cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
608
Views
0
Helpful
3
Replies

891 HSRP not failing Over

jlwomeld
Beginner
Beginner

I have 2 891's both with VPN tunnels up, when I pull the primary 891's WAN int G0 it looks like it tries to fail over attached is the configuration of router-1 also is the message I am getting when it try to failover.

 

router 1


service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rochester-RT1-891
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5 
!
aaa new-model
!
!
aaa group server radius RADIUS-GRP
 server 172.16.x.x auth-port 1645 acct-port 1646
!aaa authentication login vtylogin group RADIUS-GRP local
!
!
!
!
!
aaa session-id common
!
!
!
!

ip source-route
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name dunbararm.net
ip name-server 172.16.x.x
ip name-server 172.16.x.x
login block-for 1 attempts 5 within 60
login delay 1
login on-failure log
login on-success log
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn 
!
!

username netsupport password 7 
!
ip ssh authentication-retries 2
ip ssh version 2
rack 1 interface GigabitEthernet0 line-protocol

!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key R%TGB&UJ address 38.x.x.x
!
!
crypto ipsec transform-set BO-AES esp-aes 256 esp-sha-hmac 
!
crypto map BRO-MAP 10 ipsec-isakmp 
 set peer 38.x.x.x
 set transform-set BO-AES 
 set pfs group1
 match address 101
!
!
!
!
!
interface FastEthernet0
no snmp trap link-status
 spanning-tree portfast
 !
!
interface FastEthernet1
 !
!
interface FastEthernet2
 !
!
interface FastEthernet3
 !
!
interface FastEthernet4
 !
!
interface FastEthernet5
 !
!
interface FastEthernet6
 !
!
interface FastEthernet7

!
interface FastEthernet8
 ip address 172.16.x.x 255.255.255.0
 duplex auto
 speed auto
 standby 0 ip 172.16.x.x
 standby 0 priority 110
 standby 0 preempt
 standby 0 track 1 decrement 10
 !
!
interface GigabitEthernet0
 description TWC BB
 ip address 108.x.x.x 255.255.255.0
 duplex auto
 speed auto
 arp timeout 300
 crypto map BRO-MAP
 !
!
interface Vlan1
 description Inside Managment 
 no ip address
 ip tcp adjust-mss 1452
 arp timeout 300
 !
!
interface Async1
 no ip address
 encapsulation slip
 !
!
ip default-gateway 172.16.x.x
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 108.x.x.x
ip route 172.16.x.x 255.255.255.0 172.16.x.x
!
!
logging facility syslog
logging 172.16.110.21
access-list 99 permit 172.16.x.x 0.0.0.255
access-list 101 permit ip 172.16.x.x 0.0.0.255 any
access-list 101 permit ip 172.16.x.x 0.0.255.255 any
access-list 101 permit icmp any any
no cdp run

!
!
!
!
snmp-server community xxxx RO 25
snmp-server community xxxx RW 25
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server host 172.16.xx trap@me 
snmp-server host 172.16.xx trap@me 
!
radius-server host 172.16.x.x auth-port 1645 acct-port 1646 key 7 
radius-server host 172.16.x.x auth-port 1645 acct-port 1646 key 7 
radius-server deadtime 2

control-plane
 !
!
banner login ^CCC
**********************************************************************
*  Access to this device is restricted to authorized personnel only  *
*  If you do not have proper authorization disconnect immediately    *
**********************************************************************
^C
banner motd ^CCC
**********************************************************************
*  Access to this device is restricted to authorized personnel only  *
*  If you do not have proper authorization disconnect immediately    *
**********************************************************************
^C
!
line con 0
 exec-timeout 0 0
 password 7 xxxx
line 1
 modem InOut
 stopbits 1
 --More--          speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 login authentication vtylogin
 transport preferred ssh
 transport input ssh
line vty 5 15
 login authentication vtylogin
 transport input ssh
!
scheduler max-task-time 5000
end

error on router 2 when failover

 

 

 

