Virtual mac not given in response to 'arp who-has' and other strange things

blakem
Level 1

Hi

I have 2 Cisco 871's with HSRP configured and working fine on the outside interfaces (FE4).

I've tried to set up HSRP on the internal VLAN (VL 1), but when the host tries to ping the virtual IP address, the 'arp who-has' requests aren't answered. I created a static arp entry on the host, and then tried to ping the address, but no replies.

I can ping the individual IP addresses assigned to each VL1, and there are no ACLs denying pings to the virtual IP address.

I have noticed that when I change from 'stand use-bia' to 'no stand use-bia' (and back again) on VL1 gratuitous arps are sent and pings are replied to - until I clear the host's arp cache.

It's all very confusing to me who's a newbie, especially as I've gone over my config more times than I'd care to admit, and still can't find any real differences between the HSRP on the VLAN, and the outside interface...

I checked the arp/ping packets using tcpdump for windows, and have included output. My IOS is (C870-ADVSECURITYK9-M) Ver. 12.3(8)YI1 (fc1), with tech version 12.3(10.3)T2.

The internal and external networks are physically separated, so same group virtual mac addresses shouldn't cause problems, although I've tried other groups with no better results.

Any help would be greatly appreciated as I have to get this working.

Here's my tcpdump output (to show I do kinda know what I'm doing)..

C:\>tcpdump -i 2 arp or icmp
tcpdump: listening on \Device\NPF_{F8EC8895-37DC-4295-A418-65E5E70D3691}
12:46:46.394739 arp who-has 172.16.200.4 tell SYNX306-1
12:46:47.894714 arp who-has 172.16.200.4 tell SYNX306-1
12:46:49.394758 arp who-has 172.16.200.4 tell SYNX306-1
12:46:50.894834 arp who-has 172.16.200.4 tell SYNX306-1
12:46:52.394757 arp who-has 172.16.200.4 tell SYNX306-1
5 packets captured
44 packets received by filter
0 packets dropped by kernel

C:\>tcpdump -i 2 arp or icmp
tcpdump: listening on \Device\NPF_{F8EC8895-37DC-4295-A418-65E5E70D3691}
12:47:25.780604 IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 64996
12:47:26.899401 IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 65252
12:47:28.399370 IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 65508
12:47:29.899379 IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 229
12:47:31.399405 IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 485
5 packets captured
26 packets received by filter
0 packets dropped by kernel

C:\>

And here's my 'show standby' on the active router:

8711#show standby
FastEthernet4 - Group 0 (version 2)
State is Standby
1 state change, last state change 00:10:28
Virtual IP address is 192.168.1.1
Active virtual MAC address is 0000.0c9f.f000
Local virtual MAC address is 0000.0c9f.f000 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.756 secs
Authentication text "none"
Preemption enabled
Active router is 192.168.254.249, priority 100 (expires in 8.928 sec)
Standby router is local
Priority 100 (default 100)
IP redundancy name is "synergy2" (cfgd)
Vlan1 - Group 0 (version 2)
State is Active
1 state change, last state change 00:10:32
Virtual IP address is 172.16.200.4
Active virtual MAC address is 0000.0c9f.f000
Local virtual MAC address is 0000.0c9f.f000 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.652 secs
Preemption enabled
Active router is local
Standby router is 172.16.200.3, priority 115 (expires in 7.568 sec)
Priority 120 (configured 120)
IP redundancy name is "hsrp-Vl1-0" (default)
8711#


Mark Turpin
Level 5

Just for testing, try removing ACL 100 from Vlan1 on both of your devices.

Let me know what happens.

Thanks,

Mark Turpin

--
-Mark Turpin

Hi Mark

Thanks for getting back to me. I've removed ACL 100 from VLAN1, but it makes no difference.

I have noticed some improvement, VLAN1 is sending arp replies correctly now. I'm not sure why it wasn't, but it is now (I've added 'ip gratuitous-arps' to my configs).

The virtual IP address responds to pings when I use 'stand use-bia', but not when I revert to 'no stand use-bia'.

Why would VLAN1 only reply to packets sent to the burned in mac address? Seems strange as the other HSRP interface (FE4) doesn't exhibit the same behaviour??

I've attached my current config, which is not much different except for the 'ip gratuitous-arps' and a secondary virtual ip address, and tcpdump while changing between 'stand use-bia' and 'no stand use-bia':

IP 172.16.200.4 > SYNX306-1: icmp 40: echo reply seq 54611
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 54867
IP 172.16.200.4 > SYNX306-1: icmp 40: echo reply seq 54867
arp reply 172.16.200.4 is-at 00:00:0c:9f:f0:01
arp reply 172.16.200.5 is-at 00:00:0c:9f:f0:01
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 55123
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 55379
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 55635
arp reply 172.16.200.4 is-at 00:00:0c:9f:f0:01
arp reply 172.16.200.5 is-at 00:00:0c:9f:f0:01
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 55891
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 56147

and back to 'stand use-bia' again:

IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 5716
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 5972
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 6228
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 6484
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 6740
arp reply 172.16.200.4 is-at 00:00:0c:9f:f0:01
arp reply 172.16.200.4 is-at 00:00:0c:9f:f0:01
arp reply 172.16.200.5 is-at 00:00:0c:9f:f0:01
arp reply 172.16.200.5 is-at 00:00:0c:9f:f0:01
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 6996
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 7252
arp reply 172.16.200.4 is-at 00:00:0c:9f:f0:01
arp reply 172.16.200.4 is-at 00:00:0c:9f:f0:01
arp reply 172.16.200.5 is-at 00:00:0c:9f:f0:01
arp reply 172.16.200.5 is-at 00:00:0c:9f:f0:01
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 7508
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 7764
arp reply 172.16.200.4 is-at 00:00:0c:9f:f0:01
arp reply 172.16.200.4 is-at 00:00:0c:9f:f0:01
arp reply 172.16.200.5 is-at 00:00:0c:9f:f0:01
arp reply 172.16.200.5 is-at 00:00:0c:9f:f0:01
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 8020
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 8276
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 8532
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 8788
arp reply 172.16.200.4 is-at 00:13:5f:68:86:84
arp reply 172.16.200.4 is-at 00:13:5f:68:86:84
arp reply 172.16.200.5 is-at 00:13:5f:68:86:84
arp reply 172.16.200.5 is-at 00:13:5f:68:86:84
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 9044
IP 172.16.200.4 > SYNX306-1: icmp 40: echo reply seq 9044
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 9300
IP 172.16.200.4 > SYNX306-1: icmp 40: echo reply seq 9300
arp reply 172.16.200.4 is-at 00:13:5f:68:86:84
arp reply 172.16.200.4 is-at 00:13:5f:68:86:84
arp reply 172.16.200.5 is-at 00:13:5f:68:86:84
arp reply 172.16.200.5 is-at 00:13:5f:68:86:84
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 9556
IP 172.16.200.4 > SYNX306-1: icmp 40: echo reply seq 9556
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 9812
IP 172.16.200.4 > SYNX306-1: icmp 40: echo reply seq 9812

Many thanks,

Michael
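Added example, not part of the original thread or of any poster's message: a Python sketch that reads tcpdump text in the format posted above, labels each MAC advertised for the virtual IP as an HSRP v1/v2 virtual MAC (with its group number) or some other address, and counts the echo requests and replies seen while each mapping was current. The function names and the sample capture are constructed for illustration, and it assumes the host uses the most recently seen ARP reply.

```python
import re

# Constructed sample in the same format as the tcpdump lines in the post above.
SAMPLE = """\
arp reply 172.16.200.4 is-at 00:00:0c:9f:f0:01
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 55123
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 55379
arp reply 172.16.200.4 is-at 00:13:5f:68:86:84
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 9044
IP 172.16.200.4 > SYNX306-1: icmp 40: echo reply seq 9044
IP SYNX306-1 > 172.16.200.4: icmp 40: echo request seq 9300
IP 172.16.200.4 > SYNX306-1: icmp 40: echo reply seq 9300
"""

ARP_RE = re.compile(r"arp reply (\S+) is-at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)
ICMP_RE = re.compile(r"IP (\S+) > (\S+?): icmp \d+: echo (request|reply) seq \d+")

def classify_mac(mac):
    """Return (kind, group): HSRP v1/v2 virtual MAC with group, or ("other", None)."""
    value = int(mac.replace(":", ""), 16)
    if value >> 12 == 0x00000C9FF:      # 0000.0c9f.fXXX: HSRPv2, group = low 12 bits
        return ("hsrp-v2", value & 0xFFF)
    if value >> 8 == 0x00000C07AC:      # 0000.0c07.acXX: HSRPv1, group = low 8 bits
        return ("hsrp-v1", value & 0xFF)
    return ("other", None)

def reply_rate_by_mac(text, vip):
    """Per MAC advertised for vip: echo requests/replies seen while it was current."""
    stats, current = {}, None
    for line in text.splitlines():
        arp = ARP_RE.search(line)
        if arp and arp.group(1) == vip:
            current = arp.group(2).lower()
            kind, group = classify_mac(current)
            stats.setdefault(current, {"kind": kind, "group": group, "requests": 0, "replies": 0})
            continue
        icmp = ICMP_RE.search(line)
        if not icmp or current is None:
            continue                    # ignore traffic before the first ARP reply
        src, dst, what = icmp.groups()
        if what == "request" and dst == vip:
            stats[current]["requests"] += 1
        elif what == "reply" and src == vip:
            stats[current]["replies"] += 1
    return stats

def unanswered_macs(stats):
    """MACs that received echo requests but never produced a reply."""
    return sorted(mac for mac, s in stats.items() if s["requests"] and not s["replies"])

if __name__ == "__main__":
    print(unanswered_macs(reply_rate_by_mac(SAMPLE, "172.16.200.4")))
```
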

I'm not all too familiar with the 871 series. But HSRP is pretty straight-forward.

You shouldn't have to use standby use-bia.

Can I ask you why you have a secondary configured inside your standby group? Is it necessary?

Your config looks good, can I get a show tech off both of your routers in this HSRP group?

--
-Mark Turpin

Hi Mark

I just configured the secondary just in case it would make a difference. I tried to ping it, but no response.

I've attached both show techs.

Many thanks,

Michael

Try this next, remove the secondary. The secondary option is supposed to be used when you have a corresponding secondary on the physical interface. Since Vlan1 only has one IP address configured, you don't need the other IP inside your HSRP group.

Let me know what happens after removing the secondary.

-Mark

--
-Mark Turpin

Oh sorry, you know I just figured it out. You're running into a "feature" of the old 2500/4500 series where a single standby group shares the MAC address. That's why it was working when you used the standby use-bia.

Check out:

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094afd.shtml

You're either going to have to create different groups on the interfaces, use the mac-address command (maybe), or configure use-bia.

One of those will fix you up. And I'd reevaluate that ACL 101. You will likely want to allow pings and whatnot to the default gateway...

-Mark

--
-Mark Turpin

Hi Mark

Thanks for your reply, but I have tried those things... At present I'm using the default group on FE4, and group 1 on VLAN1.

I configured a mac address for VLAN1, but that made no difference. The only thing that worked was using the 'standby use-bia' on VLAN1.

I haven't had a chance to read the whole of that link you sent me, but will do so tomorrow.. hopefully it'll give me some ideas, but I'm starting to think that possibly there's a bug with this version of the software on this router..

Regards,

Michael.

Yeah, exactly. The use-bia worked because it is one of the workarounds described in the document. Basically what's happening is the same MAC address is being used for both HSRP groups.

This is a bad feature, and use-bia works around it.

Looks like you have to keep use-bia! :)

-Mark

--
-Mark Turpin

Hi Mark

Cheers for the help, I don't know if I would have found that doc. I would probably have spent a lot more time trying to get it to work - just ending up annoyed!!

Regards,

Michael.