cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3872
Views
2
Helpful
39
Replies

Problems with 2901 hsrvp

Alex Samad
Level 1
Level 1

Hi

I have 2 x 2901 in a hsrvp setup.

so I have some wan ports attached to both of these routers and I have 1 port from each router attached 1 a sw (switches in clustered mode). and 1 port attach to each other.

The ports from the router to the switch and each other are part of vlan1 and I have hsrp configured on vlan1

interface Vlan1

description to firewall

ip address a.b.c.252 mask

standby 0 ip a.b.c.254

standby 0 preempt

standby 0 authentication md5 key-string 7 THISISSOMETHIG

standby 0 name internet

interface Vlan1

description to firewall

ip address a.b.c.253 mask

standby 0 ip a.b.c.254

standby 0 preempt

standby 0 authentication md5 key-string 7 THISISSOMETHIG

standby 0 name internet

my problem is when i log into the standby router I can't ping the VIP a.b.c.254

standby seems to be working.

Alex

39 Replies 39

Reza Sharifi
Hall of Fame
Hall of Fame

Hi Alex,

Can you set a priority for the master switch and test again?

example:

standby 2 priority 110
also the group range is from 1 to 255.  Can you try a different group number between 1 and 255?

HTH

Hi

I actually have, sorry I cut and pasted from the slave router

primary

interface Vlan1

ip address a.b.c.d.253 255.255.255.0

standby 0 ip a.b.c.d.254

standby 0 priority 105

standby 0 preempt

standby 0 authentication md5 key-string 7 SOMETHING

standby 0 name internet

sho standby

Vlan1 - Group 0

  State is Active

    1 state change, last state change 38w4d

  Virtual IP address is a.b.c.254

  Active virtual MAC address is 0000.0c07.ac00

    Local virtual MAC address is 0000.0c07.ac00 (v1 default)

  Hello time 3 sec, hold time 10 sec

    Next hello sent in 2.544 secs

  Authentication MD5, key-string

  Preemption enabled

  Active router is local

  Standby router is a.b.c.252, priority 100 (expires in 10.000 sec)

  Priority 105 (configured 105)

  Group name is "internet" (cfgd)

backup router

interface Vlan1

ip address a.b.c.252 255.255.255.0

standby 0 ip a.b.c.254

standby 0 preempt

standby 0 authentication md5 key-string 7 SMOETHING

standby 0 name internet

show standby

Vlan1 - Group 0

  State is Standby

    4 state changes, last state change 1d03h

  Virtual IP address is a.b.c.254

  Active virtual MAC address is 0000.0c07.ac00

    Local virtual MAC address is 0000.0c07.ac00 (v1 default)

  Hello time 3 sec, hold time 10 sec

    Next hello sent in 2.448 secs

  Authentication MD5, key-string

  Preemption enabled

  Active router is a.b.c.253, priority 105 (expires in 9.360 sec)

  Standby router is local

  Priority 100 (default 100)

  Group name is "internet" (cfgd)

so ping from primary to .254 work

ping from secondard to 254 times out ....

gfcisco31
Level 1
Level 1

Many things can cause such behaviour...

Let`s try the most common one first.

Check wether both routers are listening to 224.0.0.2 (.102 is its hsrp v2), to do that issue the command "sh ip interface" on both routers.

I would suggest to remove the config and apply again, in case you suspect they are not hearing each other, also you can try to ping the MCAST address to see who responds the icmp echo request.

hope this helps

Please, rate useful posts.

sh ip interface

shows me vlan1 on both routers has

224.0.0.2 associated with it

I tried pinging the 224.0.0.2 address and I got replies from the not only the local addresses, but also the wan addresses attached to the router ??

I don't believe that the routers are not hearing the heartbeats.

So i can ping the .254 address from primary router and from another device except from the the secondary router..

but it means any traffic coming in on the secondary can't ping .254

What about arp cache on stanby router.

i presume you mean

show arp

and see if the mac address is in the table.. it is and its the correct one

same on the primary

yes, you presumed correctly.

so, the address a.b.c.254 is bounded to MAC 0000.0c07.ac00

there's a thread, i haven't gone through it all,  you can try.

https://supportforums.cisco.com/thread/2037773

Hi

Not sure if that is the same problem I am having.

So except for the standby router. All other devices on the ethernet segment can ping .254 and they can ping the real address of the routers (pri & sec).

pri can ping .254 .253 .252

but sec can only ping .253 .252 (the real addresses of the routers...

Alex

Hi Alex,

here's more you can try :

on the standby router.

"sh ip route x.x.x.254" , see if recognises the address.

check the output of

access-list 101 permit icmp any any

debug ip packet detail 101

end

ping x.x.x.254

see if the output gives any clues- see if its getting routed or not,

also, check whether there is any ACL blocking udp 1985,

sh ip rou

show me that the router believes it is on vlan1 directly connected (the right info)

Q) dont I have to attach 101 to an interface ? in my case vlan1

and isn't there an implied deny any any at the end of the list

tried it any way

025026: Dec 28 15:23:26 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254, len 100, local feature

025027: Dec 28 15:23:26 AEDT:     ICMP type=8, code=0, Policy Routing(3), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025028: Dec 28 15:23:26 AEDT: FIBipv4-packet-proc: route packet from (local) src a.b.c.252 dst a.b.c.254

025029: Dec 28 15:23:26 AEDT: FIBfwd-proc: packet routed by adj to Vlan1 a.b.c.254

