HSRP 5 Statechange.

PZu · ‎04-01-2021

Hi there!

I know that there are already several threads on a similar topic, but I can't find a solution. For some time we observe problems with our routeres:

192.168.18.252 483563: 483558: Mar 29 00:02:32.053 GMT: %HSRP-5-STATECHANGE: Vlan1 Grp 34 state Active -> Speak
192.168.18.252 483564: 483559: Mar 29 00:02:35.053 GMT: %HSRP-5-STATECHANGE: Vlan1 Grp 34 state Speak -> Standby
192.168.18.252 483565: 483560: Mar 29 00:02:38.053 GMT: %HSRP-5-STATECHANGE: Vlan1 Grp 34 state Standby -> Active
192.168.18.252 483566: 483561: Mar 29 00:02:44.053 GMT: %HSRP-5-STATECHANGE: Vlan1 Grp 34 state Active -> Speak
192.168.18.252 483567: 483562: Mar 29 00:02:47.053 GMT: %HSRP-5-STATECHANGE: Vlan1 Grp 34 state Speak -> Standby
192.168.18.252 483568: 483563: Mar 29 00:02:50.053 GMT: %HSRP-5-STATECHANGE: Vlan1 Grp 34 state Standby -> Active

Here is configuration both of them:

ROU01:

!interface GigabitEthernet0/0
interface Vlan1
description $FW_OUTSIDE$
ip address 10.59.19.246 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect pubinspect out
ip nat outside
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
standby version 2
standby 34 name net10.59.19.247
standby 34 ip 10.59.19.247
standby 34 timers 1 3
standby 34 priority 105
standby 34 preempt delay minimum 60
standby 34 authentication md5 key-string sec10.59.19.247

ROU02:

!interface GigabitEthernet0/0
interface Vlan1
description $FW_OUTSIDE$
ip address 10.59.19.245 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect pubinspect out
ip nat outside
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
standby version 2
standby 34 name net10.59.19.247
standby 34 ip 10.59.19.247
standby 34 timers 1 3
standby 34 preempt
standby 34 authentication md5 key-string sec10.59.19.247

Both routers, are connected to L2 switches in subnet 10.59.19.XXX

Giuseppe Larosa · ‎04-01-2021

Hello PZu,

please provide configuration of applied ACL 101

also timers are aggressive (low) if you go back to defualt values 3 and 10 seconds you can be able to solve.

Check also stability of STP on L2 switch with

show spanning-tree vlan X detail

look for topology change.

Hope to help

Giuseppe

PZu · ‎04-01-2021

Hello Giuseppe,

Thanks for advice and fast reply. I will check this solution after the weekend because now I work remotely and don't have access to the company network.

Here is ACL 101:

access-list 101 permit tcp 10.59.128.32 0.0.0.31 host 10.59.19.1 eq 80

access-list 101 permit udp 10.59.128.32 0.0.0.31 host 10.59.19.1 eq 6142

access-list 101 permit tcp 10.59.128.32 0.0.0.31 host 10.59.19.1 eq 111

access-list 101 permit tcp 10.59.128.32 0.0.0.31 host 10.59.19.1 eq 135

access-list 101 permit tcp 10.59.128.32 0.0.0.31 host 10.59.19.1 range 15555 15559

access-list 101 permit tcp 10.59.128.32 0.0.0.31 host 10.59.19.1 eq 10014

access-list 101 permit tcp 10.59.128.32 0.0.0.31 host 10.59.19.1 eq 20125

access-list 101 permit tcp 10.59.128.32 0.0.0.31 host 10.59.19.1 range 50000 56000

