
HSRP - ISA NLBS

bob.forster
Level 1

Dual Cisco2821's with Dual ISA Servers on a DMZ.

ISA uses virtual IP's. Want redundant Static NAT's through single virtual from ISA but on BOTH Cisco2821's for fail-over.

Get duplicate IP in logs.

Suggestions/Experience??

6 Replies

gmarogi
Level 5

The error messages do not necessarily indicate an HSRP problem. Rather, the error messages indicate a possible Spanning Tree Protocol (STP) loop or router/switch configuration issue. The error messages are just symptoms of another problem.

Kindly send the error messages logged for an accurate analysis.

paolo bevilacqua
Hall of Fame

Are you using Microsoft NIC teaming?

Router configs?

Dual ISA Boxes using NLBS into DMZ on Cisco2821's.

Using HWIC-4ESW's in each 2821.

2 ports for HSRP and ISA DMZ

2 ports for HSRP and Internet Access

I have static NAT with 3 x IP's (using SNAT as per TAC).

The three static NAT IP's start showing up as duplicate IP's on both the Cisco2821 logs.

Thanks,

Bob

Hi,

I would need to see both router configs and how they are connected :)

Here is a Visio plus the 2 x configs.

** Please keep confidential **

Thanks,

Bob

Log file

Log Buffer (20000 bytes):

*May 9 17:35:31.691: %IP-4-DUPADDR: Duplicate address 69.46.102.124 on Vlan5, sourced by 001b.533b.0ec0

*May 9 17:36:01.691: %IP-4-DUPADDR: Duplicate address 69.46.102.124 on Vlan5, sourced by 001b.533b.0ec0

*May 9 17:45:01.714: %IP-4-DUPADDR: Duplicate address 69.46.102.123 on Vlan5, sourced by 001b.533b.0ec0

*May 9 17:48:31.724: %IP-4-DUPADDR: Duplicate address 69.46.102.126 on Vlan5, sourced by 001b.533b.0ec0

Hi,

Unfortunately I cannot visualize the Visio file.

Anyway, the thing is that you cannot have the same public address configured on both routers for the same sources. Even if HSRP is supposed to get traffic to one router only at a time, packets can be sent from ISA to the other router too, ARP propagates and the conflict is detected. It may work fine and you can live with the error log, but I would recommend that you check your NIC teaming to work in bridge mode to the router / switches, so that one link is kept down all the time.

That should make packets go to one router only - the HSRP active.

Hope this helps, please rate post if it does!
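To triage the `%IP-4-DUPADDR` messages posted in this thread, the following added example (not part of any post, and not Cisco tooling) groups the events by interface and sourcing MAC and checks each MAC against a device inventory. The `KNOWN_MACS` inventory and its label are assumptions for illustration; the thread does not say which device owns the MAC.

```python
import re
from collections import defaultdict

# Log lines copied from the thread.
LOG = """\
*May 9 17:35:31.691: %IP-4-DUPADDR: Duplicate address 69.46.102.124 on Vlan5, sourced by 001b.533b.0ec0
*May 9 17:36:01.691: %IP-4-DUPADDR: Duplicate address 69.46.102.124 on Vlan5, sourced by 001b.533b.0ec0
*May 9 17:45:01.714: %IP-4-DUPADDR: Duplicate address 69.46.102.123 on Vlan5, sourced by 001b.533b.0ec0
*May 9 17:48:31.724: %IP-4-DUPADDR: Duplicate address 69.46.102.126 on Vlan5, sourced by 001b.533b.0ec0
"""

# Hypothetical inventory (assumption): the thread never states the MAC's owner.
KNOWN_MACS = {"001b.533b.0ec0": "peer 2821 (assumed)"}

DUPADDR = re.compile(
    r"%IP-4-DUPADDR: Duplicate address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"on (?P<ifname>[^,\s]+), sourced by "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})",
    re.IGNORECASE,
)

def summarize(log_text, known_macs):
    """Group DUPADDR events by (interface, sourcing MAC) and label the MAC owner."""
    groups = defaultdict(lambda: {"ips": set(), "count": 0})
    for line in log_text.splitlines():
        m = DUPADDR.search(line)
        if not m:
            continue  # not a duplicate-address event
        key = (m["ifname"], m["mac"].lower())
        groups[key]["ips"].add(m["ip"])
        groups[key]["count"] += 1
    report = []
    for (ifname, mac), g in sorted(groups.items()):
        report.append({
            "interface": ifname,
            "mac": mac,
            # A MAC missing from the inventory deserves a closer look than a peer router.
            "owner": known_macs.get(mac, "UNKNOWN"),
            "addresses": sorted(g["ips"]),
            "events": g["count"],
        })
    return report

if __name__ == "__main__":
    for row in summarize(LOG, KNOWN_MACS):
        print(row)
```

A single sourcing MAC claiming all three NAT addresses on one VLAN is what the configuration overlap described above would produce; an entry reported as `UNKNOWN` would instead call for locating that MAC on the switch before treating the log as harmless.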
