebarticel Thu, 12/29/2011 - 02:09

Do the 2901 routers have a switching module installed, or do you use the default LAN interfaces to connect between routers?

ebarticel Thu, 12/29/2011 - 02:41

If the WIC has like 4-8-16 ports then it is a switching module. If not then you are using the LAN interfaces

kmothukuri Thu, 12/29/2011 - 03:04

Hi

Where is the LAN ? How are the systems connected in the LAN? The diagram has routers and firewalls. Do you have switches in the network ?

With Rgds,

Satish

AlexSamadYieldBroker Thu, 12/29/2011 - 03:16

The lan is on the other side of the firewall. But the question is why can't standby router ping the VIP ?

ebarticel Thu, 12/29/2011 - 04:00

Do you have any IP address on g0/0/0, the interface that connects the 2 routers? You will have to configure an IP address on both primary and secondary g0/0/0 interfaces and the VIP should be from the same subnet. Then you will have to configure a route on the firewalls to point to the VIP. You can not configure the g0/0/3 and g0/0/0 on the same network...the router will say that the IP overlaps. I have created a setup similar to yours and I used subinterfaces on the routers, but I had to create 5 subnets: one to each firewall, one between the routers, and 2, one from each router to the Internet. It is just basic config for routers with static routing.

I have tested by shutting down the serial interface on Primary, and Secondary becomes Primary; then open the interface on Primary and the routers change roles again.

I will post the picture if you like

Eugen

AlexSamadYieldBroker Thu, 12/29/2011 - 11:12

Um, I use the vlan1 interface, which binds together the interfaces, so I only have to put an address on the vlan interface, not all the interfaces

I don't want to use static routes. I have BGP installed and working.

I think we are moving away from the issue.

The standby router can't ping the VIP. It can ping everything else.

ebarticel Thu, 12/29/2011 - 18:08

Hi Alex,

I didn't suggest you use static routes; I have used static routes in my simulation to try to understand what the problem is and how it can be solved.

On the routers you have, you can't set up an IP address on a VLAN, like you do on the switch, unless the interfaces you mentioned (g0/0/0 - g0/0/3) are part of a switching module installed on the router.

If your g0/0/0 interfaces between the two routers are up and up, then the problem could be with the BGP peer configuration.

If interfaces g0/0/0 are up on both routers but line protocol is down, then your ping goes to the firewall first and you need to check if it allows pings on the outside interface (I guess the one connecting to your secondary router is configured as an outside).

You can use an extended ping from the secondary and record the hops it goes through; then you will know for sure which way it goes out of the router.

One other suggestion is to copy the running configurations from both routers and, if you have 2 spare routers, connect them together like your topology, use loopbacks to simulate the Internet and firewalls, and see if it works.

This is all I can suggest now based on the info you provided.

Good luck and hope that you will get to the bottom of it.

Eugen

AlexSamadYieldBroker Thu, 12/29/2011 - 22:02

Hi

Thanks for that, I must have misunderstood you in regards to the statics!

I can understand what you are saying about the switch module and such, and I believe it is a switch module.

Unfortunately I don't have any spare routers

extended ping ? I have specified a source interface vlan1

still no luck.

I am still not sure it's a routing issue, cause I can ping the other addresses .253 and .250 ...

I will have some time to run some more tests next year (this weekend)

A

Posted December 27, 2011 at 2:45 PM