
Problems with 2901 HSRP

Alex Samad
Beginner

Hi

I have 2 x 2901 in an HSRP setup.

So I have some WAN ports attached to both of these routers, and I have 1 port from each router attached to a switch (switches in clustered mode), and 1 port attached to each other.

The ports from the router to the switch and to each other are part of vlan1, and I have HSRP configured on vlan1.

interface Vlan1
 description to firewall
 ip address a.b.c.252 mask
 standby 0 ip a.b.c.254
 standby 0 preempt
 standby 0 authentication md5 key-string 7 THISISSOMETHIG
 standby 0 name internet

interface Vlan1
 description to firewall
 ip address a.b.c.253 mask
 standby 0 ip a.b.c.254
 standby 0 preempt
 standby 0 authentication md5 key-string 7 THISISSOMETHIG
 standby 0 name internet

My problem is that when I log into the standby router I can't ping the VIP a.b.c.254.

Standby seems to be working.

Alex

39 REPLIES

Hi

Pretty sure authentication is okay; the heartbeats seem to be working and not timing out. Also, for the brief period I had one authenticated and one not authenticated I received errors in my syslog, which went away once I reconfigured the second interface.

As for the delay time, I'm not sure what it is nor how it will help me ping the VIP from the standby router.

The delay time is for the primary to know how long to wait to become primary again; it is usually greater than the default to give enough time for the routing protocol to converge (BGP takes a bit longer than OSPF or EIGRP).

I am thinking that you should change the priority on the secondary so it becomes primary for a while. This will associate the MAC address of the secondary with the VIP, because at the moment the primary doesn't know where to send the ping replies. The secondary MAC address is associated with the IP address of the interface but not with the VIP in the primary MAC table.

The other option is to create a static mapping on the primary for the secondary MAC and the VIP.

I hope this helps

Eugen

add on to previous message...

This is the entry for the secondary on your primary:

Internet  a.b.c.252           -   c471.fe78.4923  ARPA   Vlan1

The primary needs to have an entry for c471.fe78.4923 to be associated with a.b.c.254 as well.

If you make the secondary primary for a while, then the primary will learn and associate the MAC with the VIP as well.
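
An added example, not part of the original thread: for HSRP version 1 without `standby use-bia`, the virtual IP resolves to the group virtual MAC 0000.0c07.acXX (XX is the group number in hex), so the ARP entry a router holds for the VIP can be checked mechanically. The function names, the 192.0.2.x addresses and the sample `show ip arp` rows are constructed for illustration; only c471.fe78.4923 comes from the thread.

```python
import re

# One row of `show ip arp`: Protocol Address Age Hardware-Addr Type Interface
ARP_ROW = re.compile(
    r"^Internet[ \t]+(?P<ip>\S+)[ \t]+(?P<age>\S+)[ \t]+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})[ \t]+ARPA[ \t]+(?P<intf>\S+)",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample: ARP table as seen on the standby router (group 0).
STANDBY_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.252             -   c471.fe78.4923  ARPA   Vlan1
Internet  192.0.2.253            12   c471.fe78.5a10  ARPA   Vlan1
Internet  192.0.2.254             3   0000.0c07.ac00  ARPA   Vlan1
"""


def hsrp_v1_vmac(group: int) -> str:
    """HSRP version 1 virtual MAC for a group (0-255): 0000.0c07.acXX."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def check_vip(arp_output: str, vip: str, group: int) -> str:
    """Classify the ARP entry a router holds for the HSRP virtual IP."""
    expected = hsrp_v1_vmac(group)
    for m in ARP_ROW.finditer(arp_output):
        if m["ip"] != vip:
            continue
        mac = m["mac"].lower()
        if mac == expected:
            # Age "-" marks an address owned by this router (the active peer).
            return "vmac-local" if m["age"] == "-" else "vmac-learned"
        # Could be use-bia on the peer, or another host answering for the VIP.
        return f"unexpected-mac {mac}"
    return "no-entry"


if __name__ == "__main__":
    print(check_vip(STANDBY_ARP, "192.0.2.254", 0))
```

A result of `unexpected-mac` or `no-entry` on the standby narrows the problem to layer 2 resolution of the VIP rather than to HSRP state.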

Okay I am lost on what you are trying to say is the problem and what the potential fix might be.

If I ignore the standby router, I can ping .254 from other devices, for example the firewall and from the internet (as long as it's not routed over the standby router).

I can ping from the primary to the standby using the fixed addresses (.253, .252) and vice versa; what I can't do is ping from the standby to the VIP (which is on the primary).

I did a packet debug which showed that the packet was actually leaving the router on the right interface (I believe).

>>The delay time is for the primary to know how long to wait to become primary again, usually is greater than default to give enough time for routing protocol to converge (bgp takes a bit longer than ospf or eigrp).

Okay, I will have to look at this once I have solved this problem.

>>I am thinking that you should change priority on the secondary to become primary for a while, this will associate mac address of secondary with VIP, because at the moment the primary doesn't know where to send the ping replies. The secondary MAC address is associated with IP address of interface but not with VIP in the primary MAC table.

??? I didn't actually show the MAC table on the primary router, but why I think this is not the case is:

primary        standby
a.b.c.253      a.b.c.252

From a.b.c.253 I can ping a.b.c.252
From a.b.c.252 I can ping a.b.c.253
From a.b.c.253 I can ping a.b.c.254

I can't ping a.b.c.254 from a.b.c.252

So from this I can presume that the primary can ping the standby.

As this is production stuff I don't want to push over the VIP.

This is actually all part of testing the redundancy and to see if it works as advertised, so currently I don't have faith in it actually working. I see no reason for it not to, but I don't see any reason for it not to be able to ping 254 from 252 either.

>>Other option is to create a static mapping on the primary for secondary MAC and VIP.

I don't get this, why would I want to hard code routing for a floating VIP? And what would it do when the VIP exists on the local router?

Alex

The static mapping is just to verify that there is redundancy and you will be able to test pings from secondary.

If it is a live environment, I guess you should test it when there is not much traffic. The only thing you should change is the priority value on the secondary; wait until it becomes primary, ping the VIP from both, and if all is good, just change the priority back to the previous values.

Eugen

kmothukuri
Beginner

Dear Alex,

How is the connectivity of the switches? Can you provide us a network diagram?

With rgds,

Satish

Does that help

The standby config is configured on vlan1, which gi0/0/ gi0/0/3 are members of

Hi,

Can you provide us the config of the interfaces which are connected to the switches back to back?

Have you configured EtherChannel for connecting the switches?

With Rgds,

Satish

primary

interface GigabitEthernet0/0/0
 description connect standby
interface GigabitEthernet0/0/3
 description connect asa
interface Vlan1
 ip address a.b.c.253 255.255.255.0
 standby 0 ip a.b.c.254
 standby 0 priority 105
 standby 0 preempt
 standby 0 authentication md5 key-string 7 something
 standby 0 name internet

standby

interface GigabitEthernet0/0/0
 description connect primary
!
!
interface GigabitEthernet0/0/3
 description connect asa5000
interface Vlan1
 description to firewall
 ip address a.b.c.252 mask
 standby 0 ip a.b.c.254
 standby 0 preempt
 standby 0 authentication md5 key-string 7 THISISSOMETHIG
 standby 0 name internet

Alex

Switch1 G0/0/0 ---- G0/0/0 Switch2. Am I right?

Is it a trunk port? If it is a trunk port, which VLANs are allowed?

This is a Cisco ASA 5000 firewall appliance. I don't believe it's trunk, but only vlan1.

Hi Alex ,

How is the connectivity between switches ?

?? sorry I don't think I understand ??

The 2 2901s connect by cable to each other and by cable to 2 ASA 5000 firewall appliances which are in an active/passive stack/cluster.

Do the 2901 routers have a switching module installed, or do you use the default LAN interfaces to connect between the routers?