access-list 101 permit tcp 10.59.128.32 0.0.0.31 host 10.59.19.2 eq 111

access-list 101 permit udp 10.59.128.32 0.0.0.31 host 10.59.19.2 eq 5093

access-list 101 permit tcp 10.59.128.32 0.0.0.31 host 10.59.19.6 eq 111

access-list 101 permit udp 10.59.128.32 0.0.0.31 host 10.59.19.6 eq 5093

access-list 101 permit tcp 10.59.128.64 0.0.0.31 host 10.59.19.1 eq 80

access-list 101 permit udp 10.59.128.64 0.0.0.31 host 10.59.19.1 eq 6142

access-list 101 permit tcp 10.59.128.64 0.0.0.31 host 10.59.19.1 eq 111

access-list 101 permit tcp 10.59.128.64 0.0.0.31 host 10.59.19.1 eq 135

access-list 101 permit tcp 10.59.128.64 0.0.0.31 host 10.59.19.1 range 15555 15559

access-list 101 permit tcp 10.59.128.64 0.0.0.31 host 10.59.19.1 eq 10014

access-list 101 permit tcp 10.59.128.64 0.0.0.31 host 10.59.19.1 eq 20125

access-list 101 permit tcp 10.59.128.64 0.0.0.31 host 10.59.19.1 range 50000 56000

