08-25-2015 02:16 PM - edited 03-05-2019 02:09 AM
I have two 891s, both with VPN tunnels up. When I pull the primary 891's WAN int G0, it looks like it tries to fail over. Attached is the configuration of router-1, and also the message I am getting when it tries to fail over.
router 1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rochester-RT1-891
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5
!
aaa new-model
!
!
aaa group server radius RADIUS-GRP
server 172.16.x.x auth-port 1645 acct-port 1646
!
aaa authentication login vtylogin group RADIUS-GRP local
!
!
!
!
!
aaa session-id common
!
!
!
!
ip source-route
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name dunbararm.net
ip name-server 172.16.x.x
ip name-server 172.16.x.x
login block-for 1 attempts 5 within 60
login delay 1
login on-failure log
login on-success log
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn
!
!
username netsupport password 7
!
ip ssh authentication-retries 2
ip ssh version 2
track 1 interface GigabitEthernet0 line-protocol
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key R%TGB&UJ address 38.x.x.x
!
!
crypto ipsec transform-set BO-AES esp-aes 256 esp-sha-hmac
!
crypto map BRO-MAP 10 ipsec-isakmp
set peer 38.x.x.x
set transform-set BO-AES
set pfs group1
match address 101
!
!
!
!
!
interface FastEthernet0
no snmp trap link-status
spanning-tree portfast
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
interface FastEthernet8
ip address 172.16.x.x 255.255.255.0
duplex auto
speed auto
standby 0 ip 172.16.x.x
standby 0 priority 110
standby 0 preempt
standby 0 track 1 decrement 10
!
!
interface GigabitEthernet0
description TWC BB
ip address 108.x.x.x 255.255.255.0
duplex auto
speed auto
arp timeout 300
crypto map BRO-MAP
!
!
interface Vlan1
description Inside Managment
no ip address
ip tcp adjust-mss 1452
arp timeout 300
!
!
interface Async1
no ip address
encapsulation slip
!
!
ip default-gateway 172.16.x.x
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 108.x.x.x
ip route 172.16.x.x 255.255.255.0 172.16.x.x
!
!
logging facility syslog
logging 172.16.110.21
access-list 99 permit 172.16.x.x 0.0.0.255
access-list 101 permit ip 172.16.x.x 0.0.0.255 any
access-list 101 permit ip 172.16.x.x 0.0.255.255 any
access-list 101 permit icmp any any
no cdp run
!
!
!
!
snmp-server community xxxx RO 25
snmp-server community xxxx RW 25
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server host 172.16.xx trap@me
snmp-server host 172.16.xx trap@me
!
radius-server host 172.16.x.x auth-port 1645 acct-port 1646 key 7
radius-server host 172.16.x.x auth-port 1645 acct-port 1646 key 7
radius-server deadtime 2
control-plane
!
!
banner login ^CCC
**********************************************************************
* Access to this device is restricted to authorized personnel only *
* If you do not have proper authorization disconnect immediately *
**********************************************************************
^C
banner motd ^CCC
**********************************************************************
* Access to this device is restricted to authorized personnel only *
* If you do not have proper authorization disconnect immediately *
**********************************************************************
^C
!
line con 0
exec-timeout 0 0
password 7 xxxx
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
login authentication vtylogin
transport preferred ssh
transport input ssh
line vty 5 15
login authentication vtylogin
transport input ssh
!
scheduler max-task-time 5000
end
error on router 2 when failover
Aug 25 21:11:55.626: HSRP: Fa8 Grp 0 Hello out 172.16.150.253 Active pri 105 vIP 172.16.150.254
*Aug 25 21:11:58.318: HSRP: Fa8 Grp 0 Hello out 172.16.150.253 Active pri 105 vIP 172.16.150.254
*Aug 25 21:11:59.150: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.16.1.42:1645,1646 is not responding.
*Aug 25 21:11:59.150: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.16.1.42:1645,1646 is being marked alive.
*Aug 25 21:12:00.818: HSRP: Fa8 Grp 0 Hello out 172.16.150.253 Active pri 105 vIP 172.16.150.254
*Aug 25 21:12:01.050: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 61.153.144.5] [localport: 22] [Reason: Login Authentication Failed] at 21:12:01 UTC Tue Aug 25 2015
*Aug 25 21:12:03.250: HSRP: Fa8 Grp 0 Hello out 172.16.150.253 Active pri 105 vIP 172.16.150.254
*Aug 25 21:12:05.826: HSRP: Fa8 Grp 0 Hello out 172.16.150.253 Active pri 105 vIP 172.16.150.254
*Aug 25 21:12:08.602: HSRP: Fa8 Grp 0 Hello out 172.16.150.253 Active pri 105 vIP 172.16.150.254
*Aug 25 21:12:09.410: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 61.153.144.5] [localport: 22] [Reason: Login Authentication Failed] at 21:12:09 UTC Tue Aug 25 2015
*Aug 25 21:12:11.338: HSRP: Fa8 Grp 0 Hello out 172.16.150.253 Active pri 105 vIP 172.16.150.254
*Aug 25 21:12:13.834: HSRP: Fa8 Grp 0 Hello out 172.16.150.253 Active pri 105 vIP 172.16.150.254
*Aug 25 21:12:16.478: HSRP: Fa8 Grp 0 Hello out 172.16.150.253 Active pri 105 vIP 172.16.150.254
*Aug 25 21:12:17.634: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.16.1.43:1645,1646 is not responding.
*Aug 25 21:12:17.638: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.16.1.43:1645,1646 is being marked alive.
Rochester-RT2-891#sh standby all
FastEthernet8 - Group 0
State is Active
17 state changes, last state change 01:10:42
Virtual IP address is 172.16.150.254
Active virtual MAC address is 0000.0c07.ac00
Local virtual MAC address is 0000.0c07.ac00 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.400 secs
Preemption enabled, delay min 5 secs
Active router is local
Standby router is unknown
Priority 105 (configured 105)
Track interface GigabitEthernet0 state Up decrement 10
Group name is "hsrp-Fa8-0" (default)
interface FastEthernet8
ip address 172.16.150.253 255.255.255.0
no ip redirects
no ip unreachables
duplex auto
speed auto
standby 0 ip 172.16.150.254
standby 0 priority 105
standby 0 preempt delay minimum 5
standby 0 track 1 decrement 10
!
end
08-25-2015 04:24 PM
I don't see the other side, so I'm making assumptions here. The problem seems to be this. The default priority is 100 for HSRP. The interface that's doing the tracking is configured for 110 priority, but you're only decrementing by 10. If you change the decrement to 20, I have a feeling that you'll fail over correctly.
interface FastEthernet8
ip address 172.16.x.x 255.255.255.0
duplex auto
speed auto
standby 0 ip 172.16.x.x
standby 0 priority 110
standby 0 preempt
standby 0 track 1 decrement 20
** Just to add if your priority on the other router is 105, the above decrement at 10 should work fine....
HTH,
John
08-27-2015 08:43 AM
He has posted R2 config at the bottom and the HSRP priority is 105 so the priority numbers are not the problem.
Mark's comments are correct - the two routers can't see each other so they both assume they are the HSRP master. When you pull the G0/0 interface on R1 then R2 does nothing as it receives no notification and continues assuming it is the HSRP master.
We would need to understand the link between these two routers on the LAN side to understand why they can't see each other - in my experience it is usually a VLAN issue or HSRP group number mismatch (though this looks OK here as they are both in group 0).
08-27-2015 08:11 AM
Your standby router is unknown, so it won't fail over --- Standby router is unknown
It should be something like this --- Standby router is 172.21.237.253, priority 105 (expires in 8.188 sec)
There is an underlying issue here, whether it's not cabled correctly or you're blocking HSRP multicast on an ACL and it can't communicate with the far side to form an HSRP relationship. Check cabling and STP, and check that your VTP is the same between devices and that ACLs are not blocking.
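Added example, not part of any post in this thread: a small Python check that applies the two points raised in the replies to `show standby` text, namely whether the router sees a peer at all and whether the tracked decrement drops the primary below the backup. The function names and the sample text are assumptions constructed for illustration; the priorities and decrement are the ones posted above.

```python
import re

# Constructed sample, shaped like the "sh standby all" output from router 2 in the thread.
R2_SHOW_STANDBY = """\
FastEthernet8 - Group 0
  State is Active
  Virtual IP address is 172.16.150.254
  Preemption enabled, delay min 5 secs
  Active router is local
  Standby router is unknown
  Priority 105 (configured 105)
  Track interface GigabitEthernet0 state Up decrement 10
"""

def parse_standby(text):
    """Pull the fields needed for a failover check out of 'show standby' text."""
    def grab(pattern, cast=str, default=None):
        m = re.search(pattern, text, re.M)
        return cast(m.group(1)) if m else default
    return {
        "state": grab(r"^\s*State is (\S+)"),
        "standby": grab(r"^\s*Standby router is ([^,\s]+)"),
        "priority": grab(r"\(configured (\d+)\)", int),
        "decrement": grab(r"decrement (\d+)", int, 0),
        "preempt": "Preemption enabled" in text,
    }

def failover_expected(primary_prio, primary_decrement, backup_prio, backup_preempt):
    """True when losing the tracked interface drops the primary strictly below
    the backup and the backup may preempt. Equal priorities are decided by
    interface IP address, which is not modelled here, so a tie returns False."""
    return backup_preempt and (primary_prio - primary_decrement) < backup_prio

def diagnose(backup, primary_prio, primary_decrement):
    """Return findings for the backup router's view of the HSRP group."""
    findings = []
    if backup["state"] == "Active" and backup["standby"] == "unknown":
        # Active with no known standby: this router hears no hellos from its peer.
        findings.append("no-peer")
    if not failover_expected(primary_prio, primary_decrement,
                             backup["priority"], backup["preempt"]):
        findings.append("priority-gap")
    return findings

if __name__ == "__main__":
    r2 = parse_standby(R2_SHOW_STANDBY)
    # Router 1 values from the posted config: priority 110, track decrement 10.
    print(diagnose(r2, primary_prio=110, primary_decrement=10))
```

With the posted values only `no-peer` is reported; a backup left at the default priority of 100 would also report `priority-gap` until the decrement is raised to 20.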