Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Problems with 2901 hsrvp

Hi

I have 2 x 2901 in a hsrvp setup.

so I have some wan ports attached to both of these routers and I have 1 port from each router attached 1 a sw (switches in clustered mode). and 1 port attach to each other.

The ports from the router to the switch and each other are part of vlan1 and I have hsrp configured on vlan1

interface Vlan1

description to firewall

ip address a.b.c.252 mask

standby 0 ip a.b.c.254

standby 0 preempt

standby 0 authentication md5 key-string 7 THISISSOMETHIG

standby 0 name internet

interface Vlan1

description to firewall

ip address a.b.c.253 mask

standby 0 ip a.b.c.254

standby 0 preempt

standby 0 authentication md5 key-string 7 THISISSOMETHIG

standby 0 name internet

my problem is when i log into the standby router I can't ping the VIP a.b.c.254

standby seems to be working.

Alex

Everyone's tags (2)
39 REPLIES
VIP Super Bronze

Problems with 2901 hsrvp

Hi Alex,

Can you set a priority for the master switch and test again?

example:

standby 2 priority 110
also the group range is from 1 to 255.  Can you try a different group number between 1 and 255?

HTH

New Member

Problems with 2901 hsrvp

Hi

I actually have, sorry I cut and pasted from the slave router

primary

interface Vlan1

ip address a.b.c.d.253 255.255.255.0

standby 0 ip a.b.c.d.254

standby 0 priority 105

standby 0 preempt

standby 0 authentication md5 key-string 7 SOMETHING

standby 0 name internet

sho standby

Vlan1 - Group 0

  State is Active

    1 state change, last state change 38w4d

  Virtual IP address is a.b.c.254

  Active virtual MAC address is 0000.0c07.ac00

    Local virtual MAC address is 0000.0c07.ac00 (v1 default)

  Hello time 3 sec, hold time 10 sec

    Next hello sent in 2.544 secs

  Authentication MD5, key-string

  Preemption enabled

  Active router is local

  Standby router is a.b.c.252, priority 100 (expires in 10.000 sec)

  Priority 105 (configured 105)

  Group name is "internet" (cfgd)

backup router

interface Vlan1

ip address a.b.c.252 255.255.255.0

standby 0 ip a.b.c.254

standby 0 preempt

standby 0 authentication md5 key-string 7 SMOETHING

standby 0 name internet

show standby

Vlan1 - Group 0

  State is Standby

    4 state changes, last state change 1d03h

  Virtual IP address is a.b.c.254

  Active virtual MAC address is 0000.0c07.ac00

    Local virtual MAC address is 0000.0c07.ac00 (v1 default)

  Hello time 3 sec, hold time 10 sec

    Next hello sent in 2.448 secs

  Authentication MD5, key-string

  Preemption enabled

  Active router is a.b.c.253, priority 105 (expires in 9.360 sec)

  Standby router is local

  Priority 100 (default 100)

  Group name is "internet" (cfgd)

so ping from primary to .254 work

ping from secondard to 254 times out ....

New Member

Problems with 2901 hsrvp

Many things can cause such behaviour...

Let`s try the most common one first.

Check wether both routers are listening to 224.0.0.2 (.102 is its hsrp v2), to do that issue the command "sh ip interface" on both routers.

I would suggest to remove the config and apply again, in case you suspect they are not hearing each other, also you can try to ping the MCAST address to see who responds the icmp echo request.

hope this helps

Please, rate useful posts.

New Member

Problems with 2901 hsrvp

sh ip interface

shows me vlan1 on both routers has

224.0.0.2 associated with it

I tried pinging the 224.0.0.2 address and I got replies from the not only the local addresses, but also the wan addresses attached to the router ??

I don't believe that the routers are not hearing the heartbeats.

So i can ping the .254 address from primary router and from another device except from the the secondary router..

but it means any traffic coming in on the secondary can't ping .254

New Member

Problems with 2901 hsrvp

What about arp cache on stanby router.

New Member

Problems with 2901 hsrvp

i presume you mean

show arp

and see if the mac address is in the table.. it is and its the correct one

same on the primary

New Member

Problems with 2901 hsrvp

yes, you presumed correctly.

so, the address a.b.c.254 is bounded to MAC 0000.0c07.ac00

there's a thread, i haven't gone through it all,  you can try.

https://supportforums.cisco.com/thread/2037773

New Member

Problems with 2901 hsrvp

Hi

Not sure if that is the same problem I am having.

So except for the standby router. All other devices on the ethernet segment can ping .254 and they can ping the real address of the routers (pri & sec).

pri can ping .254 .253 .252

but sec can only ping .253 .252 (the real addresses of the routers...

Alex

New Member

Problems with 2901 hsrvp

Hi Alex,

here's more you can try :

on the standby router.

"sh ip route x.x.x.254" , see if recognises the address.

check the output of

access-list 101 permit icmp any any

debug ip packet detail 101

end

ping x.x.x.254

see if the output gives any clues- see if its getting routed or not,

also, check whether there is any ACL blocking udp 1985,

New Member

Problems with 2901 hsrvp

sh ip rou

show me that the router believes it is on vlan1 directly connected (the right info)

Q) dont I have to attach 101 to an interface ? in my case vlan1

and isn't there an implied deny any any at the end of the list

tried it any way

025026: Dec 28 15:23:26 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254, len 100, local feature

025027: Dec 28 15:23:26 AEDT:     ICMP type=8, code=0, Policy Routing(3), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025028: Dec 28 15:23:26 AEDT: FIBipv4-packet-proc: route packet from (local) src a.b.c.252 dst a.b.c.254

025029: Dec 28 15:23:26 AEDT: FIBfwd-proc: packet routed by adj to Vlan1 a.b.c.254

025030: Dec 28 15:23:26 AEDT: FIBipv4-packet-proc: packet routing succeeded

025031: Dec 28 15:23:26 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, sending

025032: Dec 28 15:23:26 AEDT:     ICMP type=8, code=0

025033: Dec 28 15:23:26 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, output feature

025034: Dec 28 15:23:26 AEDT:     ICMP type=8, code=0, Post-Ingress-NetFlow(62), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025035: Dec 28 15:23:26 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, output feature

025036: Dec 28 15:23:26 AEDT:     ICMP type=8, code=0, Post-Input-Flexible-NetFlow(73), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025037: Dec 28 15:23:26 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, sending full packet

025038: Dec 28 15:23:26 AEDT:     ICMP type=8, code=0

025040: Dec 28 15:23:27 AEDT:  IP: s=a.b.c.253, d=224.0.0.2, pak 2A16FD60 consumed in input feature , packet consumed, MCI Check(73), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE.

025041: Dec 28 15:23:28 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254, len 100, local feature

025042: Dec 28 15:23:28 AEDT:     ICMP type=8, code=0, Policy Routing(3), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025043: Dec 28 15:23:28 AEDT: FIBipv4-packet-proc: route packet from (local) src a.b.c.252 dst a.b.c.254

025044: Dec 28 15:23:28 AEDT: FIBfwd-proc: packet routed by adj to Vlan1 a.b.c.254

025045: Dec 28 15:23:28 AEDT: FIBipv4-packet-proc: packet routing succeeded

025046: Dec 28 15:23:28 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, sending

025047: Dec 28 15:23:28 AEDT:     ICMP type=8, code=0

025048: Dec 28 15:23:28 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, output feature

025049: Dec 28 15:23:28 AEDT:     ICMP type=8, code=0, Post-Ingress-NetFlow(62), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025050: Dec 28 15:23:28 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, output feature

025051: Dec 28 15:23:28 AEDT:     ICMP type=8, code=0, Post-Input-Flexible-NetFlow(73), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025052: Dec 28 15:23:28 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, sending full packet

025053: Dec 28 15:23:28 AEDT:     ICMP type=8, code=0.

025054: Dec 28 15:23:30 AEDT:  IP: s=a.b.c.253, d=224.0.0.2, pak 2A866DF8 consumed in input feature , packet consumed, MCI Check(73), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025055: Dec 28 15:23:30 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254, len 100, local feature

025056: Dec 28 15:23:30 AEDT:     ICMP type=8, code=0, Policy Routing(3), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025057: Dec 28 15:23:30 AEDT: FIBipv4-packet-proc: route packet from (local) src a.b.c.252 dst a.b.c.254

025058: Dec 28 15:23:30 AEDT: FIBfwd-proc: packet routed by adj to Vlan1 a.b.c.254

025059: Dec 28 15:23:30 AEDT: FIBipv4-packet-proc: packet routing succeeded

seems to be working (sending packets from the sec, will try from the pri)

i don't see it turn on up the pri, i tried pinging the real address .253 and it showed up...