access-list 101 permit tcp 10.59.128.64 0.0.0.31 host 10.59.19.2 eq 111

access-list 101 permit udp 10.59.128.64 0.0.0.31 host 10.59.19.2 eq 5093

access-list 101 permit tcp 10.59.128.64 0.0.0.31 host 10.59.19.6 eq 111

access-list 101 permit udp 10.59.128.64 0.0.0.31 host 10.59.19.6 eq 5093

access-list 101 permit tcp host 10.59.19.66 host 10.59.19.1 eq 80

access-list 101 permit udp host 10.59.19.66 host 10.59.19.1 eq 6142

access-list 101 permit tcp host 10.59.19.66 host 10.59.19.1 eq 111

access-list 101 permit tcp host 10.59.19.66 host 10.59.19.1 eq 135

access-list 101 permit tcp host 10.59.19.66 host 10.59.19.1 range 15555 15559

access-list 101 permit tcp host 10.59.19.66 host 10.59.19.1 eq 10014

access-list 101 permit tcp host 10.59.19.66 host 10.59.19.1 eq 20125

access-list 101 permit tcp host 10.59.19.66 host 10.59.19.1 range 50000 56000

access-list 101 permit tcp host 10.59.19.66 host 10.59.19.2 eq 111

access-list 101 permit udp host 10.59.19.66 host 10.59.19.2 eq 5093

access-list 101 permit tcp host 10.59.19.66 host 10.59.19.6 eq 111

access-list 101 permit udp host 10.59.19.66 host 10.59.19.6 eq 5093

access-list 101 permit tcp host 10.59.19.82 host 10.59.19.1 eq 80

access-list 101 permit udp host 10.59.19.82 host 10.59.19.1 eq 6142

access-list 101 permit tcp host 10.59.19.82 host 10.59.19.1 eq 111

access-list 101 permit tcp host 10.59.19.82 host 10.59.19.1 eq 135

access-list 101 permit tcp host 10.59.19.82 host 10.59.19.1 range 15555 15559

access-list 101 permit tcp host 10.59.19.82 host 10.59.19.1 eq 10014

access-list 101 permit tcp host 10.59.19.82 host 10.59.19.1 eq 20125

access-list 101 permit tcp host 10.59.19.82 host 10.59.19.1 range 50000 56000

access-list 101 permit tcp host 10.59.19.82 host 10.59.19.2 eq 111

access-list 101 permit udp host 10.59.19.82 host 10.59.19.2 eq 5093

access-list 101 permit tcp host 10.59.19.82 host 10.59.19.6 eq 111

access-list 101 permit udp host 10.59.19.82 host 10.59.19.6 eq 5093

access-list 101 permit tcp host 10.59.19.83 host 10.59.19.1 eq 80

access-list 101 permit udp host 10.59.19.83 host 10.59.19.1 eq 6142

access-list 101 permit tcp host 10.59.19.83 host 10.59.19.1 eq 111

access-list 101 permit tcp host 10.59.19.83 host 10.59.19.1 eq 135

access-list 101 permit tcp host 10.59.19.83 host 10.59.19.1 range 15555 15559

access-list 101 permit tcp host 10.59.19.83 host 10.59.19.1 eq 10014

access-list 101 permit tcp host 10.59.19.83 host 10.59.19.1 eq 20125

access-list 101 permit tcp host 10.59.19.83 host 10.59.19.1 range 50000 56000

access-list 101 permit tcp host 10.59.19.83 host 10.59.19.2 eq 111

access-list 101 permit udp host 10.59.19.83 host 10.59.19.2 eq 5093

access-list 101 permit tcp host 10.59.19.83 host 10.59.19.6 eq 111

access-list 101 permit udp host 10.59.19.83 host 10.59.19.6 eq 5093

access-list 101 permit tcp host 10.160.0.37 host 10.59.19.1 eq 445

access-list 101 permit udp host 10.160.0.37 host 10.59.19.1 eq 445

access-list 101 permit tcp host 10.160.0.37 host 10.59.19.1 range 135 140

access-list 101 permit udp host 10.160.0.37 host 10.59.19.1 range 135 140

access-list 101 permit tcp host 10.160.0.37 host 192.168.18.48 eq 445

access-list 101 permit udp host 10.160.0.37 host 192.168.18.48 eq 445

access-list 101 permit tcp host 10.160.0.37 host 192.168.18.48 range 135 140

access-list 101 permit udp host 10.160.0.37 host 192.168.18.48 range 135 140

access-list 101 permit tcp host 10.160.0.38 host 10.59.19.1 eq 445

access-list 101 permit udp host 10.160.0.38 host 10.59.19.1 eq 445

access-list 101 permit tcp host 10.160.0.38 host 10.59.19.1 range 135 140

access-list 101 permit udp host 10.160.0.38 host 10.59.19.1 range 135 140

access-list 101 permit tcp host 10.160.0.38 host 192.168.18.48 eq 445

access-list 101 permit udp host 10.160.0.38 host 192.168.18.48 eq 445

access-list 101 permit tcp host 10.160.0.38 host 192.168.18.48 range 135 140

access-list 101 permit udp host 10.160.0.38 host 192.168.18.48 range 135 140

access-list 101 permit tcp host 10.59.19.151 host 192.168.18.31 eq 135

access-list 101 permit tcp host 10.59.19.151 host 192.168.18.31 range 5100 5134

access-list 101 permit tcp host 10.59.19.151 host 192.168.18.33 eq 135

access-list 101 permit tcp host 10.59.19.151 host 192.168.18.33 range 5100 5134

access-list 101 permit tcp host 10.59.19.4 host 192.168.18.31 eq 135

access-list 101 permit tcp host 10.59.19.4 host 192.168.18.31 range 5100 5134

access-list 101 permit tcp host 10.59.19.4 host 192.168.18.33 eq 135

access-list 101 permit tcp host 10.59.19.4 host 192.168.18.33 range 5100 5134

access-list 101 permit tcp host 10.59.19.132 host 192.168.18.31 eq 135

access-list 101 permit tcp host 10.59.19.132 host 192.168.18.31 range 5100 5134

access-list 101 permit tcp host 10.59.19.132 host 192.168.18.33 eq 135

access-list 101 permit tcp host 10.59.19.132 host 192.168.18.33 range 5100 5134

access-list 101 permit tcp host 10.59.19.163 host 192.168.18.31 eq 135

access-list 101 permit tcp host 10.59.19.163 host 192.168.18.31 range 5100 5134

access-list 101 permit tcp host 10.59.19.163 host 192.168.18.33 eq 135

