12-27-2011 02:45 PM - edited 03-04-2019 02:45 PM
Hi
I have 2 x 2901 in an HSRP setup.
So I have some WAN ports attached to both of these routers, and I have 1 port from each router attached to a sw (switches in clustered mode), and 1 port attached to each other.
The ports from the router to the switch and each other are part of vlan1 and I have hsrp configured on vlan1
interface Vlan1
description to firewall
ip address a.b.c.252 mask
standby 0 ip a.b.c.254
standby 0 preempt
standby 0 authentication md5 key-string 7 THISISSOMETHIG
standby 0 name internet
interface Vlan1
description to firewall
ip address a.b.c.253 mask
standby 0 ip a.b.c.254
standby 0 preempt
standby 0 authentication md5 key-string 7 THISISSOMETHIG
standby 0 name internet
my problem is when i log into the standby router I can't ping the VIP a.b.c.254
standby seems to be working.
Alex
12-28-2011 02:31 PM
Hi
Pretty sure authentication is okay, the heartbeats seem to be working and not timing out. Also, for the brief period I had one authenticated and one not authenticated I received errors in my syslog, which went away once I reconfigured the second interface.
as for the delay time
not sure what it is nor how it will help me ping the vip from the standby router
12-28-2011 06:38 PM
The delay time is for the primary to know how long to wait to become primary again, usually is greater than default to give enough time for routing protocol to converge (bgp takes a bit longer than ospf or eigrp).
I am thinking that you should change priority on the secondary to become primary for a while, this will associate mac address of secondary with VIP, because at the moment the primary doesn't know where to send the ping replies. The secondary MAC address is associated with IP address of interface but not with VIP in the primary MAC table.
Other option is to create a static mapping on the primary for secondary MAC and VIP.
I hope this helps
Eugen
12-28-2011 06:45 PM
add on to previous message...
this is entry for secondary on your primary
Internet a.b.c.252 - c471.fe78.4923 ARPA Vlan1
The primary needs to have an entry for the
c471.fe78.4923 to be associated with a.b.c.254 as well
If you make secondary primary for a while then primary will learn and associate the MAC with VIP as well
12-28-2011 06:52 PM
Okay I am lost on what you are trying to say is the problem and what the potential fix might be.
if i ignore the standby router, I can ping .254 from other devices, for ex the firewall and from the internet (as long as its not routed over the standby router).
I can ping from the primary to the standby using the fixed addresses (.253, .252) and vice versa, what I can't do is ping from the standby to the VIP (which is on the primary).
I did a packet debug which showed that the packet was actually leaving the router on the right interface (I believe)
12-28-2011 06:47 PM
>>The delay time is for the primary to know how long to wait to become primary again, usually is greater than default to give enough time for routing protocol to converge (bgp takes a bit longer than ospf or eigrp).
okay I will have to look at this once I have solved this problem.
>>I am thinking that you should change priority on the secondary to become primary for a while, this will associate mac address of secondary with VIP, because at the moment the primary doesn't know where to send the ping replies. The secondary MAC address is associated with IP address of interface but not with VIP in the primary MAC table.
??? I didn't actually show the mac table on the primary router, but why I think this is not the case is
primary standby
a.b.c.253 a.b.c.252
from
a.b.c.253 i can ping a.b.c.252
a.b.c.252 i can ping a.b.c.253
a.b.c.253 i can ping a.b.c.254
I can't ping a.b.c.254 from a.b.c.252
so from this I can presume that primary can ping standby.
as this is production stuff I don't want to push over VIP.
This is actually all part of testing the redundancy and to see if it works as advertised, so currently I don't have faith in it actually working. I see no reason for it not to, but I don't see any reason for it not to be able to ping 254 from 252 either
>>Other option is to create a static mapping on the primary for secondary MAC and VIP.
I don't get this, why would I want to hard code routing for a floating VIP ? and what would it do when the VIP exist on the local router ?
Alex
12-28-2011 07:34 PM
The static mapping is just to verify that there is redundancy and you will be able to test pings from secondary.
If it is a live environment, i guess you should test it when there is not much traffic. The only thing you should change is the priority value on secondary, wait until it becomes primary, ping the VIP from both and if all is good, just change the priority back to previous values.
Eugen
12-28-2011 08:58 PM
Dear Alex ,
How is the connectivity of the switches? Can you provide us a network diagram?
With rgds,
Satish
12-28-2011 09:54 PM
Does that help
The standby config is configured on vlan1, which gi0/0/ gi0/0/3 are members of
12-28-2011 10:30 PM
Hi ,
Can you provide us the config of the interfaces which are connected to the switches back to back?
Have you configured ether channel for connecting switches ?
With Rgds,
Satish
12-28-2011 11:03 PM
primary
interface GigabitEthernet0/0/0
description connect standby
interface GigabitEthernet0/0/3
description connect asa
interface Vlan1
ip address a.b.c.253 255.255.255.0
standby 0 ip a.b.c.254
standby 0 priority 105
standby 0 preempt
standby 0 authentication md5 key-string 7 something
standby 0 name internet
standby
interface GigabitEthernet0/0/0
description connect primary
!
!
interface GigabitEthernet0/0/3
description connect asa5000
interface Vlan1
description to firewall
ip address a.b.c.252 mask
standby 0 ip a.b.c.254
standby 0 preempt
standby 0 authentication md5 key-string 7 THISISSOMETHIG
standby 0 name internet
Alex
12-28-2011 11:13 PM
Switch1G0/0/0 ---- G0/0/0 Switch2 Am i right...
Is it trunk port ? if it is trunk port which vlan's are allowed..
12-28-2011 11:15 PM
This is a cisco asa 5000 firewall appliance... i don't believe its trunk.. but only vlan1
12-29-2011 12:21 AM
Hi Alex ,
How is the connectivity between switches ?
12-29-2011 01:07 AM
?? sorry I don't think I understand ??
The 2 2901's connect by cable to each other and by cable to 2 asa5000 firewall appliances which are in an active/passive stack/cluster..
12-29-2011 02:09 AM
Does the 2901 routers have switching module installed, or you use the default LAN interfaces to connect between routers?