11-10-2013 05:14 PM - edited 03-07-2019 04:31 PM
Hi Everyone,
HSRP was working fine between 2 switches.
I configured authentication on VLAN 20 on switch A.
Switch A
3550SMIA#sh run int vlan 20
Building configuration...
Current configuration : 261 bytes
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip ospf hello-interval 40
standby 1 ip 192.168.20.3
standby 1 priority 150
standby 1 preempt delay minimum 60
standby 1 authentication md5 key-chain mahesh
standby 1 track FastEthernet0/11 60
Vlan20 - Group 1
State is Active
2 state changes, last state change 7w2d
Virtual IP address is 192.168.20.3
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.968 secs
Authentication MD5, key-chain "mahesh"
Preemption enabled, delay min 60 secs
Active router is local
Standby router is unknown
Priority 150 (configured 150)
Track interface FastEthernet0/11 state Up decrement 60
IP redundancy name is "hsrp-Vl20-1" (default)
Switch B
3550SMIB# sh run int vlan 20
Building configuration...
Current configuration : 200 bytes
!
interface Vlan20
ip address 192.168.20.2 255.255.255.0
ip ospf hello-interval 40
standby 1 ip 192.168.20.3
standby 1 preempt delay minimum 60
standby 1 authentication md5 key-chain mahesh
Vlan20 - Group 1
State is Active
2 state changes, last state change 00:28:06
Virtual IP address is 192.168.20.3
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.400 secs
Authentication MD5, key-chain "mahesh"
Preemption enabled, delay min 60 secs
Active router is local
Standby router is unknown
Priority 100 (default 100)
IP redundancy name is "hsrp-Vl20-1" (default)
Vlan30 - Group 2
There is Layer 2 and Layer 3 IP connectivity between the two switches.
Both switches have OSPF running between them.
Both switches are reporting as active.
Regards
MAhesh
11-10-2013 05:46 PM
Mahesh
It would appear that there is a problem with the authentication that you configured using key chain mahesh. But you have provided no information for us about this key chain. So our ability to find the issue is quite limited. Additional information, especially about the key chain would be most helpful.
HTH
Rick
11-10-2013 06:10 PM
Hi Rick,
I have this config under both switches.
sh key chain mahesh
Key-chain mahesh:
Do I need to add the below config also?
key 1
key-string cisco
I will try those and will update you.
Regards
MAhesh
11-10-2013 05:47 PM
Hi Mahesh,
I guess you have not defined the Key-Chain. Please look at the sample configuration below.
key chain mahesh
key 1
key-string cisco
A
Building configuration...
Current configuration : 129 bytes
!
interface Vlan40
ip address 40.1.1.1 255.255.255.0
standby 1 ip 40.1.1.3
standby 1 authentication md5 key-chain mahesh
end
B
Current configuration : 129 bytes
!
interface Vlan40
ip address 40.1.1.1 255.255.255.0
standby 1 ip 40.1.1.3
standby 1 authentication md5 key-chain mahesh
end
sh standby bri
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl40        1    100   Active  local           40.1.1.1        40.1.1.3
Hope it helps
Regards,
Karthick Murugan
11-10-2013 06:12 PM
Hi Karthick,
I have this key chain config on both switches
#sh key chain mahesh
Key-chain mahesh:
Will add full key chain config and will update you.
Regards
MAhesh
11-10-2013 06:16 PM
Hi Rick & Karthick,
So adding full key chain config
key chain mahesh
key 1
key-string cisco
fixed the issue.
Just need to know why we need key 1 and key-string cisco configured on both switches.
So it means when we enable HSRP authentication then a single config of key chain mahesh will not work?
Regards
MAhesh
11-10-2013 06:23 PM
Mahesh,
I am really glad that the issue is resolved.
To answer your question, if you are using Key chain based authentication, you need to configure a key without which the authentication wouldn't work. However, you can configure more than 1 key with more than 1 key-string and you have an option to choose a specific key for specific duration.
If you wish to include just the MD5 password then the configuration will look like this below and it doesn't require key-chain/key configuration.
interface Vlan40
ip address 40.1.1.1 255.255.255.0
standby 1 ip 40.1.1.3
standby 1 authentication md5 key-string mahesh
Thanks
Karthick Murugan
CCIE#39285(R&S)
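Added example (not part of the original thread and not Cisco's code): a small Python check, run over saved running-config text, that flags HSRP groups whose "authentication md5 key-chain" line points at a key chain with no key and key-string, the condition that left both switches Active in this thread. The sample configs are constructed and the function names are hypothetical.

```python
import re

# Constructed sample configs modelled on the thread (assumed, not device output).
BROKEN = """\
key chain mahesh
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 standby 1 ip 192.168.20.3
 standby 1 authentication md5 key-chain mahesh
"""
FIXED = """\
key chain mahesh
 key 1
  key-string cisco
!
interface Vlan20
 ip address 192.168.20.2 255.255.255.0
 standby 1 ip 192.168.20.3
 standby 1 authentication md5 key-chain mahesh
"""

def usable_key_chains(config):
    """Return names of key chains holding at least one key with a key-string."""
    usable, chain, in_key = set(), None, False
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"key chain (\S+)$", line):
            chain, in_key = m.group(1), False
        elif chain and re.match(r"key \d+$", line):
            in_key = True
        elif chain and in_key and line.startswith("key-string "):
            usable.add(chain)
        elif raw and not raw[0].isspace():
            chain, in_key = None, False  # any other top-level line ends the block
    return usable

def audit_hsrp_auth(config):
    """List (interface, group, chain) where HSRP uses a missing or empty chain."""
    usable, findings, intf = usable_key_chains(config), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            intf = m.group(1)
        m = re.match(r"standby (\d+) authentication md5 key-chain (\S+)$", line)
        if m and m.group(2) not in usable:
            findings.append((intf, int(m.group(1)), m.group(2)))
    return findings
```

A key chain that is referenced but never defined is reported the same way as an empty one, since neither gives HSRP a key to use.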
11-10-2013 06:28 PM
Hi Karthick,
Many thanks for the great explanation.
Best regards
MAhesh