Malicious HSRP issue?

axa-wongjeff
Level 1

My MSFC has been reporting an issue with HSRP for the past few days. Seeing the following:

33w6d: IP-EIGRP: Neighbor 10.73.136.2 not on common subnet for Vlan158 (10.73.65.3 255.255.255.0)
33w6d: IP-EIGRP: Neighbor 10.73.65.3 not on common subnet for Vlan17 (10.73.136.3 255.255.248.0)
Jan 10 15:02:48: %STANDBY-3-BADAUTH: Bad authentication from 10.73.65.2, remote state Standby
33w6d: IP-EIGRP: Neighbor 10.73.136.2 not on common subnet for Vlan158 (10.73.65.3 255.255.255.0)
33w6d: IP-EIGRP: Neighbor 10.73.65.3 not on common subnet for Vlan17 (10.73.136.3 255.255.248.0)
33w6d: IP-EIGRP: Neighbor 10.73.136.2 not on common subnet for Vlan158 (10.73.65.3 255.255.255.0)
Jan 10 15:03:19: %STANDBY-3-BADAUTH: Bad authentication from 10.73.136.2, remote state Active

I know what everyone will say: "Check authentication". Been there, done that.

Topology:

2 Cat6509s, each with dual Supervisor/MSFC modules. Both switches connect together via EtherChannel. HSRP VLAN peers are set up so that peer 1 is in Switch/MSFC-1 and peer 2 is in Switch/MSFC-2.

MSFC configuration:

Compared running and starting configuration on both MSFCs. IP addressing and HSRP authentication are correct.

MSFC-1
----------
interface Vlan17
 ip address x.x.17.130 255.255.255.0 secondary
 ip address 10.73.136.2 255.255.248.0
 no ip redirects
 no ip unreachables
 ip pim version 1
 ip pim sparse-mode
 standby 1 timers 5 15
 standby 1 priority 110 preempt
 standby 1 authentication vlan17
 standby 1 ip 10.73.136.1
 standby 1 ip x.x.17.129 secondary

interface Vlan158
 ip address x.x.158.2 255.255.255.0 secondary
 ip address 10.73.65.2 255.255.255.0
 no ip redirects
 no ip unreachables
 ip pim version 1
 ip pim sparse-mode
 standby 1 timers 5 15
 standby 1 priority 110 preempt
 standby 1 authentication vlan158
 standby 1 ip 10.73.65.1
 standby 1 ip x.x.158.1 secondary
end

MSFC-2
-----------
interface Vlan17
 ip address x.x.17.131 255.255.255.0 secondary
 ip address 10.73.136.3 255.255.248.0
 no ip redirects
 no ip unreachables
 ip pim version 1
 ip pim sparse-mode
 standby 1 timers 5 15
 standby 1 priority 100 preempt
 standby 1 authentication vlan17
 standby 1 ip 10.73.136.1
 standby 1 ip x.x.17.129 secondary
end

interface Vlan158
 ip address x.x.158.3 255.255.255.0 secondary
 ip address 10.73.65.3 255.255.255.0
 no ip redirects
 no ip unreachables
 ip pim version 1
 ip pim sparse-mode
 standby 1 timers 5 15
 standby 1 priority 100 preempt
 standby 1 authentication vlan158
 standby 1 ip 10.73.65.1
 standby 1 ip x.x.158.1 secondary
end

====================================

My question is why is my Vlan 17 neighbor trying to authenticate with my Vlan 158 neighbor according to the syslog message? I believe this is why the authentication message appears. These messages are only occurring on 1 of the MSFCs.


Richard Burts
Hall of Fame

Jeffrey

The symptoms sound like the switches/VLANs are cross connected: interface VLAN17 seems to be receiving data from VLAN158 of the other switch. The error messages not only show a problem with HSRP but also show a problem with EIGRP.

Is there a possibility that some port got connected wrong? Or is there a possibility that there is a mismatched native VLAN between the switches?

The configs look correct, but if there is some kind of cross connect it would explain both the authentication error in HSRP (it is expecting to authenticate with vlan17 but is receiving vlan158) and the EIGRP error message.

HTH

Rick
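
The cross-connect reading in the reply above can be checked directly from the syslog. The following Python script is an added example, not part of the original thread or of any Cisco tool: it learns each receiving interface's subnet from the EIGRP messages and reports which VLAN every offending neighbor or HSRP sender actually belongs to. The function names are illustrative, and the log lines are the ones quoted in the question with repeats omitted.

```python
import ipaddress
import re

# Log lines copied from the question above (repeated lines omitted).
SAMPLE_LOG = """\
33w6d: IP-EIGRP: Neighbor 10.73.136.2 not on common subnet for Vlan158 (10.73.65.3 255.255.255.0)
33w6d: IP-EIGRP: Neighbor 10.73.65.3 not on common subnet for Vlan17 (10.73.136.3 255.255.248.0)
Jan 10 15:02:48: %STANDBY-3-BADAUTH: Bad authentication from 10.73.65.2, remote state Standby
Jan 10 15:03:19: %STANDBY-3-BADAUTH: Bad authentication from 10.73.136.2, remote state Active
"""

EIGRP_RE = re.compile(
    r"IP-EIGRP: Neighbor (\S+) not on common subnet for (\S+) \((\S+) (\S+)\)")
BADAUTH_RE = re.compile(r"%STANDBY-3-BADAUTH: Bad authentication from ([\d.]+)")


def learn_subnets(log):
    """Map each receiving interface to its subnet, as stated in the EIGRP messages."""
    subnets = {}
    for m in EIGRP_RE.finditer(log):
        _, ifname, addr, mask = m.groups()
        subnets[ifname] = ipaddress.ip_interface(f"{addr}/{mask}").network
    return subnets


def home_vlan(ip, subnets):
    """Return the interface whose subnet contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in subnets.items() if addr in net), None)


def find_leaks(log):
    """Return (eigrp_leaks, badauth_sources) as sets of tuples."""
    subnets = learn_subnets(log)
    # (neighbor, VLAN the neighbor belongs to, VLAN interface it was heard on)
    eigrp = {(m.group(1), home_vlan(m.group(1), subnets), m.group(2))
             for m in EIGRP_RE.finditer(log)}
    # BADAUTH does not name the receiving interface, so only the sender's
    # home VLAN can be derived: (source IP, VLAN the source belongs to)
    badauth = {(ip, home_vlan(ip, subnets)) for ip in BADAUTH_RE.findall(log)}
    return eigrp, badauth


if __name__ == "__main__":
    eigrp, badauth = find_leaks(SAMPLE_LOG)
    for nbr, home, heard in sorted(eigrp):
        print(f"EIGRP hello from {nbr} (belongs to {home}) heard on {heard}")
    for ip, home in sorted(badauth):
        print(f"HSRP BADAUTH source {ip} belongs to {home}")
```

On the posted log this shows hellos from Vlan17 addresses arriving on Vlan158 and the reverse, which is what a bridged or mis-trunked pair of VLANs looks like from the router's side.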