07-14-2020 01:23 PM - edited 07-14-2020 01:24 PM
Hello guys, first time I post something here but I'm confused.
For class, I have a project which requires me to have, at some point, 2 routers. One "main" router and a backup one. I'm using HSRP. The problem is that on my backup router, one interface is working perfectly, routing, HSRP, OSPF etc... but on the other one, nothing is working. I can't ping, I can't receive ping, and because of this, it doesn't know the "main" router so HSRP has the active status.
I tried to put almost the same config on both of my routers but I just don't understand why it doesn't work.
I'll attach the config of the 2 routers, the "RLAN" is the main one and the "RLAN_backup" is the backup router. The interface g0/0 is working perfectly and the interface g0/1 on the "RLAN_backup" isn't working.
Thanks in advance for your help :)
07-14-2020 01:58 PM
Hello,
Have a look at the below. Your main router will preempt, and both interfaces track each other. When either interface goes down, the priority of the other will be reduced by 25, so that both interfaces of the backup router can become active:
RLAN
interface GigabitEthernet0/0
ip address 192.168.0.251 255.255.255.0
ip access-group lan_rules out
ip nat inside
duplex auto
speed auto
standby 20 ip 192.168.0.254
standby 20 priority 105
standby 20 preempt
standby 20 track GigabitEthernet0/1 25
!
interface GigabitEthernet0/1
ip address 192.168.10.252 255.255.255.0
ip access-group rules_lan in
ip nat inside
duplex auto
speed auto
standby 30 ip 192.168.10.254
standby 30 priority 105
standby 30 preempt
standby 30 track GigabitEthernet0/0 25
RLAN_Backup
interface GigabitEthernet0/0
ip address 192.168.0.250 255.255.255.0
ip access-group lan_rules out
ip nat inside
duplex auto
speed auto
standby 20 ip 192.168.0.254
!
interface GigabitEthernet0/1
ip address 192.168.10.251 255.255.255.0
ip access-group rules_lan in
ip nat inside
duplex auto
speed auto
standby 30 ip 192.168.10.254
07-14-2020 03:47 PM - edited 07-14-2020 03:59 PM
Thanks for your answer but it's still not working. I did your modification, now my RLAN_backup can ping but it cannot receive any ping, even if it's from a router or a host.
The interface g0/1 on the RLAN_backup is still in "active state" for the HSRP.
Maybe the problem is in my ip route idk...
07-15-2020 12:41 AM
Hello,
I did not look at your routing, but indeed that does not look right. I am not sure if the diagram shows your entire network, but it looks like you basically just need one default route on both routers pointing out GigabitEthernet0/1 (towards the router peripherique).
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
07-15-2020 01:41 AM - edited 07-15-2020 01:55 AM
Hello Georg,
I did remove all the previous routes I configured to put only
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
but it's still not working. The ping is again not working anymore.
I have no idea about what could be the problem...
Btw, when I try to do a ping simulation from the "RLAN_backup", I have this error:
"1. The next-hop IP address is not in the ARP table. The ARP process tries to send an ARP request for that IP address and drops this packet."
When I try to do a ping simulation from the host to the "RLAN_backup", I have this error:
"1. The ARP request times out. The ARP process drops this buffered packet."
EDIT: I've attached the new RLAN_Backup's running config.
07-15-2020 02:01 AM
Hello @Darktortue ,
just to complete the HSRP configuration the interface command
standby preempt
is needed also on the standby router or it will not take over on both interfaces.
Hope to help
Giuseppe
07-15-2020 02:06 AM - edited 07-15-2020 02:07 AM
Hello @Giuseppe Larosa
I added "Standby preempt" on my backup router, the standby one, but it didn't change anything.
The status of my router is still active and it's impossible to communicate with any other routers or hosts.
07-15-2020 02:44 AM
Hello,
post the running configs of both routers again with the changes you have implemented...
07-15-2020 02:55 AM
RLAN :
RLAN#show running-config
Building configuration...
Current configuration : 1842 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname RLAN
!
ip cef
no ipv6 cef
!
license udi pid CISCO2911/K9 sn FTX1524H0F6-
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 ip address 192.168.0.251 255.255.255.0
 ip access-group lan_rules out
 ip nat inside
 duplex auto
 speed auto
 standby 20 ip 192.168.0.254
 standby 20 priority 105
 standby 20 preempt
!
interface GigabitEthernet0/1
 ip address 192.168.10.252 255.255.255.0
 ip access-group rules_lan in
 ip nat inside
 duplex auto
 speed auto
 standby preempt
 standby 30 ip 192.168.10.254
 standby 30 priority 105
 standby 30 track GigabitEthernet0/0
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 192.168.0.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 0
 default-information originate
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
ip flow-export version 9
!
access-list 1 permit host 192.168.0.11
access-list 1 permit host 192.168.0.12
ip access-list extended lan_rules
 permit tcp 192.168.0.0 0.0.0.255 any eq domain
 permit udp 192.168.0.0 0.0.0.255 any eq domain
 permit ospf any any
 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit tcp any any gt 1023 established
 permit icmp any any echo-reply
 permit tcp 192.168.0.0 0.0.0.255 any eq smtp
ip access-list extended rules_lan
 permit tcp any host 192.168.0.253 eq smtp
 permit ospf any any
 permit icmp any any echo-reply
 permit tcp any any eq www
 permit udp any any eq domain
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end
RLAN_Backup :
RLAN_Backup#show running-config
Building configuration...
Current configuration : 1762 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname RLAN_Backup
!
ip cef
no ipv6 cef
!
license udi pid CISCO2911/K9 sn FTX1524QL03-
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 ip address 192.168.0.250 255.255.255.0
 ip access-group lan_rules out
 ip nat inside
 duplex auto
 speed auto
 standby 20 ip 192.168.0.254
 standby 20 preempt
!
interface GigabitEthernet0/1
 ip address 192.168.10.251 255.255.255.0
 ip access-group rules_lan in
 ip nat inside
 duplex auto
 speed auto
 standby preempt
 standby 30 ip 192.168.10.254
 standby 30 preempt
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 192.168.0.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 0
 default-information originate
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
ip flow-export version 9
!
ip access-list extended lan_rules
 permit tcp 192.168.0.0 0.0.0.255 any eq domain
 permit udp 192.168.0.0 0.0.0.255 any eq domain
 permit tcp any any gt 1023 established
 permit tcp any host 192.168.10.11 eq ftp
 permit ospf any any
 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit icmp any any echo-reply
 permit tcp host 192.168.0.253 any eq smtp
ip access-list extended rules_lan
 permit tcp any host 192.168.0.253 eq smtp
 permit ospf any any
 permit icmp any any echo-reply
 permit tcp any any eq www
 permit udp any any eq domain
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end
07-15-2020 04:14 AM
Hello,
I think the access lists are not allowing the HSRP hello packets. Try and add the lines in bold to all 4 access lists (two on each router):
ip access-list extended lan_rules
permit tcp 192.168.0.0 0.0.0.255 any eq domain
permit udp 192.168.0.0 0.0.0.255 any eq domain
permit ospf any any
permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
permit tcp any any gt 1023 established
permit icmp any any echo-reply
permit tcp 192.168.0.0 0.0.0.255 any eq smtp
--> permit ip any host 224.0.0.2
ip access-list extended rules_lan
permit tcp any host 192.168.0.253 eq smtp
permit ospf any any
permit icmp any any echo-reply
permit tcp any any eq www
permit udp any any eq domain
--> permit ip any host 224.0.0.2
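The check behind this fix, as an added example that is not part of the thread: a small Python audit that walks the inbound ACL of each HSRP interface with first-match semantics and reports whether an HSRPv1 hello (UDP port 1985 to 224.0.0.2) from the peer gets past the implicit deny. The function names, the trimmed sample config and the port-name table are assumptions made for illustration; the addresses and ACL lines come from the configs posted above.

```python
import re
from ipaddress import IPv4Address as A
# Constructed sample: RLAN_Backup's HSRP interfaces and inbound ACL, trimmed from the thread.
SAMPLE = """\
interface GigabitEthernet0/0
 ip access-group lan_rules out
 standby 20 ip 192.168.0.254
interface GigabitEthernet0/1
 ip access-group rules_lan in
 standby 30 ip 192.168.10.254
ip access-list extended rules_lan
 permit ospf any any
 permit icmp any any echo-reply
 permit udp any any eq domain
"""
PORTS = {"domain": 53, "www": 80, "smtp": 25, "ftp": 21}  # names used in the thread

def addr_matches(tok, ip):
    """Pop one address spec (any | host A | A WILDCARD) from tok; test it against ip."""
    if (first := tok.pop(0)) == "any":
        return True
    base, wild = (tok.pop(0), "0.0.0.0") if first == "host" else (first, tok.pop(0))
    return (int(A(base)) ^ int(A(ip))) & ~int(A(wild)) == 0

def hello_permitted(entries, peer_ip):
    """First-match walk for an HSRPv1 hello (UDP peer_ip -> 224.0.0.2 port 1985)."""
    for entry in entries:
        action, proto, *tok = entry.split()
        src_ok, dst_ok = addr_matches(tok, peer_ip), addr_matches(tok, "224.0.0.2")
        port_ok = True
        if tok[:1] in (["eq"], ["gt"]):  # destination-port operators only (assumption)
            port = int(PORTS.get(tok[1], tok[1]))
            port_ok = port == 1985 if tok[0] == "eq" else port < 1985
        if proto in ("ip", "udp") and src_ok and dst_ok and port_ok:
            return action == "permit"
    return False  # nothing matched: the implicit deny at the end of the ACL applies

def audit(config, peer_ip):
    """Map each HSRP interface with a defined inbound ACL to True if hellos pass."""
    acls, inbound, hsrp, kind, name = {}, {}, set(), None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"(interface|ip access-list extended) (\S+)", line):
            kind, name = m.groups()
        elif kind == "interface" and re.match(r"standby \d+ ip ", line):
            hsrp.add(name)
        elif kind == "interface" and (m := re.match(r"ip access-group (\S+) in$", line)):
            inbound[name] = m[1]  # outbound ACLs never see hellos arriving from the peer
        elif kind and kind != "interface" and line.startswith(("permit ", "deny ")):
            acls.setdefault(name, []).append(line)
    return {i: hello_permitted(acls[inbound[i]], peer_ip) for i in hsrp if inbound.get(i) in acls}
```

Calling `audit(SAMPLE, "192.168.10.252")` reports GigabitEthernet0/1 as failing, and appending `permit ip any host 224.0.0.2` to `rules_lan` makes it pass. GigabitEthernet0/0 is not listed because its ACL is applied outbound.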
07-15-2020 04:40 AM
Hello my hero @Georg Pauwen
It's working now, thank you!!
I thought about adding an ACL but honestly, because it was working on the interface g0/0, I was thinking that it was useless.
Thanks a lot to you and the people who tried to help :)