HSRP 5 Statechange.

PZu
Level 1

Hi there!

I know that there are already several threads on a similar topic, but I can't find a solution. For some time we have been observing problems with our routers:

 

192.168.18.252 483563: 483558: Mar 29 00:02:32.053 GMT: %HSRP-5-STATECHANGE: Vlan1 Grp 34 state Active -> Speak
192.168.18.252 483564: 483559: Mar 29 00:02:35.053 GMT: %HSRP-5-STATECHANGE: Vlan1 Grp 34 state Speak -> Standby
192.168.18.252 483565: 483560: Mar 29 00:02:38.053 GMT: %HSRP-5-STATECHANGE: Vlan1 Grp 34 state Standby -> Active
192.168.18.252 483566: 483561: Mar 29 00:02:44.053 GMT: %HSRP-5-STATECHANGE: Vlan1 Grp 34 state Active -> Speak
192.168.18.252 483567: 483562: Mar 29 00:02:47.053 GMT: %HSRP-5-STATECHANGE: Vlan1 Grp 34 state Speak -> Standby
192.168.18.252 483568: 483563: Mar 29 00:02:50.053 GMT: %HSRP-5-STATECHANGE: Vlan1 Grp 34 state Standby -> Active

 

Here is the configuration of both of them:

ROU01:

!interface GigabitEthernet0/0
interface Vlan1
description $FW_OUTSIDE$
ip address 10.59.19.246 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect pubinspect out
ip nat outside
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
standby version 2
standby 34 name net10.59.19.247
standby 34 ip 10.59.19.247
standby 34 timers 1 3
standby 34 priority 105
standby 34 preempt delay minimum 60
standby 34 authentication md5 key-string sec10.59.19.247

 

ROU02:

!interface GigabitEthernet0/0
interface Vlan1
description $FW_OUTSIDE$
ip address 10.59.19.245 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect pubinspect out
ip nat outside
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
standby version 2
standby 34 name net10.59.19.247
standby 34 ip 10.59.19.247
standby 34 timers 1 3
standby 34 preempt
standby 34 authentication md5 key-string sec10.59.19.247

 

Both routers are connected to L2 switches in subnet 10.59.19.XXX
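A way to quantify the flapping shown in the log lines above, as an added example that is not part of the original post: it parses `%HSRP-5-STATECHANGE` syslog lines and reports every group that left the Active state repeatedly inside a time window. The 60-second window, the threshold of 2 and the `year` argument (the log lines carry no year) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The six syslog lines from the post above.
SAMPLE = """\
192.168.18.252 483563: 483558: Mar 29 00:02:32.053 GMT: %HSRP-5-STATECHANGE: Vlan1 Grp 34 state Active -> Speak
192.168.18.252 483564: 483559: Mar 29 00:02:35.053 GMT: %HSRP-5-STATECHANGE: Vlan1 Grp 34 state Speak -> Standby
192.168.18.252 483565: 483560: Mar 29 00:02:38.053 GMT: %HSRP-5-STATECHANGE: Vlan1 Grp 34 state Standby -> Active
192.168.18.252 483566: 483561: Mar 29 00:02:44.053 GMT: %HSRP-5-STATECHANGE: Vlan1 Grp 34 state Active -> Speak
192.168.18.252 483567: 483562: Mar 29 00:02:47.053 GMT: %HSRP-5-STATECHANGE: Vlan1 Grp 34 state Speak -> Standby
192.168.18.252 483568: 483563: Mar 29 00:02:50.053 GMT: %HSRP-5-STATECHANGE: Vlan1 Grp 34 state Standby -> Active
"""

LINE_RE = re.compile(
    r"^(?P<host>\S+) .*?(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+) \S+: "
    r"%HSRP-5-STATECHANGE: (?P<intf>\S+) Grp (?P<grp>\d+) "
    r"state (?P<old>\w+) -> (?P<new>\w+)$"
)

def parse(text, year=2000):
    """Yield (host, intf, group, timestamp, old, new) per STATECHANGE line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            yield m["host"], m["intf"], int(m["grp"]), ts, m["old"], m["new"]

def find_flaps(events, window=timedelta(seconds=60), threshold=2):
    """Return {(host, intf, group): count} for groups that left Active
    at least `threshold` times inside any `window`."""
    losses = defaultdict(list)
    for host, intf, grp, ts, old, new in events:
        if old == "Active" and new != "Active":
            losses[(host, intf, grp)].append(ts)
    flapping = {}
    for key, times in losses.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flapping[key] = best
    return flapping
```

On the six lines above, the router gives up the Active role twice, 12 seconds apart, so group 34 on Vlan1 is reported.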

 


Giuseppe Larosa
Hall of Fame

Hello PZu,

Please provide the configuration of the applied ACL 101.

 

Also, the timers are aggressive (low); if you go back to the default values of 3 and 10 seconds, you may be able to solve this.

 

Check also stability of STP on L2 switch with

 

show spanning-tree vlan X detail

 

Look for topology changes.

 

Hope to help

Giuseppe

 

Hello Giuseppe,

Thanks for the advice and fast reply. I will check this solution after the weekend because I am working remotely now and don't have access to the company network.

 

Here is ACL 101:

access-list 101 permit tcp 10.59.128.32 0.0.0.31 host 10.59.19.1 eq 80

access-list 101 permit udp 10.59.128.32 0.0.0.31 host 10.59.19.1 eq 6142

access-list 101 permit tcp 10.59.128.32 0.0.0.31 host 10.59.19.1 eq 111

access-list 101 permit tcp 10.59.128.32 0.0.0.31 host 10.59.19.1 eq 135

access-list 101 permit tcp 10.59.128.32 0.0.0.31 host 10.59.19.1 range 15555 15559

access-list 101 permit tcp 10.59.128.32 0.0.0.31 host 10.59.19.1 eq 10014

access-list 101 permit tcp 10.59.128.32 0.0.0.31 host 10.59.19.1 eq 20125

access-list 101 permit tcp 10.59.128.32 0.0.0.31 host 10.59.19.1 range 50000 56000

access-list 101 permit tcp 10.59.128.32 0.0.0.31 host 10.59.19.2 eq 111

access-list 101 permit udp 10.59.128.32 0.0.0.31 host 10.59.19.2 eq 5093

access-list 101 permit tcp 10.59.128.32 0.0.0.31 host 10.59.19.6 eq 111

access-list 101 permit udp 10.59.128.32 0.0.0.31 host 10.59.19.6 eq 5093

access-list 101 permit tcp 10.59.128.64 0.0.0.31 host 10.59.19.1 eq 80

access-list 101 permit udp 10.59.128.64 0.0.0.31 host 10.59.19.1 eq 6142

access-list 101 permit tcp 10.59.128.64 0.0.0.31 host 10.59.19.1 eq 111

access-list 101 permit tcp 10.59.128.64 0.0.0.31 host 10.59.19.1 eq 135

access-list 101 permit tcp 10.59.128.64 0.0.0.31 host 10.59.19.1 range 15555 15559

access-list 101 permit tcp 10.59.128.64 0.0.0.31 host 10.59.19.1 eq 10014

access-list 101 permit tcp 10.59.128.64 0.0.0.31 host 10.59.19.1 eq 20125

access-list 101 permit tcp 10.59.128.64 0.0.0.31 host 10.59.19.1 range 50000 56000

access-list 101 permit tcp 10.59.128.64 0.0.0.31 host 10.59.19.2 eq 111

access-list 101 permit udp 10.59.128.64 0.0.0.31 host 10.59.19.2 eq 5093

access-list 101 permit tcp 10.59.128.64 0.0.0.31 host 10.59.19.6 eq 111

access-list 101 permit udp 10.59.128.64 0.0.0.31 host 10.59.19.6 eq 5093

access-list 101 permit tcp host 10.59.19.66 host 10.59.19.1 eq 80

access-list 101 permit udp host 10.59.19.66 host 10.59.19.1 eq 6142

access-list 101 permit tcp host 10.59.19.66 host 10.59.19.1 eq 111

access-list 101 permit tcp host 10.59.19.66 host 10.59.19.1 eq 135

access-list 101 permit tcp host 10.59.19.66 host 10.59.19.1 range 15555 15559

access-list 101 permit tcp host 10.59.19.66 host 10.59.19.1 eq 10014

access-list 101 permit tcp host 10.59.19.66 host 10.59.19.1 eq 20125

access-list 101 permit tcp host 10.59.19.66 host 10.59.19.1 range 50000 56000

access-list 101 permit tcp host 10.59.19.66 host 10.59.19.2 eq 111

access-list 101 permit udp host 10.59.19.66 host 10.59.19.2 eq 5093

access-list 101 permit tcp host 10.59.19.66 host 10.59.19.6 eq 111

access-list 101 permit udp host 10.59.19.66 host 10.59.19.6 eq 5093

access-list 101 permit tcp host 10.59.19.82 host 10.59.19.1 eq 80

access-list 101 permit udp host 10.59.19.82 host 10.59.19.1 eq 6142

access-list 101 permit tcp host 10.59.19.82 host 10.59.19.1 eq 111

access-list 101 permit tcp host 10.59.19.82 host 10.59.19.1 eq 135

access-list 101 permit tcp host 10.59.19.82 host 10.59.19.1 range 15555 15559

access-list 101 permit tcp host 10.59.19.82 host 10.59.19.1 eq 10014

access-list 101 permit tcp host 10.59.19.82 host 10.59.19.1 eq 20125

access-list 101 permit tcp host 10.59.19.82 host 10.59.19.1 range 50000 56000

access-list 101 permit tcp host 10.59.19.82 host 10.59.19.2 eq 111

access-list 101 permit udp host 10.59.19.82 host 10.59.19.2 eq 5093

access-list 101 permit tcp host 10.59.19.82 host 10.59.19.6 eq 111

access-list 101 permit udp host 10.59.19.82 host 10.59.19.6 eq 5093

access-list 101 permit tcp host 10.59.19.83 host 10.59.19.1 eq 80

access-list 101 permit udp host 10.59.19.83 host 10.59.19.1 eq 6142

access-list 101 permit tcp host 10.59.19.83 host 10.59.19.1 eq 111

access-list 101 permit tcp host 10.59.19.83 host 10.59.19.1 eq 135

access-list 101 permit tcp host 10.59.19.83 host 10.59.19.1 range 15555 15559

access-list 101 permit tcp host 10.59.19.83 host 10.59.19.1 eq 10014

access-list 101 permit tcp host 10.59.19.83 host 10.59.19.1 eq 20125

access-list 101 permit tcp host 10.59.19.83 host 10.59.19.1 range 50000 56000

access-list 101 permit tcp host 10.59.19.83 host 10.59.19.2 eq 111

access-list 101 permit udp host 10.59.19.83 host 10.59.19.2 eq 5093

access-list 101 permit tcp host 10.59.19.83 host 10.59.19.6 eq 111

access-list 101 permit udp host 10.59.19.83 host 10.59.19.6 eq 5093

access-list 101 permit tcp host 10.160.0.37 host 10.59.19.1 eq 445

access-list 101 permit udp host 10.160.0.37 host 10.59.19.1 eq 445

access-list 101 permit tcp host 10.160.0.37 host 10.59.19.1 range 135 140

access-list 101 permit udp host 10.160.0.37 host 10.59.19.1 range 135 140

access-list 101 permit tcp host 10.160.0.37 host 192.168.18.48 eq 445

access-list 101 permit udp host 10.160.0.37 host 192.168.18.48 eq 445

access-list 101 permit tcp host 10.160.0.37 host 192.168.18.48 range 135 140

access-list 101 permit udp host 10.160.0.37 host 192.168.18.48 range 135 140

access-list 101 permit tcp host 10.160.0.38 host 10.59.19.1 eq 445

access-list 101 permit udp host 10.160.0.38 host 10.59.19.1 eq 445

access-list 101 permit tcp host 10.160.0.38 host 10.59.19.1 range 135 140

access-list 101 permit udp host 10.160.0.38 host 10.59.19.1 range 135 140

access-list 101 permit tcp host 10.160.0.38 host 192.168.18.48 eq 445

access-list 101 permit udp host 10.160.0.38 host 192.168.18.48 eq 445

access-list 101 permit tcp host 10.160.0.38 host 192.168.18.48 range 135 140

access-list 101 permit udp host 10.160.0.38 host 192.168.18.48 range 135 140

access-list 101 permit tcp host 10.59.19.151 host 192.168.18.31 eq 135

access-list 101 permit tcp host 10.59.19.151 host 192.168.18.31 range 5100 5134

access-list 101 permit tcp host 10.59.19.151 host 192.168.18.33 eq 135

access-list 101 permit tcp host 10.59.19.151 host 192.168.18.33 range 5100 5134

access-list 101 permit tcp host 10.59.19.4 host 192.168.18.31 eq 135

access-list 101 permit tcp host 10.59.19.4 host 192.168.18.31 range 5100 5134

access-list 101 permit tcp host 10.59.19.4 host 192.168.18.33 eq 135

access-list 101 permit tcp host 10.59.19.4 host 192.168.18.33 range 5100 5134

access-list 101 permit tcp host 10.59.19.132 host 192.168.18.31 eq 135

access-list 101 permit tcp host 10.59.19.132 host 192.168.18.31 range 5100 5134

access-list 101 permit tcp host 10.59.19.132 host 192.168.18.33 eq 135

access-list 101 permit tcp host 10.59.19.132 host 192.168.18.33 range 5100 5134

access-list 101 permit tcp host 10.59.19.163 host 192.168.18.31 eq 135

access-list 101 permit tcp host 10.59.19.163 host 192.168.18.31 range 5100 5134

access-list 101 permit tcp host 10.59.19.163 host 192.168.18.33 eq 135

access-list 101 permit tcp host 10.59.19.163 host 192.168.18.33 range 5100 5134

access-list 101 permit tcp host 10.59.19.182 host 192.168.18.31 eq 135

access-list 101 permit tcp host 10.59.19.182 host 192.168.18.31 range 5100 5134

access-list 101 permit tcp host 10.59.19.182 host 192.168.18.33 eq 135

access-list 101 permit tcp host 10.59.19.182 host 192.168.18.33 range 5100 5134

!access-list 101 permit udp host 172.28.107.11 host 10.57.18.9 eq 43000

!access-list 101 permit udp host 172.28.107.11 host 10.57.18.9 eq 43200

access-list 101 deny ip host 10.59.19.37 any

access-list 101 deny ip host 10.59.19.38 any

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.2 range 11000 11003

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.6 range 11000 11003

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.1 eq 80

access-list 101 permit udp 10.59.19.32 0.0.0.7 host 10.59.19.1 eq 6142

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.1 eq 111

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.1 eq 135

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.1 range 15555 15559

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.1 eq 10014

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.1 eq 20125

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.1 range 50000 56000

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.2 eq 111

access-list 101 permit udp 10.59.19.32 0.0.0.7 host 10.59.19.2 eq 5093

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.6 eq 111

access-list 101 permit udp 10.59.19.32 0.0.0.7 host 10.59.19.6 eq 5093

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.1 eq 445

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.1 eq 5900

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.1 eq 3389

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.2 eq 5900

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.2 eq 3389

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.3 eq 5900

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.3 eq 3389

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.6 eq 5900

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.6 eq 3389

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.7 eq 5900

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.7 eq 3389

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.8 eq 445

access-list 101 deny   ip 10.0.0.0 0.255.255.255 any

access-list 101 deny   ip 10.59.19.0 0.0.0.255 any

access-list 101 deny   ip 172.16.0.0 0.15.255.255 any

access-list 101 deny   ip 192.168.0.0 0.0.15.255 any

access-list 101 deny   ip 192.168.18.0 0.0.0.255 any

access-list 101 deny   ip 127.0.0.0 0.255.255.255 any

access-list 101 deny   ip host 255.255.255.255 any

access-list 101 deny   ip host 0.0.0.0 any

access-list 101 deny   ip any any

 

Best regards,

PZu

Hello PZu,

I cannot see in your ACL 101 applied inbound a line that permits HSRP hello messages

 

see

https://www.cisco.com/c/en/us/support/docs/ip/hot-standby-router-protocol-hsrp/10583-62.html#anc10

 

>> Routers that run HSRP communicate HSRP information between each other through HSRP hello packets. These packets are sent to the destination IP multicast address 224.0.0.2 on User Datagram Protocol (UDP) port 1985. IP multicast address 224.0.0.2 

 

This is for HSRPv1

 

Hope to help

Giuseppe

 

Hello

for HSRPv2

 

HSRP version 2 advertises and learns millisecond timer values. This change ensures stability of the HSRP groups in all cases.

 

HSRP version 2 uses the new IP multicast address 224.0.0.102

 

https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-sy/fhp-15-sy-book/fhp-hsrp-v2.html.xml

 

Hope to help

Giuseppe

Hello,

Sorry, when I copied ACL yesterday, I didn't mark all entries.....

 

access-list 101 remark HSRP neighbour messaging

access-list 101 permit ip 10.59.19.0 0.0.0.255 host 224.0.0.102

 

Once again, thanks for your suggestions about the timers; I'll try it after the weekend.

 

Regards,

PZu
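The check discussed in the replies above (does the inbound ACL let the peer's HSRP hellos through?), as an added example that is not part of any post: a first-match evaluator for numbered extended ACL lines with wildcard masks, run against a constructed excerpt of ACL 101. Placing the later-posted HSRP entry at the top of the list is an assumption, since the thread does not show its position; the function names are hypothetical.

```python
import ipaddress

HSRP_DST, HSRP_PORT = {1: "224.0.0.2", 2: "224.0.0.102"}, 1985  # UDP; addresses from the thread
# Constructed excerpt of ACL 101 as first posted: one permit plus closing denies.
ACL_FIRST_POSTED = """\
access-list 101 permit udp 10.59.19.32 0.0.0.7 host 10.59.19.1 eq 6142
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip any any
"""
# Entry posted later in the thread; its position at the top is an assumption.
HSRP_ENTRY = """\
access-list 101 remark HSRP neighbour messaging
access-list 101 permit ip 10.59.19.0 0.0.0.255 host 224.0.0.102
"""

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_addr(tok, i):  # 'any' | 'host A' | 'A WILDCARD' -> (base, wildcard), next index
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (ip(tok[i + 1]), 0), i + 2
    return (ip(tok[i]), ip(tok[i + 1])), i + 2

def parse_ace(line):
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        return None  # remark or '!'-commented line
    src, i = parse_addr(tok, 4)
    dst, i = parse_addr(tok, i)
    lo, hi = 0, 65535
    if tok[i:i + 1] == ["eq"]:  # numeric ports only, as in the posted ACL
        lo = hi = int(tok[i + 1])
    elif tok[i:i + 1] == ["range"]:
        lo, hi = int(tok[i + 1]), int(tok[i + 2])
    return tok[2], tok[3], src, dst, lo, hi

def hit(addr, base, wild):  # wildcard bits set to 1 are "don't care"
    return (ip(addr) | wild) == (base | wild)

def hsrp_hello_verdict(acl_text, peer, version):
    # First-match, top-down evaluation of one HSRP hello sent by `peer`.
    for line in acl_text.splitlines():
        action, proto, src, dst, lo, hi = parse_ace(line) or (None,) * 6
        if (proto in ("ip", "udp") and hit(peer, *src) and hit(HSRP_DST[version], *dst)
                and lo <= HSRP_PORT <= hi):
            return action, " ".join(line.split())
    return "deny", "implicit deny"
```

Without the HSRP entry, a version 2 hello from 10.59.19.245 first matches the `deny ip 10.0.0.0 0.255.255.255 any` line; with the entry in front it is permitted, while a version 1 hello to 224.0.0.2 is still denied.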

Hello,

 

on a side note, I remember a case from the past where 'ip verify unicast reverse-path' caused the HSRP to bounce, you might want to try and disable that...

Hello
I'd just like to add that it also looks like you have CBAC (context-based access control) enabled on the HSRP interfaces, which will probably require amending or removing.

int x/x
ip inspect pubinspect out

if applicable you can also run debug on hsrp and post the results

debug standby errors
debug standby events 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

PZu
Level 1

Hello,

The problem with HSRP not working has been resolved. It wasn't a problem with the configuration of the routers or switches, but with the old devices connecting one of the routers to the L2 switch: the ETH2FO media converter (Allied Telesyn). After replacing these devices with other ones, the problem disappeared. Thanks, all, for the help.

 

Regards,

PZu

Hello PZu,

nice to hear that you have solved your issue

Thanks for your feedback

 

Best Regards

Giuseppe

See if you can mark your "solution found" posting as "solved".