New Member

Problems with 2901 hsrvp

A.  yes there is a implicit deny, as we are only interested in seeing the ICMP debug, and we dont need to apply it on any interface, as we are not filtering any incoming or outgoing traffic, but the debug output only.

New Member

Problems with 2901 hsrvp

Hi ,

issue the command Clear mac-address table dynamic and check it once.

With Rgds,

M Satish Kumar

New Member

Re: Problems with 2901 hsrvp

clear max didn't fix anything but it got me looking at the arp table as well.

standby#sh arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  a.b.c.1           210   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.2            29   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.4           192   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.7           126   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.9           167   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.10          155   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.12          112   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.13          171   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.15          174   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.99           50   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.127          33   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.129         193   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.199          38   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.250          18   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.251          35   d0d0.fd99.079b  ARPA   Vlan1

Internet  a.b.c.252           -   c471.fe78.4923  ARPA   Vlan1

Internet  a.b.c.253           0   588d.09bb.9b5b  ARPA   Vlan1

Internet  a.b.c.254          60   0000.0c07.ac00  ARPA   Vlan1

standby#show mac-address-table

EHWIC Slot: 0

Destination Address     Address Type    VLAN    Destination Port

-------------------     ------------    ----    -----------------

c471.fe78.4923          Self               1    Vlan1

d0d0.fd5b.c5bd          Dynamic            1    GigabitEthernet0/0/0

d0d0.fd99.079b          Dynamic            1    GigabitEthernet0/0/3

0000.0c07.ac00          Dynamic            1    GigabitEthernet0/0/0

588d.09bb.9b5b          Dynamic            1    GigabitEthernet0/0/0

d0d0.fd94.c628          Dynamic            1    GigabitEthernet0/0/0

standby#sh vlan-switch

VLAN Name                             Status    Ports

---- -------------------------------- --------- -------------------------------

1    default                          active    Gi0/0/0, Gi0/0/2, Gi0/0/3

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

1    enet  100001     1500  -      -      -        -    -        1002   1003

so gi0/0/0 is direct attach cable to primary router

so gi0/0/3 is attached to the sw (stacked switch this to one the other router to the other switch)

so gi0/0/2 not connected

it looks all okay...

EDIT -> all this is from the standby router

Bronze

Problems with 2901 hsrvp

I think you should check the authentication as well and maybe have a delay timer configured with preempt command

Hope it helps

Eugen

New Member

Problems with 2901 hsrvp

Hi

Pretty sure authentication is okay, they heartbeats seem to be working and not timing out. also for the brief period I had one authenticated and one not authenticated I received errors in my syslog, which went away once I reconfigured the second interface.

as for the delay time

not sure what it is nor how it will help me ping the vip from the standby router

Bronze

Problems with 2901 hsrvp

The delay time is for the primary to know how long to wait to become primary again, usually is greater than default to give enough time for routing protocol to converge (bgp takes a bit longer than ospf or eigrp).

I am thinking that you should change priority on the secondary to become primary for a while,this will associate mac address of secondary with VIP, because at the moment the primary doesn't know where to send the ping replies. The secondary MAC address is associated with IP address of interface but not with VIP in the primary MAC table.

Other option is to create a static mapping on the primary for secondary MAC and VIP.

I hope this helps

Eugen

Bronze

Problems with 2901 hsrvp

add on to previous message...

this is entry for secondary on your primary

Internet  a.b.c.252           -   c471.fe78.4923  ARPA   Vlan1

The primary needs to have an entry for the

c471.fe78.4923 to be associated with a.b.c.254 as well

If you make secondary primary for a while then primary will learn and asociated the MAC with VIP as well

New Member

Re: Problems with 2901 hsrvp

Okay I am lost on what you are trying to say is the problem and what the potential fix might be.

if i ignore the standby router, I can ping .254 from other devices, for ex the firewall and from the internet (as long as its not routed over the standby router).

