HSRP standby router is unknown

hnavi77
Level 1

Hello Team, 

I am trying to figure out why my active HSRP router is not seeing the standby router (standby router is unknown).

**

D11(config)#do sh standby bri
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl10 0 150 P Active local unknown 10.10.10.254

**

I went with a very simple design to figure out what is happening.

 

I am using CML 3.0 with 2 routers (D11 and D12 -> HSRP) and a switch where I have a desktop connected for testing purposes, with one interface VLAN 10 on both routers. The switch is configured with VLAN 10 only.

 

After debugging IP packets from both HSRP devices, I discovered that the active router (D11) is not receiving multicast IP address from D12. I do not have any ACL configured on any routers or switches...

 

Below the configuration:

 

Active HSRP - Router D11

 

D11(config)#do sh run int g0/1
Building configuration...

Current configuration : 105 bytes
!
interface GigabitEthernet0/1
switchport access vlan 10
switchport mode access
negotiation auto
end

 

D11(config-if)#do sh run int vlan 10
Building configuration...

Current configuration : 150 bytes
!
interface Vlan10
ip address 10.10.10.1 255.255.255.0
standby version 2
standby 0 ip 10.10.10.254
standby 0 priority 150
standby 0 preempt
end

 

*************************************

 

Standby HSRP - Router D11

 

D12(config)#do sh run int gi0/1
Building configuration...

Current configuration : 105 bytes
!
interface GigabitEthernet0/1
switchport access vlan 10
switchport mode access
negotiation auto
end

 

D12(config)#do sh run int vlan 10
Building configuration...

Current configuration : 126 bytes
!
interface Vlan10
ip address 10.10.10.2 255.255.255.0
standby version 2
standby 0 ip 10.10.10.254
standby 0 preempt
end

********************************

Switch:

 

SW1(config)#do sh run int gi0/1
Building configuration...

Current configuration : 105 bytes
!
interface GigabitEthernet0/1
switchport access vlan 10
switchport mode access
negotiation auto
end

SW1(config)#do sh run int gi0/2
Building configuration...

Current configuration : 105 bytes
!
interface GigabitEthernet0/2
switchport access vlan 10
switchport mode access
negotiation auto
end

**********************************

 

Debugging from D11:

D11(config)#$ 100 permit udp host 10.10.10.2 host 224.0.0.102 eq 1985
D11(config)#$ 100 permit udp host 10.10.10.1 host 224.0.0.102 eq 1985


D11(config)#do debug ip pack 100
IP packet debugging is on for access list 100

D11(config)#
*Apr 29 16:38:30.496: IP: s=10.10.10.1 (local), d=224.0.0.102 (Vlan10), len 80, local feature, Auth Proxy(16), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 29 16:38:30.496: IP: s=10.10.10.1 (local), d=224.0.0.102 (Vlan10), len 80, sending broad/multicast
*Apr 29 16:38:30.496: IP: s=10.10.10.1 (local), d=224.0.0.102 (Vlan10), len 80, sending full packet
D11(config)#

 

***************************

Debugging from D12:

D12(config)#do sh run | s access-list
access-list 100 permit udp host 10.10.10.2 host 224.0.0.102 eq 1985
access-list 100 permit udp host 10.10.10.1 host 224.0.0.102 eq 1985
D12(config)#do debug ip pack 100
IP packet debugging is on for access list 100

D12(config)#
*Apr 29 16:38:14.149: IP: s=10.10.10.1 (Vlan10), d=224.0.0.102, len 80, rcvd 0
*Apr 29 16:38:14.150: IP: s=10.10.10.1 (Vlan10), d=224.0.0.102, len 80, input feature, packet consumed, MCI Check(109), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 29 16:38:14.495: IP: s=10.10.10.2 (local), d=224.0.0.102 (Vlan10), len 80, local feature, Auth Proxy(16), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 29 16:38:14.496: IP: s=10.10.10.2 (local), d=224.0.0.102 (Vlan10), len 80, sending broad/multicast
*Apr 29 16:38:14.497: IP: s=10.10.10.2 (local), d=224.0.0.102 (Vlan10), len 80, sending full packet
D12(config)#

 

Thanks in advance for your help if you can figure out what's going on.
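
The comparison that the two debug captures above support, as an added example that is not part of the original post: it parses `debug ip packet` lines from each router and reports any direction in which HSRPv2 hellos leave one router but are never logged as received by the other. The sample lines are constructed from a subset of the output quoted above; the function names are hypothetical.

```python
import re

HSRP_V2_GROUP = "224.0.0.102"  # HSRPv2 hello destination seen in the thread's debug output

# Constructed sample input: a subset of the debug lines quoted in the post, trimmed for length.
D11_LOG = """\
*Apr 29 16:38:30.496: IP: s=10.10.10.1 (local), d=224.0.0.102 (Vlan10), len 80, sending broad/multicast
*Apr 29 16:38:30.496: IP: s=10.10.10.1 (local), d=224.0.0.102 (Vlan10), len 80, sending full packet
"""
D12_LOG = """\
*Apr 29 16:38:14.149: IP: s=10.10.10.1 (Vlan10), d=224.0.0.102, len 80, rcvd 0
*Apr 29 16:38:14.496: IP: s=10.10.10.2 (local), d=224.0.0.102 (Vlan10), len 80, sending broad/multicast
"""

LINE_RE = re.compile(r"IP: s=(?P<src>[\d.]+) \((?P<via>[^)]+)\), d=(?P<dst>[\d.]+)")

def hello_directions(log_text):
    """Return {'sent': {src, ...}, 'received': {src, ...}} for HSRPv2 hellos in one router's log."""
    seen = {"sent": set(), "received": set()}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dst"] != HSRP_V2_GROUP:
            continue
        # "(local)" marks a packet this router originated; an interface name marks ingress.
        seen["sent" if m["via"] == "local" else "received"].add(m["src"])
    return seen

def missing_paths(logs):
    """logs maps router name -> debug text. Return sorted (sender, receiver) pairs where the
    sender's log shows hellos leaving but the receiver's log never shows them arriving."""
    parsed = {name: hello_directions(text) for name, text in logs.items()}
    gaps = []
    for sender, s in parsed.items():
        for receiver, r in parsed.items():
            if sender != receiver and s["sent"] and not (s["sent"] & r["received"]):
                gaps.append((sender, receiver))
    return sorted(gaps)

if __name__ == "__main__":
    for sender, receiver in missing_paths({"D11": D11_LOG, "D12": D12_LOG}):
        print(f"{sender} hellos never reach {receiver}")
```

On the sample input this flags only the D12 to D11 direction, which matches the "Standby router is unknown" state on D11 while D12 still sees the active router.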

Accepted Solutions

@hnavi77 I have attached the file with the requested output. I have the configuration of all 3 devices on there with separation indicators, and lower down the file I put an alternate port configuration that also works. They all should either be access ports or all be trunk ports. It didn't work if access/trunk configuration was used. Please let me know if you have any questions.

 

 

D11#sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl10 0 150 P Active local 10.10.10.2 10.10.10.254

 

 

D12#sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl10 0 100 P Standby 10.10.10.1 local 10.10.10.254
D12#

 

 

-David


no ip igmp snooping in SW

hnavi77
Level 1

Applied it in global config of switch but this doesn't fix the problem.

Hello,

 

the access list does not look right. Use the one below:

 

access-list 100 permit udp any host 224.0.0.102 eq 1985

hnavi77
Level 1

Hello Georg, 

My acl = yours:

 

access-list 100 permit udp host 10.10.10.2 host 224.0.0.102 eq 1985
access-list 100 permit udp host 10.10.10.1 host 224.0.0.102 eq 1985

**

access-list 100 permit udp any host 224.0.0.102 eq 1985

 

no ip igmp snooping in all SW
Also check VTP; I think the domain is mismatched and this broke the HSRP connection.


show standby <- if both steps do not solve the issue

hnavi77
Level 1

I don't have VTP configured at all. Do you think this may be the reason?

Let me configure it; curious to see the result.

 

hnavi77
Level 1

Problem not resolved.

 

VTP configured on 3 sw:

 

D11(config-if)#do sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : test
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5254.0000.8000
Configuration last modified by 10.10.10.1 at 4-29-22 19:01:39
Local updater ID is 10.10.10.1 on interface Vl10 (lowest numbered VLAN interface found)

Feature VLAN:
--------------
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 6
Configuration Revision : 2
MD5 digest : 0x11 0x42 0x46 0x66 0xDC 0xD7 0x27 0x38
0x1A 0xCF 0x97 0x0F 0xCF 0x8A 0xE5 0xAF

**

 

SW1(config-if)#do sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : test
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5254.0000.8000
Configuration last modified by 0.0.0.0 at 4-29-22 19:01:16
Local updater ID is 10.10.10.100 on interface Vl10 (lowest numbered VLAN interface found)

Feature VLAN:
--------------
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 6
Configuration Revision : 2
MD5 digest : 0x64 0xAA 0x27 0x4A 0x80 0x83 0x48 0xB7
0xE6 0x9A 0x09 0x74 0xBC 0xE8 0x4B 0xA4

**

D12(config-if)#do sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : test
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5254.0000.8000
Configuration last modified by 10.10.10.2 at 4-29-22 19:04:51
Local updater ID is 10.10.10.2 on interface Vl10 (lowest numbered VLAN interface found)

Feature VLAN:
--------------
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 6
Configuration Revision : 2
MD5 digest : 0x7C 0x28 0x92 0xFE 0xE7 0x8A 0x75 0xED
0x42 0x8F 0xBF 0xBF 0xC6 0xD9 0xD3 0xC4

**

Standby config - D11:

 

D11(config-if)#do sh standby
Vlan10 - Group 0 (version 2)
State is Active
12 state changes, last state change 00:03:07
Virtual IP address is 10.10.10.254
Active virtual MAC address is 0000.0c9f.f000 (MAC In Use)
Local virtual MAC address is 0000.0c9f.f000 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.016 secs
Preemption enabled
Active router is local
Standby router is unknown
Priority 150 (configured 150)
Group name is "hsrp-Vl10-0" (default)

 

Standby config - D12:

Vlan10 - Group 0 (version 2)
State is Standby
28 state changes, last state change 00:04:30
Virtual IP address is 10.10.10.254
Active virtual MAC address is 0000.0c9f.f000 (MAC Not In Use)
Local virtual MAC address is 0000.0c9f.f000 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.736 secs
Preemption enabled
Active router is 10.10.10.1, priority 150 (expires in 8.672 sec)
MAC address is 5254.0000.800a
Standby router is local
Priority 100 (default 100)
Group name is "hsrp-Vl10-0" (default)
D12(config-if)#

Hello,

 

Where and how did you apply the access lists? Post the full running configurations of both routers, as it is not visible from the snippets you posted what the access lists do.

Hello,

 

your access list is wrong and breaks the HSRP neighborship.

 

Use the one I suggested.

 

access-list 100 permit udp any host 224.0.0.102 eq 1985

All sw must have same vtp domain

 

hnavi77
Level 1

Hello Georg, 

I am not using any acl on my configuration.

The one I used is only for filtering IP traffic with the debug ip packet ACL.

 

Config of D11:

D11(config-if)#do sh run
Building configuration...

Current configuration : 3006 bytes
!
! Last configuration change at 17:27:25 UTC Fri Apr 29 2022
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname D11
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
ip cef
no ip igmp snooping
no ipv6 cef
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
negotiation auto
!
interface GigabitEthernet0/1
switchport access vlan 10
switchport mode access
negotiation auto
!
interface GigabitEthernet0/2
negotiation auto
!
interface GigabitEthernet0/3
negotiation auto
!
interface Vlan10
ip address 10.10.10.1 255.255.255.0
standby version 2
standby 0 ip 10.10.10.254
standby 0 priority 150
standby 0 preempt
!
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
access-list 100 permit udp host 10.10.10.2 host 224.0.0.102 eq 1985
access-list 100 permit udp host 10.10.10.1 host 224.0.0.102 eq 1985
!
!
!
!
control-plane
!
banner exec ^C
IOSv - Cisco Systems Confidential -

Supplemental End User License Restrictions

This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.

By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.
^C
banner incoming ^C
IOSv - Cisco Systems Confidential -

Supplemental End User License Restrictions

This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.

By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.
^C
banner login ^C
IOSv - Cisco Systems Confidential -

Supplemental End User License Restrictions

This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.

By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.
^C
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end

D11(config-if)#

 

***************************

Config of D12:

D12(config-if)#do sh run
Building configuration...

Current configuration : 2982 bytes
!
! Last configuration change at 14:31:46 UTC Fri Apr 29 2022
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname D12
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
ip cef
no ip igmp snooping
no ipv6 cef
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
negotiation auto
!
interface GigabitEthernet0/1
switchport access vlan 10
switchport mode access
negotiation auto
!
interface GigabitEthernet0/2
negotiation auto
!
interface GigabitEthernet0/3
negotiation auto
!
interface Vlan10
ip address 10.10.10.2 255.255.255.0
standby version 2
standby 0 ip 10.10.10.254
standby 0 preempt
!
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
access-list 100 permit udp host 10.10.10.2 host 224.0.0.102 eq 1985
access-list 100 permit udp host 10.10.10.1 host 224.0.0.102 eq 1985
!
!
!
!
control-plane
!
banner exec ^C
IOSv - Cisco Systems Confidential -

Supplemental End User License Restrictions


This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.

By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.
^C
banner incoming ^C
IOSv - Cisco Systems Confidential -

Supplemental End User License Restrictions

This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.

By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.
^C
banner login ^C
IOSv - Cisco Systems Confidential -

Supplemental End User License Restrictions

This IOSv software is provided AS-IS without warranty of any kind. Under no circumstances may this software be used separate from the Cisco Modeling Labs Software that this software was provided with, or deployed or used as part of a production environment.

By using the software, you agree to abide by the terms and conditions of the Cisco End User License Agreement at http://www.cisco.com/go/eula. Unauthorized use or distribution of this software is expressly prohibited.
^C
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end

D12(config-if)#

hnavi77
Level 1

Hello MHM,

I am not using trunk configuration at all on the switches, so VTP is useless for my topology.

I am using access ports with VLAN 10 only. I am trying to have a simple topology to understand this issue, because I am having a similar issue in my more complex topology.

 

Hello,

 

A couple things you could try.

 

Connect a cable between the two HSRP devices and eliminate traffic going through the switch. First make it an access port like you did. If it works, it might be a switch config issue (still not sure what).

If that doesn't work, change that link you just added (bypassing the switch) into a trunk to see if that works.

Second thing to try is make all links (except PC link) a trunk to see if that fixes it.

 

It could narrow down some issues for you

 

Hope that helps

 

-David

Friend,

even if you configure an SVI, both SW are still L2; you need the command
ip routing
to make them L3 SW.