Aug 25 21:11:55.626: HSRP: Fa8 Grp 0 Hello  out 172.16.150.253 Active  pri 105 vIP 172.16.150.254
*Aug 25 21:11:58.318: HSRP: Fa8 Grp 0 Hello  out 172.16.150.253 Active  pri 105 vIP 172.16.150.254
*Aug 25 21:11:59.150: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.16.1.42:1645,1646 is not responding.
*Aug 25 21:11:59.150: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.16.1.42:1645,1646 is being marked alive.
*Aug 25 21:12:00.818: HSRP: Fa8 Grp 0 Hello  out 172.16.150.253 Active  pri 105 vIP 172.16.150.254
*Aug 25 21:12:01.050: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 61.153.144.5] [localport: 22] [Reason: Login Authentication Failed] at 21:12:01 UTC Tue Aug 25 2015
*Aug 25 21:12:03.250: HSRP: Fa8 Grp 0 Hello  out 172.16.150.253 Active  pri 105 vIP 172.16.150.254
*Aug 25 21:12:05.826: HSRP: Fa8 Grp 0 Hello  out 172.16.150.253 Active  pri 105 vIP 172.16.150.254
*Aug 25 21:12:08.602: HSRP: Fa8 Grp 0 Hello  out 172.16.150.253 Active  pri 105 vIP 172.16.150.254
*Aug 25 21:12:09.410: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 61.153.144.5] [localport: 22] [Reason: Login Authentication Failed] at 21:12:09 UTC Tue Aug 25 2015
*Aug 25 21:12:11.338: HSRP: Fa8 Grp 0 Hello  out 172.16.150.253 Active  pri 105 vIP 172.16.150.254
*Aug 25 21:12:13.834: HSRP: Fa8 Grp 0 Hello  out 172.16.150.253 Active  pri 105 vIP 172.16.150.254
*Aug 25 21:12:16.478: HSRP: Fa8 Grp 0 Hello  out 172.16.150.253 Active  pri 105 vIP 172.16.150.254
*Aug 25 21:12:17.634: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.16.1.43:1645,1646 is not responding.
*Aug 25 21:12:17.638: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.16.1.43:1645,1646 is being marked alive.
Rochester-RT2-891#sh standby all
FastEthernet8 - Group 0
  State is Active
    17 state changes, last state change 01:10:42
  Virtual IP address is 172.16.150.254
  Active virtual MAC address is 0000.0c07.ac00
    Local virtual MAC address is 0000.0c07.ac00 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.400 secs
  Preemption enabled, delay min 5 secs
  Active router is local
  Standby router is unknown
  Priority 105 (configured 105)
    Track interface GigabitEthernet0 state Up decrement 10
  Group name is "hsrp-Fa8-0" (default)

interface FastEthernet8
 ip address 172.16.150.253 255.255.255.0
 no ip redirects
 no ip unreachables
 duplex auto
 speed auto
 standby 0 ip 172.16.150.254
 standby 0 priority 105
 standby 0 preempt delay minimum 5
 standby 0 track 1 decrement 10
 !
end

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

3 REPLIES 3

John Blakley
Advisor
Advisor

I don't see the other side, so I'm making assumptions here. The problem seems to be this. The default priority is 100 for hsrp. The interface that's doing the tracking is configured for 110 priority, but you're only decrementing by 10. If you change the decrement to 20, I have a feeling that you'll fail over correctly.

interface FastEthernet8
 ip address 172.16.x.x 255.255.255.0
 duplex auto
 speed auto
 standby 0 ip 172.16.x.x
 standby 0 priority 110
 standby 0 preempt
 standby 0 track 1 decrement 20

 

** Just to add if your priority on the other router is 105, the above decrement at 10 should work fine....

HTH,

John

HTH, John *** Please rate all useful posts ***

He has posted R2 config at the bottom and the HSRP priority is 105 so the priority numbers are not the problem.

Mark's comments are correct - the two routers can't see each other so they both assume they are the HSRP master. When you pull the G0/0 interface on R1 then R2 does nothing as it receives no notification and continues assuming it is the HSRP master. 

We would need to understand the link between these two routers on the LAN side to understand why they can't see each other - in my experience it is usually a VLAN issue or HSRP group number mismatch (though this looks OK here as they are both in group 0)

Mark Malone
Mentor
Mentor

Your standby router is unknown so it wont failover ---Standby router is unknown

It should be something like this ---Standby router is 172.21.237.253, priority 105 (expires in 8.188 sec)
 

There is an underlying issue here whether its not cabled correctly or your blocking hsrp multicast on an acl and it cant communicate with far side to form hsrp relationship, check cabling , stp and check your vtp is the same between devices and acls are not blocking

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: