12-27-2011 02:45 PM - edited 03-04-2019 02:45 PM
Hi
I have 2 x 2901 in an HSRP setup.
So I have some WAN ports attached to both of these routers, and I have 1 port from each router attached to a sw (switches in clustered mode), and 1 port attached to each other.
The ports from the router to the switch and each other are part of vlan1 and I have HSRP configured on vlan1
interface Vlan1
 description to firewall
 ip address a.b.c.252 mask
 standby 0 ip a.b.c.254
 standby 0 preempt
 standby 0 authentication md5 key-string 7 THISISSOMETHIG
 standby 0 name internet

interface Vlan1
 description to firewall
 ip address a.b.c.253 mask
 standby 0 ip a.b.c.254
 standby 0 preempt
 standby 0 authentication md5 key-string 7 THISISSOMETHIG
 standby 0 name internet
My problem is when I log into the standby router I can't ping the VIP a.b.c.254
Standby seems to be working.
Alex
12-29-2011 02:14 AM
are not sure.
It does have a WIC in there, but not sure what command to display the module types?
Alex
12-29-2011 02:41 AM
If the WIC has like 4-8-16 ports then it is a switching module. If not then you are using the LAN interfaces.
12-29-2011 03:04 AM
Hi
Where is the LAN? How are the systems connected in the LAN? The diagram has routers and firewalls. Do you have switches in the network?
With Rgds,
Satish
12-29-2011 03:16 AM
The LAN is on the other side of the firewall. But the question is why can't the standby router ping the VIP?
12-29-2011 03:17 AM
Why would it make a difference?
Not sure I understand.
12-29-2011 03:21 AM
On which device have you configured Vlan 1?
12-29-2011 04:00 AM
Do you have any IP address on g0/0/0, the interface that connects the 2 routers? You will have to configure an IP address on both primary and secondary g0/0/0 interfaces and the VIP should be from the same subnet. Then you will have to configure a route on the firewalls to point to the VIP. You cannot configure the g0/0/3 and g0/0/0 on the same network... the router will say that the IP overlaps. I have created a setup similar to yours and I used subinterfaces on the routers, but I had to create 5 subnets: one to each firewall, one between the routers, and 2, one from each router to the Internet. It is just a basic config for routers with static routing.
I have tested by shutting down the serial interface on Primary, and Secondary becomes Primary; then I open the interface on Primary and the routers change roles again.
I will post the picture if you like.
Eugen
12-29-2011 11:12 AM
Um, I use the vlan1 interface, which binds together the interfaces, so I only have to put an address on the vlan interface, not all the interfaces.
I don't want to use static routes. I have BGP installed and working.
I think we are moving away from the issue.
The standby router can't ping the VIP. It can ping everything else.
12-29-2011 06:08 PM
Hi Alex,
I didn't suggest that you use static routes; I have used static routes in my simulation to try to understand what the problem is and how it can be solved.
On the routers you have, you can't set up an IP address on a vlan, like you do on the switch, unless the interfaces you mentioned (g0/0/0 - g0/0/3) are part of a switching module installed on the router.
If your g0/0/0 interfaces between the two routers are up and up, then the problem could be with the BGP peer configuration.
If interfaces g0/0/0 are up on both routers but line protocol is down, then your ping goes to the firewall first and you need to check if it allows pings on the outside interface (I guess it is configured as an outside, the one connecting to your secondary router).
You can use an extended ping from the secondary and record the hops it goes thru; then you will know for sure which way it goes out of the router.
One other suggestion is to copy the running configurations from both routers, and if you have 2 spare routers, connect them together like your topology, use loopbacks to simulate the Internet and firewalls, and see if it works.
This is all I can suggest now based on the info you provided.
Good luck and hope that you will get to the bottom of it.
Eugen
12-29-2011 10:02 PM
Hi
Thanks for that, I must have misunderstood you in regards to the statics!
I can understand what you are saying about the switch module and such, and I believe it is a switch module.
Unfortunately I don't have any spare routers.
Extended ping? I have specified a source interface vlan1.
Still no luck.
I am still not sure it's a routing issue, 'cause I can ping the other addresses .253 and .250 ...
I will have some time to run some more tests next year (this weekend).
A