09-28-2006 08:26 AM - edited 03-03-2019 05:17 AM
Hi,
Find the configuration and output below for 3 different switches running HSRP. The 6509 main/standby are on the same chassis; the 3750 is connected to the 6509 residing on a different floor, running HSRP. I have configured several VLANs, and the configuration and output are the same for all the other VLANs, I mean it is perfect, but no access-list is configured for the rest of the VLANs. An access-list has been set only for VLAN 200, to deny packets only for VLAN 201, and even for VLAN 201 the output is perfect. But when I issue the commands on VLAN 200, I can see in all 3 outputs from the different switches that they say they are ACTIVE, which is not normal behaviour, because based on the priority only 1 will be the MAIN, another will be the STANDBY and the other will be in LISTEN, but here I am not getting those things. Any help or suggestions would be appreciated. As of now I am not facing any problems, but I wanted to know why this behaviour is happening. Even the standby router shows "unknown".
Cisco3750-Standby#sh run int vl 200
Building configuration...
Current configuration : 267 bytes
!
interface Vlan200
description ***PCR NETWORK***
ip address 192.168.2.251 255.255.255.0
ip access-group 102 in
ip access-group 104 out
ip pim sparse-mode
standby 200 ip 192.168.2.252
standby 200 timers 5 15
standby 200 priority 108
standby 200 preempt
end
Cisco3750-Standby#sh standby vl 200
Vlan200 - Group 200
State is Active
2 state changes, last state change 20w6d
Virtual IP address is 192.168.2.252
Active virtual MAC address is 0000.0c07.acc8
Local virtual MAC address is 0000.0c07.acc8 (v1 default)
Hello time 5 sec, hold time 15 sec
Next hello sent in 1.267 secs
Preemption enabled
Active router is local
Standby router is unknown
Priority 108 (configured 108)
IP redundancy name is "hsrp-Vl200-200" (default)
Cat6509-L3-Main#sh run int vl 200
Building configuration...
Current configuration : 295 bytes
!
interface Vlan200
description ***PCR Network***
ip address 192.168.2.254 255.255.255.0
ip access-group 102 in
ip access-group 104 out
no ip redirects
ip pim sparse-mode
mls rp ip
standby 200 ip 192.168.2.252
standby 200 timers 5 15
standby 200 priority 109
standby 200 preempt
end
Cat6509-L3-Main#sh standby vl 200
Vlan200 - Group 200
Local state is Active, priority 109, may preempt
Hellotime 5 sec, holdtime 15 sec
Next hello sent in 0.762
Virtual IP address is 192.168.2.252 configured
Active router is local
Standby router is unknown
Virtual mac address is 0000.0c07.acc8
26 state changes, last state change 24w3d
IP redundancy name is "hsrp-Vl200-200" (default)
Cat6509-L3-Standby#sh run int vl 200
Building configuration...
Current configuration : 295 bytes
!
interface Vlan200
description ***PCR Network***
ip address 192.168.2.253 255.255.255.0
ip access-group 102 in
ip access-group 104 out
no ip redirects
ip pim sparse-mode
mls rp ip
standby 200 ip 192.168.2.252
standby 200 timers 5 15
standby 200 priority 110
standby 200 preempt
end
Cat6509-L3-Standby#sh standby vlan 200
Vlan200 - Group 200
Local state is Active, priority 110, may preempt
Hellotime 5 sec, holdtime 15 sec
Next hello sent in 4.454
Virtual IP address is 192.168.2.252 configured
Active router is local
Standby router is unknown
Virtual mac address is 0000.0c07.acc8
4 state changes, last state change 41w6d
IP redundancy name is "hsrp-Vl200-200" (default)
09-28-2006 08:47 AM
Can you remove the ACL on the interfaces and test again?
Can you run a debug against HSRP with
#debug standby errors
#debug standby events
09-28-2006 08:49 AM
Hi,
You should check the connectivity between the HSRP peers as the output shows that both the peers have the standby router status as unknown.
Are both physical addresses reachable from each other? Also try removing the access-list from the VLAN interface and issuing the command, which will eliminate any access-list issues.
HTH
Please rate useful posts
Narayan
09-28-2006 09:13 AM
Hi,
I just keep getting these messages in "show logging" when I do that debugging:
Also, the IP addresses of the physical interfaces are reachable.
But I wanted to have the access-list command present on the interface for security reasons. Will it cause this just because of that?
004348: 20w6d: HSRP: Vl2 API active virtual address 10.2.1.20 not found
004349: 20w6d: HSRP: Vl2 API active virtual address 10.2.1.85 not found
004350: 20w6d: HSRP: Vl2 API active virtual address 10.2.1.31 not found
004351: 20w6d: HSRP: Vl2 API active virtual address 10.2.1.252 not found
004352: 20w6d: HSRP: Vl199 API active virtual address 192.168.3.19 not found
004353: 20w6d: HSRP: Vl199 API active virtual address 192.168.3.19 not found
004354: 20w6d: HSRP: Vl199 API active virtual address 192.168.3.17 not found
004355: 20w6d: HSRP: Vl199 API active virtual address 192.168.3.17 not found
004356: 20w6d: HSRP: Vl192 API active virtual address 10.192.1.20 not found
004357: 20w6d: HSRP: Vl200 API active virtual address 192.168.2.252 found
004358: 20w6d: HSRP: Vl200 API active virtual address 192.168.2.252 found
004359: 20w6d: HSRP: Vl195 API active virtual address 10.195.1.16 not found
004360: 20w6d: HSRP: Vl195 API active virtual address 10.195.1.4 not found
004361: 20w6d: HSRP: Vl2 API active virtual address 10.2.1.36 not found
004362: 20w6d: HSRP: Vl2 API active virtual address 10.2.1.252 not found
004363: 20w6d: HSRP: Vl2 API active virtual address 10.2.1.31 not found
004364: 20w6d: HSRP: Vl2 API active virtual address 10.2.1.252 not found
004365: 20w6d: HSRP: Vl186 API active virtual address 10.186.1.24 not found
09-28-2006 10:00 AM
Let's see your ACL 102 and 104
09-28-2006 10:37 PM
Hi Edison,
This is my access-list for 102 & 104:
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 104 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 permit ip 10.2.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Here I just permitted VLAN 199, which means the other VLANs are not permitted, e.g. VLAN 201 is not permitted.
09-28-2006 11:49 PM
Could you please try to remove the first line of each ACL? However, the ACL looks fine. Can you ping from one switch to the other switch via the LAN? What is the physical connection / media between the two switches (trunk or another switch)?
If the two switches can ping each other, there should be no problem. Just try removing the ip access-group in / out for a test. If it works, fine-tune the ACL as suggested and test again.
Hope this helps.
09-29-2006 12:31 AM
Hi Jack,
Actually, I felt the same as Edison said in his posting. Since I can't do that in the live network, I also made a test setup between two 3750s; it worked fine, but only after entering the ACL commands did the behaviour change. So does it mean that HSRP behaviour will change if the ACL is applied on the particular interface, like what I am facing right now?
09-29-2006 05:39 AM
It looks like the ACL will block the HSRP hello between the two routers, so I suggested modifying it. I understand you may not be able to change it in the live network, but it is worth testing by arranging a maintenance window.
Or try to test the ACL with my suggestion, i.e. without the first line, in your 3750 lab test to verify which ACL causes the problem, then simply apply the fix to the live network in a maintenance window.
Hope this helps.
09-29-2006 05:40 AM
Hi Anand,
This may sound a bit crazy, but can you try adding the following entries to your access-lists:
access-list 102 permit ip 192.168.2.0 0.0.0.255 host 224.0.0.2
access-list 104 permit ip 192.168.2.0 0.0.0.255 host 224.0.0.2
This is the multicast address the HSRP packets are sent to, and the switches use their own address as the source. This could be getting blocked by your access-list.
Just give it a try.
HTH
Please rate useful posts
Narayan
09-29-2006 05:44 AM
Hey anand,
Just got this from the Cisco site. Maybe this is the problem you are facing.
Q. HSRP stops working when an Access Control List (ACL) is applied. How can I permit HSRP through an ACL?
A. HSRP hello packets are sent to multicast address 224.0.0.2 using UDP port 1985. Whenever an ACL is applied to an HSRP interface, ensure that packets destined to 224.0.0.2 on UDP port 1985 are permitted.
HTH
Please rate useful posts
Narayan
09-29-2006 06:34 AM
Hi Subramani,
I can accept that HSRP works on UDP, so before testing it live, I will make a lab test with my two 3750s. So I will rate your post now.
You have specified the access-list as
access-list 102 permit ip 192.168.2.0 0.0.0.255 host 224.0.0.2
access-list 104 permit ip 192.168.2.0 0.0.0.255 host 224.0.0.2
but I think it should be reversed in 104, like this, isn't it?
access-list 104 permit ip host 224.0.0.2 192.168.2.0 0.0.0.255
09-30-2006 02:24 AM
Hi Subramani,
Thanks a lot, it worked fine with my live switch. Also I would like to thank Edison in this regard.
I issued
access-list 102 permit ip 192.168.2.0 0.0.0.255 host 224.0.0.2
access-list 104 permit ip host 224.0.0.2 192.168.2.0 0.0.0.255
It worked fine.
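To make the thread's diagnosis concrete, here is an added example (not code from the thread or from Cisco): a small evaluator of Cisco standard wildcard-mask ACL entries that checks whether an HSRP hello (destination 224.0.0.2, UDP 1985, as the Cisco Q&A states) arriving on Vlan200 from the peer router passes ACL 102 inbound. It compares the original ACL 102, the "permit ip ... host 224.0.0.2" fix, and a tighter variant that permits only UDP 1985 to the all-routers group. The packet and the tighter ACL line are constructed for this example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Packet description: (protocol, src, dst, dst_port)
Packet = Tuple[str, str, str, Optional[int]]

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) & 0xFFFFFFFF == (b & ~w) & 0xFFFFFFFF

def parse_addr(tokens: List[str], i: int):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard, next index)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2

def parse_ace(line: str) -> dict:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    src, swc, i = parse_addr(t, 4)
    dst, dwc, i = parse_addr(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"action": t[2], "proto": t[3], "src": (src, swc), "dst": (dst, dwc), "port": port}

def acl_permits(acl_lines: List[str], pkt: Packet) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    proto, src, dst, dport = pkt
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src, *ace["src"]) or not wildcard_match(dst, *ace["dst"]):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"] == "permit"
    return False

# Constructed: HSRP hello from the 6509 standby peer, evaluated by 'ip access-group 102 in'.
HSRP_HELLO_IN: Packet = ("udp", "192.168.2.253", "224.0.0.2", 1985)

ACL_102_ORIGINAL = [
    "access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 102 permit ip 192.168.2.0 0.0.0.255 10.2.1.0 0.0.0.255",
]
ACL_102_FIXED = ACL_102_ORIGINAL + ["access-list 102 permit ip 192.168.2.0 0.0.0.255 host 224.0.0.2"]
# Constructed tighter variant: only HSRP (UDP 1985) to 224.0.0.2, nothing else to that group.
ACL_102_TIGHT = ACL_102_ORIGINAL + ["access-list 102 permit udp 192.168.2.0 0.0.0.255 host 224.0.0.2 eq 1985"]
```

Running `acl_permits(ACL_102_ORIGINAL, HSRP_HELLO_IN)` returns False (the hello falls through to the implicit deny, so each router never hears its peer and declares itself Active), while both the fixed and the tight ACL return True.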
09-30-2006 05:11 AM
Anand,
Good to hear that it solved the case.
Can you change the status to resolved, as it will help others.
Narayan
09-30-2006 05:51 AM
Sure Subramani,
This is the 3rd standby:
Vlan200 - Group 200
State is Listen
3 state changes, last state change 03:57:26
Virtual IP address is 192.168.2.252
Active virtual MAC address is 0000.0c07.acc8
Local virtual MAC address is 0000.0c07.acc8 (v1 default)
Hello time 5 sec, hold time 15 sec
Preemption enabled
Active router is 192.168.2.253, priority 110 (expires in 14.010 sec)
Standby router is 192.168.2.254, priority 109 (expires in 13.146 sec)
Priority 108 (configured 108)
IP redundancy name is "hsrp-Vl200-200" (default)
This is the 1st switch:
Vlan200 - Group 200
Local state is Active, priority 110, may preempt
Hellotime 5 sec, holdtime 15 sec
Next hello sent in 2.670
Virtual IP address is 192.168.2.252 configured
Active router is local
Standby router is 192.168.2.254 expires in 12.220
Virtual mac address is 0000.0c07.acc8
4 state changes, last state change 42w1d
IP redundancy name is "hsrp-Vl200-200" (default)
This is the 2nd standby switch:
Vlan200 - Group 200
Local state is Standby, priority 109, may preempt
Hellotime 5 sec, holdtime 15 sec
Next hello sent in 3.306
Virtual IP address is 192.168.2.252 configured
Active router is 192.168.2.253, priority 110 expires in 14.320
Standby router is local
28 state changes, last state change 03:58:18
IP redundancy name is "hsrp-Vl200-200" (default)