HSRP authentication not working between 2 switches

mahesh18
Level 6

Hi Everyone,

HSRP was working fine between 2 switches.

I configured authentication on VLAN 20 on switch A.

Switch A

3550SMIA#sh run int vlan 20
Building configuration...

Current configuration : 261 bytes
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip ospf hello-interval 40
standby 1 ip 192.168.20.3
standby 1 priority 150
standby 1 preempt delay minimum 60
standby 1 authentication md5 key-chain mahesh
standby 1 track FastEthernet0/11 60

Vlan20 - Group 1
  State is Active
    2 state changes, last state change 7w2d
  Virtual IP address is 192.168.20.3
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.968 secs
  Authentication MD5, key-chain "mahesh"
  Preemption enabled, delay min 60 secs
  Active router is local
  Standby router is unknown
  Priority 150 (configured 150)
    Track interface FastEthernet0/11 state Up decrement 60
  IP redundancy name is "hsrp-Vl20-1" (default)

Switch B

3550SMIB#sh run int vlan 20
Building configuration...

Current configuration : 200 bytes
!
interface Vlan20
ip address 192.168.20.2 255.255.255.0
ip ospf hello-interval 40
standby 1 ip 192.168.20.3
standby 1 preempt delay minimum 60
standby 1 authentication md5 key-chain mahesh

Vlan20 - Group 1
  State is Active
    2 state changes, last state change 00:28:06
  Virtual IP address is 192.168.20.3
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.400 secs
  Authentication MD5, key-chain "mahesh"
  Preemption enabled, delay min 60 secs
  Active router is local
  Standby router is unknown
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Vl20-1" (default)
Vlan30 - Group 2

There is layer 2 and layer 3 IP connectivity between two switches

Both switches have ospf running between them.

Both switches are reporting as active.

Regards

Mahesh

Richard Burts
Hall of Fame

Mahesh

It would appear that there is a problem with the authentication that you configured using key chain mahesh. But you have provided no information for us about this key chain. So our ability to find the issue is quite limited. Additional information, especially about the key chain would be most helpful.

HTH

Rick

Hi Rick,

I have this config under both switches.

sh key chain mahesh
Key-chain mahesh:

Do I need to add the below config also?

key 1
   key-string cisco

I will try those and will update you.

Regards

Mahesh

Karthick Murugan
Cisco Employee

Hi Mahesh,

I guess you have not defined the Key-Chain. Please look at the sample configuration below.

key chain mahesh
key 1
   key-string cisco

A

Building configuration...

Current configuration : 129 bytes
!
interface Vlan40
ip address 40.1.1.1 255.255.255.0
standby 1 ip 40.1.1.3
standby 1 authentication md5 key-chain mahesh
end

B

Current configuration : 129 bytes
!
interface Vlan40
ip address 40.1.1.1 255.255.255.0
standby 1 ip 40.1.1.3
standby 1 authentication md5 key-chain mahesh
end

sh standby bri
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl40        1    100   Active  local           40.1.1.1        40.1.1.3

Hope it helps

Regards,

Karthick Murugan

Thanks & Regards, Karthick Murugan CCIE#39285

Hi Karthick,

I have this key chain config on both switches

#sh key chain mahesh
Key-chain mahesh:

Will add full key chain config and will update you.

Regards

Mahesh

Hi Rick & Karthick,

So adding full key chain config

key chain mahesh
key 1
   key-string cisco

fixed the issue.

Just need to know why we need key 1 and key-string cisco configured on both switches?

So it means when we enable HSRP authentication, the single config of key chain mahesh will not work?

Regards

Mahesh

Mahesh,

I am really glad that the issue is resolved.

To answer your question, if you are using Key chain based authentication, you need to configure a key without which the authentication wouldn't work. However, you can configure more than 1 key with more than 1 key-string and you have an option to choose a specific key for specific duration.

If you wish to include just the MD5 password then the configuration will look like this below and it doesn't require key-chain/key configuration.

interface Vlan40
ip address 40.1.1.1 255.255.255.0
standby 1 ip 40.1.1.3
standby 1 authentication md5 key-string mahesh

Thanks

Karthick Murugan

CCIE#39285(R&S)

Thanks & Regards, Karthick Murugan CCIE#39285
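
An added example, not part of any post in this thread: a small Python check for the failure resolved above, where an HSRP group's "authentication md5 key-chain" line points at a key chain that has no key with a key-string, or at a key chain that is not defined at all. The sample configs are constructed from the thread's values and assume IOS-style indented running-config text; the function names are hypothetical and key lifetimes are not evaluated.

```python
import re

# Constructed sample configs modelled on the thread: switch A has an empty
# key chain (the failing state), switch B has the key and key-string defined.
SWITCH_A = """\
key chain mahesh
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 standby 1 ip 192.168.20.3
 standby 1 authentication md5 key-chain mahesh
"""
SWITCH_B = """\
key chain mahesh
 key 1
  key-string cisco
!
interface Vlan20
 ip address 192.168.20.2 255.255.255.0
 standby 1 ip 192.168.20.3
 standby 1 authentication md5 key-chain mahesh
"""

def usable_key_chains(config):
    """Return names of key chains that contain at least one key with a key-string."""
    usable, chain, in_key = set(), None, False
    for line in config.splitlines():
        text = line.strip()
        if m := re.match(r"key chain (\S+)$", text):
            chain, in_key = m.group(1), False
        elif not line.startswith(" "):
            chain = None                      # left the key chain block
        elif chain and re.match(r"key \d+$", text):
            in_key = True
        elif chain and in_key and text.startswith("key-string "):
            usable.add(chain)
    return usable

def audit_hsrp_auth(config):
    """List (interface, group, key chain) for HSRP groups whose chain has no usable key."""
    usable, findings, iface = usable_key_chains(config), [], None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        m = re.match(r"\s*standby (\d+) authentication md5 key-chain (\S+)", line)
        if m and m.group(2) not in usable:
            findings.append((iface, int(m.group(1)), m.group(2)))
    return findings
```

Running audit_hsrp_auth over each peer's saved config before enabling authentication flags the empty key chain that left both switches Active in this thread.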

Hi Karthick,

Many thanks for the great explanation.

Best regards

Mahesh
