I configured two Cisco routers to work in active/standby mode; following is the config:
! Router 1 (primary: higher priority, tracks the serial link)
interface FastEthernet0/0
 standby 1 ip <VIP>
 standby 1 priority 105
 standby 1 preempt
 standby 1 track Serial3/0:0
! Router 2
interface FastEthernet0/0
 standby 1 ip <VIP>
 standby 1 preempt
The configuration is on the f0/0 interface and the two routers are connected to the same firewall.
The problem is: when I shut down the serial interface, HSRP works fine (the active router becomes standby), but I can't connect to the internet. Attached is a debug done when I shut down the serial interface.
The problem is not related to HSRP, I believe. Your router 2 is active now, which means HSRP is working fine. I believe the problem is related to routes.
Can you check that the default gateway on your machines or firewall is pointing to the VIP address configured on both routers? Also, does your router 2 have proper routes configured to reach the internet and then back to your firewall?
Can you ping the internet using the ethernet interface as the source interface from the router? Also, can you ping the VIP and the IP address of the serial interface of your router from the firewall?
Yes, no problem connecting to the internet from the two routers. Note that the problem occurs only when I try to do a failover. I mean that there is no problem connecting to the internet when the first router is active and the second is standby, with the default route on the firewall pointing to the VIP, but when I shut down the serial interface on the first router (the active router) I can't connect to the internet, although the second router changes its state from standby to active.
The second router's connectivity to the internet was tested and it is OK.
If I understand it correctly, your setup should look like this:
firewall ----> Router 1 ---->> ISP
         ----> Router 2 ---->>
If you just pinged the internet, by default it will use the serial interface (or the interface that is directly connected to your ISP) as the source. Try an extended ping and use the FE or the VIP as the source address.
I did a ping to the internet using FE as the source interface and the ping succeeded.
My connection is like the following:
firewall --> router1 --> ISP
Now that could be an issue. How have you configured your firewall to do a NAT fallback?
By this I mean your firewall must be doing NAT with the active router's serial interface IP, or some IP which is allowed by your ISP 1. Now, when your active router (router 1) goes down and the standby router (router 2) comes up, how will your firewall come to know that it now has to start NAT with router 2's serial interface IP address, or any IP address which is allowed by your ISP 2?
Can you please confirm whether you have done some check on your firewall for the same?
Could you do a traceroute on the PC? Is it via a different router when the primary router is down? Also, please post the running config of these routers and the show standby output.
1- I changed the default route on the firewall to be the second router's IP (the standby router) and I did a traceroute to a Yahoo IP.
2- When the default route on the firewall is the VIP and the first router is active and the second is standby, the traceroute is OK.
3- When the default route on the firewall is the VIP and the first router is standby and the second is active, the traceroute is not OK.
What do you suggest?
Do paste show ip route from both the routers.
In the first option you mentioned,
"1- I changed the default route on the firewall to be the second router's IP (the standby router) and I did a traceroute to a Yahoo IP." Check whether router 2 is sending traffic to router 1 and then reaching the internet (Yahoo).
Most likely the reverse route is not available through the ISP via the links to both routers. Check with the ISP for a backup route to the LAN public network through the second router's serial link.
I understood your problem, but what I would like to know, since you mentioned your firewall is doing NAT: can you please update how your firewall will do the NAT with the second router's IP address when your primary router fails?
Can you update more on how you have configured NAT on your firewall?
This does not look like an HSRP issue. Please check whether the public IP address is routed from the ISP through both router links. It might be due to a reverse route issue from the ISP.
I tried to shut down the f0/0 interface on the active router. The result was that the first router changed its state to 'init' and the backup router became active, but when I made a traceroute to a real IP address from the firewall, the trace went two hops only and stopped, although when I made the same trace (same real IP) from the router itself I could reach the destination without any problem.
If I have understood it properly, then your config is as follows:
NAT on the firewall
HSRP between Router 1 and Router 2
So, the problem lies in the firewall.
In the firewall, once you have made a connection with a public IP, the session, i.e. the translation, will be present even if the internet link fails. You have to give the "clear xlate" command and then try to ping the destination once your active router fails.
Please check the command to clear the current translations and current information in Juniper.
You can go through the below link to know more about the command.
This solution is a temporary solution. Whenever your serial interface goes down, your NAT translations need to be changed.
One solution is to do NAT on the routers themselves using stateful NAT, which will work fine with your HSRP. But this solution is not the best if you are using a firewall.
You can take help from security experts for more solutions.
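The stale-translation explanation in the reply above, as an added example that is not part of the thread: a small Python model of a firewall doing NAT behind two HSRP routers, assuming (as the replies suggest) that the ISP routes each public address back only through the router that owns it. Router names, priorities and all addresses are constructed for the example.

```python
# Added example (not from the thread): toy model of the described failover.
# The firewall binds each session to the public IP the ISP routes back via the
# router active at session start and keeps it after failover; constructed IPs.
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    priority: int
    public_ip: str          # address the ISP routes back only via this router
    up: bool = True         # False models 'shutdown' of the tracked serial link


@dataclass
class HsrpGroup:
    routers: list

    def active(self):
        """Highest-priority router whose tracked link is up (preempt on both)."""
        up = [r for r in self.routers if r.up]
        return max(up, key=lambda r: r.priority) if up else None


class NatFirewall:
    """Default route points at the VIP; xlate entries live until cleared."""
    def __init__(self, group):
        self.group = group
        self.xlate = {}     # (inside_ip, dst_ip) -> public ip used for this session

    def send(self, inside_ip, dst_ip):
        """True if the reply can come back, i.e. the session actually works."""
        active = self.group.active()
        if active is None:
            return False
        pub = self.xlate.setdefault((inside_ip, dst_ip), active.public_ip)
        # Reverse path: the ISP only routes pub back through the router owning it.
        return any(r.up and r.public_ip == pub for r in self.group.routers)

    def clear_xlate(self):
        self.xlate.clear()


def failover_scenario(clear_after_failover):
    """Returns (works before failover, active router after, works after)."""
    r1 = Router("R1", 105, "203.0.113.1")       # priority 105 + track, as in the post
    r2 = Router("R2", 100, "203.0.113.2")
    fw = NatFirewall(HsrpGroup([r1, r2]))
    before = fw.send("10.0.0.5", "198.51.100.10")
    r1.up = False                               # shut the serial link on R1
    if clear_after_failover:
        fw.clear_xlate()
    after = fw.send("10.0.0.5", "198.51.100.10")
    return before, fw.group.active().name, after
```

Without clearing, the existing session keeps its pre-failover public address and its replies are blackholed even though HSRP correctly made R2 active; a brand-new session after failover works, which matches why the router and fresh tests succeed while the firewall's established sessions do not.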