08-04-2012 12:42 AM - edited 03-04-2019 05:10 PM
Hi Friends,
I am seeking your expert opinion to help me troubleshoot the scenario below:
I have an Internet connection over Ethernet connected to an L2 switch (Cisco 2960). I have 2 routers (Cisco 2900). I have a webserver to be accessed from the Internet. The physical IP address of the server is in the private range.
I have configured Stateful NAT as below
157.220.100.61 is Static NAT to 10.1.1.3 using redundancy
Though HSRP is working well, when RTR-1 is down, I am not able to reach the webserver (10.1.1.3) using RTR-2.
We found on the ISP switch that, even when RTR-1 is down, the MAC address for 157.220.100.61 is still present, one pointing to RTR-1 and the other pointing to RTR-2. There are 2 MAC address entries for 157.220.100.61.
What is the mistake and what is the workaround? Can you help me?
regards,
SAIRAM
08-04-2012 03:56 AM
What you should do is configure hsrp on the inside as well and make your vIP the default gateway for the server. Then you'll only have one vMAC associated to the vIP address that you have assigned and your problem should be resolved.
HTH,
John
08-04-2012 11:09 AM
Thanks John,
Yes, I have HSRP configured on both the Inside (LAN) interface and the WAN interface. The problem is that the static NAT public IP address 157.220.100.61 is resolved with the MAC addresses of both RTR-1 and RTR-2.
Hope I have explained the problem correctly
Thanks in advance
regards
SAIRAM
08-05-2012 06:03 AM
Sairam,
Sorry for not getting back with you sooner. Okay, since you're running hsrp on the inside, how are you testing? If you're pulling the circuit leading to the ISP, the inside interface is still up. The server's default gateway is the vIP of the hsrp group and, assuming RTR-1 is the active for the group, RTR-2 never changes over to the active state for the LAN side interface but will for the WAN (if you're pulling the circuit). If that's the case, you'll need to configure ip sla and tracking for the standby group to relinquish the role of active on the lan side if the wan interface goes into standby. (More on this in a moment.)
The other issue is that you should have the same nat translation on both routers. I'll assume that you have that, so I'll put below what you can do for sla:
ip sla monitor 1
 type echo protocol ipIcmpEcho 157.220.100.1
 frequency 5
ip sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
int
 standby 1 track 1 decrement 10
The decrement command is to decrease the priority. The goal is to get the priority lower than standby for preempt to happen. Once the WAN circuit goes down, the router will know (because of the ping happening in the background) and tracking will fail. Once it fails, your outside interface will go into standby for natural causes and then your internal will fail over because of the tracking failure. Try it out and let me know if you have any issues with it.
Thanks!
John
08-07-2012 12:00 AM
Hi John
Thank you very much for your support. You explained the IP SLA in a more precise way. I appreciate this.
IP SLA is already there. Let me explain the problem and my troubleshooting
Problem: Configured Stateful NAT for Static NAT. HSRP is on the Inside (LAN). During HSRP failover, I am seeing 2 MAC addresses for the same IP address, one pointing to RTR-1 and the other pointing to RTR-2. So, I am not able to reach the servers behind the static NAT.
08-07-2012 02:19 AM
I see the problem... when you are doing static NAT on both routers, the HSRP group name should be the HSRP group name configured on the internal (inside) NAT interface...
Try this:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnthsrp.html
Note that after the HSRP state on a router changes to active, the active router will generate a few ARP packets with the new information in the translated direction (with the static inside global address and the physical MAC of the router interface)... this way it should update the information on the ISP router... what the L2 switch sees in ARP is, I hope, not relevant.
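The binding discussed in this thread, as an added configuration example that is not taken from any poster's routers: the interface names, the inside interface and virtual addresses, the group number and the group name NATHA are assumptions; only 10.1.1.3 and 157.220.100.61 come from the thread.

```cisco
! Constructed example: interface names, 10.1.1.1/10.1.1.254, group 1 and
! the group name NATHA are assumptions, not values from the thread.
!
! RTR-1 (RTR-2 is the same apart from its own interface address and a
! lower HSRP priority)
interface GigabitEthernet0/1
 description Inside (LAN) toward the web server
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 standby 1 ip 10.1.1.254
 standby 1 priority 110
 standby 1 preempt
 standby 1 name NATHA
!
interface GigabitEthernet0/0
 description Outside (WAN) toward the ISP switch
 ip nat outside
!
! Static mapping with no HSRP binding: each router owns the global address
! and each answers ARP for 157.220.100.61, which is how two MAC entries
! for one IP can appear upstream.
! ip nat inside source static 10.1.1.3 157.220.100.61
!
! Static mapping bound to the inside HSRP group by name: only the router
! that is active for group NATHA answers ARP for 157.220.100.61.
ip nat inside source static 10.1.1.3 157.220.100.61 redundancy NATHA
```

The name after `redundancy` has to match the `standby ... name` on the NAT inside interface on both routers; `show standby brief` on each router shows which one is currently active for that group.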