I can ping from the primary to the standby using the fixed addresses (.253, .252)  and vis versa, what I can't do is ping from the standby to the VIP (which is on the primary).

I did a packet debug which showed that the packet was actually leavin the router on the right interface (I believe)

New Member

Re: Problems with 2901 hsrvp

>>The delay time is for the primary to know how long to wait to become primary again, usually is greater than default to give enough time for routing protocol >>to converge (bgp takes a bit longer than ospf or eigrp).

okay I will have to look at this once I have solved this problem.

>>I am thinking that you should change priority on the secondary to become primary for a while,this will associate mac address of secondary with VIP, >>because at the moment the primary doesn't know where to send the ping replies. The secondary MAC address is associated with IP address of interface >>but not with VIP in the primary MAC table.

??? I didn't actually show the mac table on the primary router.  but  why it think this is not the case is

primary                                    standby

a.b.c.253                              a.b.c.252

from

a.b.c.253 i can ping a.b.c.252

a.b.c.252 i can ping a.b.c.253

a.b.c.253 i can ping a.b.c.254

I can't ping a.b.c.254 from a.b.c.252

so from this I can presume that primary can ping standby.

as this is production stuff I don't want to push over VIP.

This is actually all part of testing the redundancy and to see if it works as advertised so currently I don't have faith in it actually working . I see not reason for it not to but I don't see any reason for it not to be able to ping 254 from 252 either

>>Other option is to create a static mapping on the primary for secondary MAC and VIP.

I don't get this, why would I want to hard code routing for a floating VIP ?  and what would it do when the VIP exist on the local router ?

Alex

Bronze

Re: Problems with 2901 hsrvp

The static mapping is just to verify that there is redundancy and you will be able to test pings from secondary.

If it is a live environment, i guess you should test it when there is not much traffic. The only thing you should change is the priority value on secondary, wait until it becomes primary, ping the VIP from both and if all is good, just change the priority back to previous values.

Eugen

New Member

Re: Problems with 2901 hsrvp

Dear Alex ,

how is the connectivity of switches..Can you provide us network diagram..

With rgds,

Satish

New Member

Re: Problems with 2901 hsrvp

Does that help

The standby config is configured on vlan1, which gi0/0/ gi0/0/3 are members of

New Member

Re: Problems with 2901 hsrvp

Hi ,

Can you provide us config of interfaces which are conncted to switches back to back.

Have you configured ether channel for connecting switches ?

With Rgds,

Satish

New Member

Re: Problems with 2901 hsrvp

primary

interface GigabitEthernet0/0/0

description connect standby

interface GigabitEthernet0/0/3

description connect asa

interface Vlan1

ip address a.b.c.253 255.255.255.0

standby 0 ip a.b.c..254

standby 0 priority 105

standby 0 preempt

standby 0 authentication md5 key-string 7 something

standby 0 name internet

standby

interface GigabitEthernet0/0/0

description connect primary

!        

!        

interface GigabitEthernet0/0/3

description connect asa5000

interface Vlan1

description to firewall

ip address a.b.c.252 mask

standby 0 ip a.b.c.254

standby 0 preempt

standby 0 authentication md5 key-string 7 THISISSOMETHIG

standby 0 name internet

Alex

New Member

Re: Problems with 2901 hsrvp

Switch1G0/0/0 ---- G0/0/0 Switch2 Am i right...

Is it trunk port ? if it is trunk port which vlan's are allowed..

New Member

Re: Problems with 2901 hsrvp

This is a cisco asa 5000 firewall appliance... i don't believe its trunk.. but only vlan1

New Member

Re: Problems with 2901 hsrvp

Hi Alex ,

How is the connectivity between switches ?

New Member

Re: Problems with 2901 hsrvp

?? sorry I don't think I understand ??

The 2  2901's connect by cable to each other and by cable to 2 asa5000 firewall applainces which are in a active/passive stack/cluster..

Bronze

Re: Problems with 2901 hsrvp

Does the 2901 routers have switching module installed, or you use the default LAN interfaces to connect between routers?

1329
Views
2
Helpful
39
Replies
CreatePlease login to create content