025030: Dec 28 15:23:26 AEDT: FIBipv4-packet-proc: packet routing succeeded

025031: Dec 28 15:23:26 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, sending

025032: Dec 28 15:23:26 AEDT:     ICMP type=8, code=0

025033: Dec 28 15:23:26 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, output feature

025034: Dec 28 15:23:26 AEDT:     ICMP type=8, code=0, Post-Ingress-NetFlow(62), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025035: Dec 28 15:23:26 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, output feature

025036: Dec 28 15:23:26 AEDT:     ICMP type=8, code=0, Post-Input-Flexible-NetFlow(73), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025037: Dec 28 15:23:26 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, sending full packet

025038: Dec 28 15:23:26 AEDT:     ICMP type=8, code=0

025040: Dec 28 15:23:27 AEDT:  IP: s=a.b.c.253, d=224.0.0.2, pak 2A16FD60 consumed in input feature , packet consumed, MCI Check(73), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE.

025041: Dec 28 15:23:28 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254, len 100, local feature

025042: Dec 28 15:23:28 AEDT:     ICMP type=8, code=0, Policy Routing(3), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025043: Dec 28 15:23:28 AEDT: FIBipv4-packet-proc: route packet from (local) src a.b.c.252 dst a.b.c.254

025044: Dec 28 15:23:28 AEDT: FIBfwd-proc: packet routed by adj to Vlan1 a.b.c.254

025045: Dec 28 15:23:28 AEDT: FIBipv4-packet-proc: packet routing succeeded

025046: Dec 28 15:23:28 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, sending

025047: Dec 28 15:23:28 AEDT:     ICMP type=8, code=0

025048: Dec 28 15:23:28 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, output feature

025049: Dec 28 15:23:28 AEDT:     ICMP type=8, code=0, Post-Ingress-NetFlow(62), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025050: Dec 28 15:23:28 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, output feature

025051: Dec 28 15:23:28 AEDT:     ICMP type=8, code=0, Post-Input-Flexible-NetFlow(73), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025052: Dec 28 15:23:28 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254 (Vlan1), len 100, sending full packet

025053: Dec 28 15:23:28 AEDT:     ICMP type=8, code=0.

025054: Dec 28 15:23:30 AEDT:  IP: s=a.b.c.253, d=224.0.0.2, pak 2A866DF8 consumed in input feature , packet consumed, MCI Check(73), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025055: Dec 28 15:23:30 AEDT: IP: s=a.b.c.252 (local), d=a.b.c.254, len 100, local feature

025056: Dec 28 15:23:30 AEDT:     ICMP type=8, code=0, Policy Routing(3), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

025057: Dec 28 15:23:30 AEDT: FIBipv4-packet-proc: route packet from (local) src a.b.c.252 dst a.b.c.254

025058: Dec 28 15:23:30 AEDT: FIBfwd-proc: packet routed by adj to Vlan1 a.b.c.254

025059: Dec 28 15:23:30 AEDT: FIBipv4-packet-proc: packet routing succeeded

seems to be working (sending packets from the sec, will try from the pri)

i don't see it turn on up the pri, i tried pinging the real address .253 and it showed up...

A.  yes there is a implicit deny, as we are only interested in seeing the ICMP debug, and we dont need to apply it on any interface, as we are not filtering any incoming or outgoing traffic, but the debug output only.

Hi ,

issue the command Clear mac-address table dynamic and check it once.

With Rgds,

M Satish Kumar

clear max didn't fix anything but it got me looking at the arp table as well.

standby#sh arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  a.b.c.1           210   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.2            29   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.4           192   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.7           126   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.9           167   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.10          155   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.12          112   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.13          171   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.15          174   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.99           50   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.127          33   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.129         193   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.199          38   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.250          18   d0d0.fd5b.c5bd  ARPA   Vlan1

Internet  a.b.c.251          35   d0d0.fd99.079b  ARPA   Vlan1

Internet  a.b.c.252           -   c471.fe78.4923  ARPA   Vlan1

Internet  a.b.c.253           0   588d.09bb.9b5b  ARPA   Vlan1

Internet  a.b.c.254          60   0000.0c07.ac00  ARPA   Vlan1

standby#show mac-address-table

EHWIC Slot: 0

Destination Address     Address Type    VLAN    Destination Port

-------------------     ------------    ----    -----------------

c471.fe78.4923          Self               1    Vlan1

d0d0.fd5b.c5bd          Dynamic            1    GigabitEthernet0/0/0

d0d0.fd99.079b          Dynamic            1    GigabitEthernet0/0/3

0000.0c07.ac00          Dynamic            1    GigabitEthernet0/0/0

588d.09bb.9b5b          Dynamic            1    GigabitEthernet0/0/0

d0d0.fd94.c628          Dynamic            1    GigabitEthernet0/0/0

standby#sh vlan-switch

VLAN Name                             Status    Ports

---- -------------------------------- --------- -------------------------------

1    default                          active    Gi0/0/0, Gi0/0/2, Gi0/0/3

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

1    enet  100001     1500  -      -      -        -    -        1002   1003

so gi0/0/0 is direct attach cable to primary router

so gi0/0/3 is attached to the sw (stacked switch this to one the other router to the other switch)

so gi0/0/2 not connected

it looks all okay...

EDIT -> all this is from the standby router

ebarticel
Level 4
Level 4

I think you should check the authentication as well and maybe have a delay timer configured with preempt command

Hope it helps

Eugen

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: