
HSRP authentication problem.

rcapao
Level 1

Hi,

We have 2 devices configured with HSRP on one interface, associated with a VLAN.

On switch 1:

!
interface Vlan16
 description HSRP for HA VMware - 2015Nov13
 ip address 10.10.10.5 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 11 ip 10.10.10.7
 standby 11 priority 110
 standby 11 preempt
 standby 11 authentication md5 key-chain globo123
!

On switch 2:

!
interface Vlan16
 description HSRP for HA VMware - 2015Nov13
 ip address 10.10.10.6 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 11 ip 10.10.10.7
 standby 11 preempt
 standby 11 authentication md5 key-chain globo123
!

The thing is that we have the following message from switch 1:

370222: Jan 19 02:29:20.439 UTC: %HSRP-4-BADAUTH: Bad authentication from 10.10.10.6, group 11, remote state Active

And, from switch 2:


1308504: Jan 19 02:30:11.823 UTC: %HSRP-4-BADAUTH: Bad authentication from 10.10.10.5, group 11, remote state Active

And also, from switch 1:

370242: Jan 19 02:29:39.290 UTC: HSRP: Vl16 Grp 11 Hello in 10.10.10.6 Active pri 100 vIP 10.10.10.7
370243: Jan 19 02:29:39.290 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello pkt from 129.39.189.3, No key for this key ID
370244: Jan 19 02:29:39.354 UTC: HSRP: Vl16 Grp 11 Hello out 10.10.10.2 Active pri 110 vIP 10.10.10.7
370245: Jan 19 02:29:40.946 UTC: HSRP: Vl16 Grp 11 ARP src 129.39.189.36 tgt 10.10.10.7, reply with mac 0000.0c07.ac0b
370246: Jan 19 02:29:42.058 UTC: HSRP: Vl166 Grp 11 Hello in 10.10.10.6 Active pri 100 vIP 10.10.10.7
370247: Jan 19 02:29:42.058 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello pkt from 129.39.189.3, No key for this key ID
370248: Jan 19 02:29:42.110 UTC: HSRP: Vl16 Grp 11 Hello out 10.10.10.5 Active pri 110 vIP 10.10.10.7
370249: Jan 19 02:29:44.682 UTC: HSRP: Vl16 Grp 11 Hello out 10.10.10.5 Active pri 110 vIP 10.10.10.7
370250: Jan 19 02:29:44.858 UTC: HSRP: Vl16 Grp 11 Hello in 10.10.10.6 Active pri 100 vIP 10.10.10.7
370251: Jan 19 02:29:44.858 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello pkt from 10.10.10.6, No key for this key ID
370252: Jan 19 02:29:47.306 UTC: HSRP: Vl16 Grp 11 Hello out 10.10.10.5 Active pri 110 vIP 10.10.10.7
370253: Jan 19 02:29:47.318 UTC: HSRP: Vl16 Grp 11 Hello in 10.10.10.6 Active pri 100 vIP 10.10.10.7
370254: Jan 19 02:29:47.318 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello pkt from 10.10.10.6, No key for this key ID
370255: Jan 19 02:29:47.630 UTC: HSRP: Vl16 Grp 11 ARP src 172.16.1.41 tgt 10.10.10.7, reply with mac 0000.0c07.ac0b

and also from switch 2:

1308614: Jan 19 02:31:47.308 UTC: HSRP: Vl16 Grp 11 Hello out 10.10.10.6 Active pri 100 vIP 10.10.10.7
1308615: Jan 19 02:31:48.668 UTC: HSRP: Vl16 Grp 11 Hello in 10.10.10.5 Active pri 110 vIP 10.10.10.7
1308616: Jan 19 02:31:48.668 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello pkt from 10.10.10.5, No key for this key ID
1308617: Jan 19 02:31:48.668 UTC: %HSRP-4-BADAUTH: Bad authentication from 10.10.10.5, group 11, remote state Active
1308618: Jan 19 02:31:50.276 UTC: HSRP: Vl16 Grp 11 Hello out 129.39.189.3 Active pri 100 vIP 10.10.10.6
1308619: Jan 19 02:31:51.280 UTC: HSRP: Vl16 Grp 11 Hello in 129.39.189.2 Active pri 110 vIP 10.10.10.6
1308620: Jan 19 02:31:51.280 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello pkt from 129.39.189.2, No key for this key ID
1308621: Jan 19 02:31:51.892 UTC: HSRP: Vl16 Grp 11 ARP src 172.16.1.48 tgt 10.10.10.6, reply with mac 0000.0c07.ac0b
1308622: Jan 19 02:31:52.916 UTC: HSRP: Vl16 Grp 11 Hello out 129.39.189.3 Active pri 100 vIP 10.10.10.6
1308623: Jan 19 02:31:53.856 UTC: HSRP: Vl16 Grp 11 Hello in 129.39.189.2 Active pri 110 vIP 10.10.10.6
1308624: Jan 19 02:31:53.856 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello pkt from 10.10.10.5, No key for this key ID

From the command "show standby" I have for switch 1:

Vlan16 - Group 11
State is Active
2 state changes, last state change 9w3d
Virtual IP address is 10.10.10.7
Active virtual MAC address is 0000.0c07.ac0b
Local virtual MAC address is 0000.0c07.ac0b (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.560 secs
Authentication MD5, key-chain "GSNIFri13unh4ck4bl3"
Preemption enabled
Active router is local
Standby router is unknown
Priority 110 (configured 110)
Group name is "hsrp-Vl16-11" (default)

And for switch 2:

Vlan16 - Group 11
State is Active
2 state changes, last state change 9w3d
Virtual IP address is 10.10.10.7
Active virtual MAC address is 0000.0c07.ac0b
Local virtual MAC address is 0000.0c07.ac0b (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.832 secs
Authentication MD5, key-chain "GSNIFri13unh4ck4bl3"
Preemption enabled
Active router is local
Standby router is unknown
Priority 100 (default 100)
Group name is "hsrp-Vl16-11" (default)

Could someone tell me if this situation could cause the network to stop working?
Or, what kind of problem could I have?

Thanks,

  

                  Rui Capao
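
Both `show standby` outputs above report "State is Active" with an unknown standby router: each switch discards the other's hellos, so both claim the virtual IP. As an added example (not part of the original post), this Python script reads debug lines in the format quoted above and flags that dual-active condition per group; the sample log is constructed from the post's lines and `triage` is a name chosen here.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the switch 1 output quoted in the post.
SAMPLE_LOG = """\
370250: Jan 19 02:29:44.858 UTC: HSRP: Vl16 Grp 11 Hello in 10.10.10.6 Active pri 100 vIP 10.10.10.7
370251: Jan 19 02:29:44.858 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello pkt from 10.10.10.6, No key for this key ID
370252: Jan 19 02:29:47.306 UTC: HSRP: Vl16 Grp 11 Hello out 10.10.10.5 Active pri 110 vIP 10.10.10.7
370253: Jan 19 02:29:47.318 UTC: %HSRP-4-BADAUTH: Bad authentication from 10.10.10.6, group 11, remote state Active
"""

HELLO = re.compile(r"HSRP: \S+ Grp (\d+) Hello\s+(in|out)\s+(\S+)\s+(\w+)\s+pri")
AUTH_FAIL = re.compile(r"HSRP: \S+ Grp (\d+) Auth failed for Hello pkt from ([\d.]+)")
BADAUTH = re.compile(r"%HSRP-4-BADAUTH: Bad authentication from ([\d.]+), group (\d+)")

def triage(log_text):
    """Per HSRP group: peers failing authentication, and dual-active state."""
    seen = defaultdict(lambda: {"local": False, "peers": set(), "failed": set()})
    for line in log_text.splitlines():
        if m := HELLO.search(line):
            grp, direction, addr, state = m.groups()
            if state == "Active" and direction == "out":
                seen[grp]["local"] = True        # this switch claims Active
            elif state == "Active":
                seen[grp]["peers"].add(addr)     # a neighbour claims Active
        elif m := AUTH_FAIL.search(line):
            seen[m.group(1)]["failed"].add(m.group(2))
        elif m := BADAUTH.search(line):
            seen[m.group(2)]["failed"].add(m.group(1))
    report = {}
    for grp, g in seen.items():
        # Dual-active: we send Active hellos while a neighbour whose hellos
        # we reject also advertises Active for the same group.
        report[grp] = {
            "auth_failed_peers": sorted(g["failed"]),
            "dual_active": g["local"] and bool(g["peers"] & g["failed"]),
        }
    return report

if __name__ == "__main__":
    for grp, result in triage(SAMPLE_LOG).items():
        print(f"group {grp}: {result}")
```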

    


Sanjay Shaw
Level 1

Hi Rui,

It seems there is some connectivity problem between the switches; please let me know how these two switches are connected. I am asking because the error message hints at an authentication failure from the neighbor switch while sending hellos, and it is receiving from 129.39.198.3, which is not desired.

370243: Jan 19 02:29:39.290 UTC: HSRP: Vl16 Grp 11 Auth failed for Hello pkt from 129.39.189.3, No key for this key ID.

I would also suggest configuring HSRP without the authentication key and checking the status; only once these are in active/standby state go on to configure authentication on both chassis.

Hi,

The device that is between those switches does not have any ACL.
So that message is a bit strange, and I think it is something that was part of the previous data.

Thanks,

Rui Capao

Philip D'Ath
VIP Alumni

You haven't shown the key-chain. Are you absolutely sure it is the same on all devices? I have been caught out copying and pasting them before with the password containing a trailing space, which you cannot see in the "show running" output. You can drag over it with the mouse to see if this is the case though.

I think you should re-key the password on all devices.

Are the two switches running a similar version of software?

Hi,

I am not sure about that.
That was a thing that I already thought about.

I will try to see that possibility... I mean, test that possibility.

Thanks,

       Rui Capao

Hi,

I saw what you advised. And, the problem was right there.

One of the keys was not correct...it had a space.
But in previous devices, this configuration had no problem.
A question of different IOS...?? Probably!

Thanks,

Rui Capao

Don't blame IOS for the space, blame Windows copy and paste.

It would be great if you would mark my answer as correct if you think it helped you.
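
The trailing space that caused the mismatch in this thread is invisible in `show running` output, so it is easier to catch mechanically. As an added example (not code from the thread), this Python script compares the key chains in two saved running-config captures and reports trailing whitespace or differing key-strings without echoing the secret; the config excerpts are constructed and `parse_key_chains` and `audit` are names chosen here.

```python
import re

# Constructed running-config excerpts (sample names and secrets). Switch B's
# key-string ends with a pasted trailing space, the fault found in this thread.
SWITCH_A = "key chain globo123\n key 1\n  key-string P4ssw0rd\n!\n"
SWITCH_B = "key chain globo123\n key 1\n  key-string P4ssw0rd \n!\n"

def parse_key_chains(config_text):
    """Return {(chain, key_id): raw key-string}, preserving trailing spaces."""
    keys, chain, key_id = {}, None, None
    for line in config_text.split("\n"):
        line = line.rstrip("\r")  # tolerate CRLF captures, keep spaces intact
        if m := re.match(r"key chain (\S+)\s*$", line):
            chain, key_id = m.group(1), None
        elif chain and (m := re.match(r"\s+key (\d+)\s*$", line)):
            key_id = int(m.group(1))
        elif key_id is not None and (m := re.match(r"\s+key-string (.*)$", line)):
            keys[(chain, key_id)] = m.group(1)
        elif line and not line[0].isspace():
            chain = key_id = None  # back at top level, key chain block ended
    return keys

def audit(cfg_a, cfg_b):
    """Compare two peers' key chains; findings never echo the secret itself."""
    a, b = parse_key_chains(cfg_a), parse_key_chains(cfg_b)
    findings = []
    for ident in sorted(set(a) | set(b)):
        label = "key chain %s key %d" % ident
        va, vb = a.get(ident), b.get(ident)
        if va is None or vb is None:
            findings.append(f"{label}: missing on peer {'A' if va is None else 'B'}")
            continue
        for peer, value in (("A", va), ("B", vb)):
            if value != value.rstrip():
                findings.append(f"{label}: trailing whitespace on peer {peer}")
        if va.startswith("7 ") or vb.startswith("7 "):
            # Assumption: type 7 strings of the same secret can differ, so
            # a text comparison proves nothing; re-key both peers instead.
            findings.append(f"{label}: type 7 encoded, not comparable as text")
        elif va != vb:
            findings.append(f"{label}: key-strings differ")
    return findings

if __name__ == "__main__":
    for finding in audit(SWITCH_A, SWITCH_B):
        print(finding)
```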

Thank you very much for your help!!!!

Thank you Rodrigo Rhis!

Milos Megis
Level 3

Hello,
You probably thought that "globo123" is your password, but it is the name of the key chain in which the password will be looked up.

Try to use following commands on both switches:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#key chain globo123
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string P4ssw0rd
R1(config-keychain-key)#end

P4ssw0rd is the password you want to use. It must be the same on both switches.

Hi,

sorry, I forgot to put that part of the configuration.
But, it is configured like you advised.

Thanks,

     Rui capao

Please configure the authentication properly on the two switches:

(config)# key chain chain-name (Cisco)

(config-keychain)# key key-number

(config-keychain-key)# key-string 0 (zero) string (cisco123)

(Exit from this key mode)

Then go to the interface:

(config)# interface fa0/0 (the interface on which you have enabled HSRP)

(config-if)# standby 1 (group number) authentication md5 key-chain Cisco (chain-name)

 


After or before the above configuration, you have to configure MD5 authentication associated with an interface:

(config)# int fa0/0 (the interface on which you have enabled HSRP)

(config-if)# standby 1 (group number) authentication md5 key-string 0 (zero) string (Cisco123)