access-list 101 permit tcp host 10.59.19.163 host 192.168.18.33 range 5100 5134

access-list 101 permit tcp host 10.59.19.182 host 192.168.18.31 eq 135

access-list 101 permit tcp host 10.59.19.182 host 192.168.18.31 range 5100 5134

access-list 101 permit tcp host 10.59.19.182 host 192.168.18.33 eq 135

access-list 101 permit tcp host 10.59.19.182 host 192.168.18.33 range 5100 5134

!access-list 101 permit udp host 172.28.107.11 host 10.57.18.9 eq 43000

!access-list 101 permit udp host 172.28.107.11 host 10.57.18.9 eq 43200

access-list 101 deny ip host 10.59.19.37 any

access-list 101 deny ip host 10.59.19.38 any

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.2 range 11000 11003

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.6 range 11000 11003

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.1 eq 80

access-list 101 permit udp 10.59.19.32 0.0.0.7 host 10.59.19.1 eq 6142

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.1 eq 111

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.1 eq 135

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.1 range 15555 15559

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.1 eq 10014

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.1 eq 20125

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.1 range 50000 56000

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.2 eq 111

access-list 101 permit udp 10.59.19.32 0.0.0.7 host 10.59.19.2 eq 5093

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.6 eq 111

access-list 101 permit udp 10.59.19.32 0.0.0.7 host 10.59.19.6 eq 5093

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.1 eq 445

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.1 eq 5900

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.1 eq 3389

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.2 eq 5900

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.2 eq 3389

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.3 eq 5900

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.3 eq 3389

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.6 eq 5900

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.6 eq 3389

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.7 eq 5900

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.7 eq 3389

access-list 101 permit tcp 10.59.19.32 0.0.0.7 host 10.59.19.8 eq 445

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 10.59.19.0 0.0.0.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.15.255 any

access-list 101 deny ip 192.168.18.0 0.0.0.255 any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

access-list 101 deny ip host 255.255.255.255 any

access-list 101 deny ip host 0.0.0.0 any

access-list 101 deny ip any any

Best regards,

PZu

Giuseppe Larosa · ‎04-01-2021

Hello PZu,

I cannot see in your ACL 101 applied inbound a line that permits HSRP hello messages

see

https://www.cisco.com/c/en/us/support/docs/ip/hot-standby-router-protocol-hsrp/10583-62.html#anc10

>> Routers that run HSRP communicate HSRP information between each other through HSRP hello packets. These packets are sent to the destination IP multicast address 224.0.0.2 on User Datagram Protocol (UDP) port 1985. IP multicast address 224.0.0.2

This is for HSRPv1

Hope to help

Giuseppe

Giuseppe Larosa · ‎04-01-2021

Hello

for HSRPv2

HSRP version 2 advertises and learns millisecond timer values. This change ensures stability of the HSRP groups in all cases.

HSRP version 2 uses the new IP multicast address 224.0.0.102

https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-sy/fhp-15-sy-book/fhp-hsrp-v2.html.xml

Hope to help

Giuseppe

PZu · ‎04-02-2021

Hello,

Sorry, when I copied ACL yesterday, I didn't mark all entries.....

access-list 101 remark HSRP neighbour messaging

access-list 101 permit ip 10.59.19.0 0.0.0.255 host 224.0.0.102

Once agian thanks for Your sugestions about timers, I'll try it after weekend.

Regards,

PZu

Georg Pauwen · ‎04-02-2021

Hello,

on a side note, I remember a case from the past where 'ip verify unicast reverse-path' caused the HSRP to bounce, you might want to try and disable that...

paul driver · ‎04-03-2021

Hello
Just like to add it also looks like you have CBAC (context based access control) enabled on the hsrp interfaces which will probably require amending or removed

int x/x
ip inspect pubinspect out

if applicable you can also run debug on hsrp and post the results

debug standby errors
debug standby events

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

PZu · ‎04-19-2021

Hello,

The problem with not working HSRP has been resloved. It wasn't a problem with configuration routers or switches, but with the old devices connecting one of the routers to the L2 switch - media converter ETH2FO (Allied Telesyn), after replacing these devices with other one's, the problem disappeared. Thanks All for help.

Regards,

PZu

Giuseppe Larosa · ‎04-19-2021

Hello Pzu,

nice to hear that you have solved your issue

Thanks for your feedback

Best Regards

Giuseppe

Joseph W. Doherty · ‎04-19-2021

See if you can mark your "solution found" posting as "solved".