Cisco Support Community
New Member

HSRP - ISA NLBS

Dual Cisco2821's with Dual ISA Servers on a DMZ.

ISA uses virtual IPs. Want redundant static NATs through a single virtual from ISA but on BOTH Cisco2821's for fail-over.

Get duplicate IP in logs.

Suggestions/Experience??

6 REPLIES
Bronze

Re: HSRP - ISA NLBS

The error messages do not necessarily indicate an HSRP problem. Rather, the error messages indicate a possible Spanning Tree Protocol (STP) loop or router/switch configuration issue. The error messages are just symptoms of another problem.

Kindly send the error messages logged for an accurate analysis.

Hall of Fame Super Gold

Re: HSRP - ISA NLBS

Are you using Microsoft NIC teaming?

Router configs?

New Member

Re: HSRP - ISA NLBS

Dual ISA Boxes using NLBS into DMZ on Cisco2821's.

Using HWIC-4ESW's in each 2821.

2 ports for HSRP and ISA DMZ

2 ports for HSRP and Internet Access

I have static NAT with 3 x IPs (using SNAT as per TAC).

The three static NAT IPs start showing up as duplicate IPs on both the Cisco2821 logs.

Thanks,

Bob

Hall of Fame Super Gold

Re: HSRP - ISA NLBS

Hi,

I would need to see both router configs and how they are connected :)

New Member

Re: HSRP - ISA NLBS

Here is a Visio plus the 2 x configs.

** Please keep confidential **

Thanks,

Bob

Log file

Log Buffer (20000 bytes):

*May 9 17:35:31.691: %IP-4-DUPADDR: Duplicate address 69.46.102.124 on Vlan5, sourced by 001b.533b.0ec0

*May 9 17:36:01.691: %IP-4-DUPADDR: Duplicate address 69.46.102.124 on Vlan5, sourced by 001b.533b.0ec0

*May 9 17:45:01.714: %IP-4-DUPADDR: Duplicate address 69.46.102.123 on Vlan5, sourced by 001b.533b.0ec0

*May 9 17:48:31.724: %IP-4-DUPADDR: Duplicate address 69.46.102.126 on Vlan5, sourced by 001b.533b.0ec0

Hall of Fame Super Gold

Re: HSRP - ISA NLBS

Hi,

Unfortunately I cannot visualize the Visio file.

Anyway, the thing is that you cannot have the same public address configured on both routers for the same sources. Even if HSRP is supposed to get traffic to one router only at a time, packets can be sent from ISA to the other router too, ARP propagates and the conflict is detected. It may work fine and you can live with the error log, but I would recommend that you check your NIC teaming to work in bridge mode to the router / switches, so that one link is kept down all the time.

That should make packets go to one router only - the HSRP active.

Hope this helps, please rate post if it does!
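
A way to check the explanation in the reply above against the logs: group the `%IP-4-DUPADDR` events by source MAC and see whether the static NAT addresses are all being sourced by the peer router. This is an added example, not part of any post in this thread; the sample lines, MAC address and NAT list are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same %IP-4-DUPADDR format as the log in the
# thread (documentation addresses and a made-up MAC, not the poster's values).
SAMPLE_LOG = """\
*May 9 17:35:31.691: %IP-4-DUPADDR: Duplicate address 192.0.2.124 on Vlan5, sourced by 0000.5e00.5301
*May 9 17:36:01.691: %IP-4-DUPADDR: Duplicate address 192.0.2.124 on Vlan5, sourced by 0000.5e00.5301
*May 9 17:45:01.714: %IP-4-DUPADDR: Duplicate address 192.0.2.123 on Vlan5, sourced by 0000.5e00.5301
*May 9 17:48:31.724: %IP-4-DUPADDR: Duplicate address 192.0.2.126 on Vlan5, sourced by 0000.5e00.5301
*May 9 17:50:02.100: %LINK-3-UPDOWN: Interface FastEthernet0/1/0, changed state to up
"""

DUPADDR = re.compile(
    r"%IP-4-DUPADDR: Duplicate address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"on (?P<intf>[^,\s]+), sourced by "
    r"(?P<mac>[0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2})"
)


def summarize_dupaddr(log_text):
    """Count duplicate-address events per (interface, source MAC) and address."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = DUPADDR.search(line)
        if m:  # other syslog messages are ignored
            summary[(m["intf"], m["mac"].lower())][m["ip"]] += 1
    return {key: dict(counts) for key, counts in summary.items()}


def nat_conflicts_from_peer(summary, static_nat_ips, peer_mac):
    """Return the static NAT addresses that the peer router's MAC is sourcing.

    static_nat_ips and peer_mac are supplied by the operator (assumed inputs):
    the addresses in this router's static NAT entries and the MAC of the
    other router's interface on the same VLAN.
    """
    wanted = set(static_nat_ips)
    hits = set()
    for (_intf, mac), counts in summary.items():
        if mac == peer_mac.lower():
            hits |= wanted.intersection(counts)
    return sorted(hits)


if __name__ == "__main__":
    events = summarize_dupaddr(SAMPLE_LOG)
    nat = ["192.0.2.123", "192.0.2.124", "192.0.2.126"]  # constructed NAT list
    print(nat_conflicts_from_peer(events, nat, "0000.5e00.5301"))
```

If every conflicting address is one of the static NAT addresses and the source MAC belongs to the other router, the messages come from both routers holding the same addresses rather than from an unknown host on the VLAN.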
