Hi Jon,

The problem start way before any router goes down, my hosts can not even ping their DG after setting the 2 HSRP standby groups. they ping the DG alright for like 10 seconds after configuration and then suddenly 192.168.0.254 changes to "request timed out" and only 192.168.0.238 keeps pinging. it`s like the interface stopped working - which of course is not true.

here is the show standby brief from router 1
-----------------------------------------------------------------

Router(config-if)#do sh stand b

P indicates configured to preempt.

|

Interface Grp  Pri   P    State          Active            Standby         Virtual IP

Fa0/0       1    101  P    Active         local         192.168.0.2     192.168.0.254

Fa0/0       2    99    P   Standby   192.168.0.2       local           192.168.0.238

here is the show standby brief from router 2

----------------------------------------------------------

Router(config-if)#do sh stand b

P indicates configured to preempt.

|

Interface    Grp    Pri   P      State         Active       Standby         Virtual IP

Fa0/0          1      99    P    Standby   192.168.0.1      local       192.168.0.254

Fa0/0          2     101    P   Active          local       192.168.0.1   192.168.0.238

----------------------------------------------------

as you can see - the configuration is fine, each router is active for one group and standby for the other, yet hosts that got 192.168.0.254 can not ping their respective router.

another thing: if you turn off both routers and turn them back on again - none of the routers are able to ping their DG and this is what you get from the STATECHANGE message:

-------------------

on router 1

------------------

%HSRP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby

%HSRP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active

%HSRP-6-STATECHANGE: FastEthernet0/0 Grp 2 state Speak -> Standby

---------------------
on router 2

---------------------

%HSRP-6-STATECHANGE: FastEthernet0/0 Grp 2 state Speak -> Standby

%HSRP-6-STATECHANGE: FastEthernet0/0 Grp 2 state Standby -> Active

%HSRP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby

%HSRP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active

%HSRP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby

that is very very wrong, but what is wrong and why is beyond me.

I have a comment about potential issues with track and a guess at the problem with HSRP. Jon is quite correct that by default track an interface will lower the priority by 10. So if you set the interface priorities as 150 and 100 even if track does lower the priority it will not cause traffic to use the other router. So you either need to configure HSRP to decrement by a larger amount or you need to set the interface priorities to be less than 10 apart. The other factor to consider is that track interface depends on the interface changing to the protocol down state. There are frequently circumstances where you may lose connectivity over an Ethernet interface but the interface will remain in the protocol up state in which HSRP will not decrement its priority. So you might need something like IP SLA to check on reachability through the Ethernet interface.

The symptoms sound like there might be some connectivity issues. At the point where a PC assigned to group 1 is not able to ping 192.168.0.254 is that PC able to ping 192.168.0.3 and if so what does traceroute to 192.168.0.3 show?

HTH

Rick

Hi Richard,

the hosts are able to ping the "physical" DG with no problem, they can not ping the virtual DG given to them by HSRP. 

I corrected the track issue (as seen by the input of my last replay) but that wasn`t the problem. when no HSRP is configured, group 1 goes to the server through router 1 and group 2 does it through router 2, thus there can not be a connectivity issue here. after configuring only one HSRP address (for group 1) everything still works fine (for that group). adding HSRP DG to group 2 also works well. only when configuring the load-sharing things get messy. it works for 10 seconds, and suddenly - none of the clients are able to reach their virtual router.

been tracking the packet to see what happens to it. so as we all know, the mac address of the virtual interface ends with F001 for group 1 (router 1) and F002 for group 2 frames (router 2)

checking the arp table at the routers looks fine: they both know that 192.168.0.254 is F001 and 192.168.0.238 is F002. so far so good.

checking the switch mac-table also shows everything in order: f0/4 for F001 and f0/5 for F002.

but when sending the frames from the client, frame F001 arrives to the switch and chooses f0/5 - as if router #1 had crushed and the standby came into the game, which of course never happened.

the router that receives that frame is not building the layer 3 of course, and says "the mac address destination does not match the port"

I think it`s a bug, there is no way the basic configuration is wrong (aside the tracking decrement issue - thanks for that)

I do see that the priority/decrement issue has been fixed. And the output of show standby brief looks appropriate. So perhaps it is a bug issue.

HTH

Rick

Just an aside question, have you considered using GLBP?

of course, with GLBP it`s no big deal, I can also use vlan`s to separate the groups and it would work find with HSRP, but I just wondered why is it happening...

where does 192.168.0.1 come from? doesn't match your previous hsrp config

yes, Richard, you are right. the thing is I tries to use the physical interfaces rather than the sub-interfaces, thinking that maybe vlan is causing some sort of clash, so the original question was with sub-interfaces 192.168.0.2 and 192.168.0.3 and the new configuration, the one without sub-interfaces, was 192.168.0.1 and 192.168.0.2. I also re-configured the hsrp virtual address (111 & 112 to 254 & 138) but nothing helped, not the old config with the vlan 10 and not the new config with physical interfaces.

searched this thing over and over and I came to the conclusion it is nothing but a bug. there is nothing wrong with the statements and "show standby brief" proves it... so there is really nothing I can do about it.

thanks alot to everyone who answered and tried to help!